
Native JSON logging [Fixed, and changed output format] #15

Closed
t3chn0m4g3 opened this issue Jan 21, 2022 · 17 comments

Comments

@t3chn0m4g3

Any chance you could support native JSON file logging? This would make ingesting into the ELK stack a lot more straight forward.

Currently there already is a JSON message part of the logs ...

[2022-01-21 11:24:16,395] [honeypotslogger_QSSHServer_57d43b72] [INFO] - ['servers', {'status': 'failed', 'ip': '1.2.3.4', 'port': 54161, 'username': 'adm', 'password': 'test'}]
[2022-01-21 11:24:17,055] [honeypotslogger_QSSHServer_57d43b72] [INFO] - ['servers', {'ip': '1.2.3.4', 'port': 44822}]
[2022-01-21 11:24:17,762] [honeypotslogger_QSSHServer_57d43b72] [INFO] - ['servers', {'status': 'failed', 'ip': '1.2.3.4', 'port': 44822, 'username': 'bob', 'password': 'bob'}]

... but having this type of format would be very helpful

{"timestamp": "2022-01-21T11:19:41.948469Z", "protocol": "ssh_server", "action": "connection", "src_ip": "1.2.3.4", "src_port": 30786, "dest_port": 22}
{"timestamp": "2022-01-21T11:19:43.350640Z", "protocol": "ssh_server", "action": "login", "status": "failed", "src_ip": "1.2.3.4", "src_port": 30786, "dest_port": 22, "username": "demo", "password": "password"}
{"timestamp": "2022-01-21T11:19:44.047591Z", "protocol": "ssh_server", "action": "connection", "src_ip": "1.2.3.4", "src_port": 2853, "dest_port": 22}
{"timestamp": "2022-01-21T11:19:46.211620Z", "protocol": "ssh_server", "action": "login", "status": "failed", "src_ip": "1.2.3.4", "src_port": 2853, "dest_port": 22, "username": "root", "password": "administrator"}

In my fork I adjusted all honeypots accordingly as a PoC if you are looking for samples.
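The conversion this request describes, as an added example that is not code from the honeypots project or from the fork mentioned above: it parses the old line layout quoted in the post (bracketed timestamp, `honeypotslogger_<Class>_<id>` logger name, level, and a Python list literal carrying the event dict) and emits one JSON object per line in the proposed schema. The protocol label is derived from the class name (`QSSHServer` becomes `ssh_server`), the `listen_port` argument supplies the `dest_port` the old format never recorded, and the old timestamps are treated as UTC; all three are assumptions of this example, not behaviour of the project.

```python
import ast
import json
import re
from datetime import datetime

# Layout of the pre-0.40 log line quoted in the issue:
# [timestamp] [honeypotslogger_<Class>_<id>] [LEVEL] - ['servers', {...}]
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[honeypotslogger_(?P<cls>[A-Za-z0-9]+)_[0-9a-f]+\] "
    r"\[(?P<level>[A-Z]+)\] - (?P<payload>\[.*\])$"
)


def protocol_name(cls_name):
    """Map a class name such as QSSHServer to the requested 'ssh_server'
    label (naming convention assumed for this example)."""
    name = cls_name[1:] if cls_name.startswith("Q") else cls_name
    if name.endswith("Server"):
        name = name[: -len("Server")]
    return name.lower() + "_server"


def convert_line(line, listen_port):
    """Return the old-format line as a dict in the proposed schema, or None
    when the line is not a honeypot event. listen_port is the honeypot's own
    port, which the old format does not record (assumption)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The payload is a Python literal (single quotes, ints). literal_eval
    # parses it without executing anything, unlike eval().
    try:
        payload = ast.literal_eval(m.group("payload"))
    except (ValueError, SyntaxError):
        return None
    if not (isinstance(payload, list) and len(payload) == 2
            and isinstance(payload[1], dict)):
        return None
    fields = payload[1]
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
    event = {
        # Old timestamps carry no zone; treated as UTC here (assumption).
        "timestamp": ts.isoformat(timespec="microseconds") + "Z",
        "protocol": protocol_name(m.group("cls")),
        "action": "login" if "username" in fields else "connection",
    }
    if "status" in fields:
        event["status"] = fields["status"]
    event["src_ip"] = fields.get("ip")
    event["src_port"] = fields.get("port")
    event["dest_port"] = listen_port
    for key in ("username", "password"):
        if key in fields:
            event[key] = fields[key]
    return event


def convert_lines(lines, listen_port):
    """Convert old-format lines to JSON-lines text, skipping non-events."""
    out = []
    for line in lines:
        event = convert_line(line, listen_port)
        if event is not None:
            out.append(json.dumps(event))
    return "\n".join(out)


# Constructed sample input modelled on the lines quoted in the issue.
SAMPLE = [
    "[2022-01-21 11:24:16,395] [honeypotslogger_QSSHServer_57d43b72] [INFO] - "
    "['servers', {'status': 'failed', 'ip': '1.2.3.4', 'port': 54161, "
    "'username': 'adm', 'password': 'test'}]",
    "[2022-01-21 11:24:17,055] [honeypotslogger_QSSHServer_57d43b72] [INFO] - "
    "['servers', {'ip': '1.2.3.4', 'port': 44822}]",
    "[2022-01-21 11:24:17,762] [honeypotslogger_QSSHServer_57d43b72] [INFO] - "
    "not an event line",
]

if __name__ == "__main__":
    print(convert_lines(SAMPLE, listen_port=22))
```

Lines that do not carry a list literal are dropped rather than guessed at, so a partially written or truncated line can never turn into a fabricated event in the index.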

@giga-a
Member

giga-a commented Jan 21, 2022

Hey @t3chn0m4g3!
Yes, I can support native JSON file logging.
I'm working on it.. :)

@t3chn0m4g3
Author

Awesome, looking forward to it :)

@giga-a giga-a closed this as completed in 0caeb72 Jan 22, 2022
@giga-a giga-a reopened this Jan 22, 2022
@giga-a
Member

giga-a commented Jan 22, 2022

Okay!

  • Added the ISO timestamp to output
  • Added dst_ip, and dst_port to all honeypots
  • Added one wrapper that changes server to protocol
  • All the output is native JSON (terminal, file, and syslog)

pip3 install honeypots==0.40
pip3 install honeypots[test]==0.40

import honeypots
from time import sleep
for server, cls in honeypots.__dict__.items():
    if server.endswith('Server'):
        print("Start testing {}".format(server))
        temp_server = cls(ip='172.17.0.1')
        temp_server.run_server(process=True, auto=True)
        sleep(2)
        temp_server.test_server()
        temp_server.kill_server()
        print("Done testing {}".format(server))
honeypots.clean_all()
Start testing QDNSServer
{"action": "process", "protocol": "dns", "src_ip": "172.17.0.1", "src_port": "48219", "status": "success", "timestamp": "2022-01-22T03:46:07.236534"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "48219", "protocol": "dns", "src_ip": "192.168.0.15", "src_port": "40405", "timestamp": "2022-01-22T03:46:09.257576"}
{"action": "query", "dst_ip": "172.17.0.1", "dst_port": "48219", "payload": "<A address=93.184.216.34 ttl=9760>", "protocol": "dns", "src_ip": "192.168.0.15", "src_port": "40405", "timestamp": "2022-01-22T03:46:09.258078"}
Done testing QDNSServer
Start testing QFTPServer
{"action": "process", "password": "test", "protocol": "ftp", "src_ip": "172.17.0.1", "src_port": "37849", "status": "success", "timestamp": "2022-01-22T03:46:09.307283", "username": "test"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "37849", "password": "test", "protocol": "ftp", "src_ip": "192.168.0.15", "src_port": "37562", "status": "success", "timestamp": "2022-01-22T03:46:11.315935", "username": "test"}
Done testing QFTPServer
Start testing QHTTPProxyServer
{"action": "process", "protocol": "http_proxy", "src_ip": "172.17.0.1", "src_port": "44331", "status": "success", "timestamp": "2022-01-22T03:46:11.364338"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "44331", "protocol": "http_proxy", "src_ip": "192.168.0.15", "src_port": "37910", "timestamp": "2022-01-22T03:46:13.372712"}
{"action": "query", "dst_ip": "172.17.0.1", "dst_port": "44331", "payload": "yahoo.com", "protocol": "http_proxy", "src_ip": "192.168.0.15", "src_port": "37910", "timestamp": "2022-01-22T03:46:13.373067"}
Done testing QHTTPProxyServer
Start testing QHTTPServer
{"action": "process", "password": "test", "protocol": "http", "src_ip": "172.17.0.1", "src_port": "38941", "status": "success", "timestamp": "2022-01-22T03:46:14.188397", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "38941", "protocol": "http", "request": {"Accept": "*/*", "Accept-Encoding": "gzip, deflate", "Connection": "keep-alive", "Host": "172.17.0.1:38941", "User-Agent": "python-requests/2.27.1", "method": "GET", "uri": "/"}, "src_ip": "172.17.0.1", "src_port": "38941", "timestamp": "2022-01-22T03:46:16.197069"}
{"action": "GET", "dst_ip": "172.17.0.1", "dst_port": "38941", "protocol": "http", "src_ip": "172.17.0.1", "src_port": "38941", "timestamp": "2022-01-22T03:46:16.197296"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "38941", "protocol": "http", "request": {"Accept": "*/*", "Accept-Encoding": "gzip, deflate", "Connection": "keep-alive", "Content-Length": "27", "Content-Type": "application/x-www-form-urlencoded", "Host": "172.17.0.1:38941", "User-Agent": "python-requests/2.27.1", "method": "POST", "uri": "/login.html"}, "src_ip": "172.17.0.1", "src_port": "38941", "timestamp": "2022-01-22T03:46:16.200447"}
{"action": "POST", "dst_ip": "172.17.0.1", "dst_port": "38941", "protocol": "http", "src_ip": "172.17.0.1", "src_port": "38941", "timestamp": "2022-01-22T03:46:16.200583"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "38941", "password": "test", "protocol": "http", "src_ip": "172.17.0.1", "src_port": "38941", "status": "success", "timestamp": "2022-01-22T03:46:16.200763", "username": "test"}
Done testing QHTTPServer
Start testing QHTTPSServer
{"action": "process", "password": "test", "protocol": "https", "src_ip": "172.17.0.1", "src_port": "35595", "status": "success", "timestamp": "2022-01-22T03:46:16.244015", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "35595", "protocol": "https", "request": {"Accept": "*/*", "Accept-Encoding": "gzip, deflate", "Connection": "keep-alive", "Host": "172.17.0.1:35595", "User-Agent": "python-requests/2.27.1", "method": "GET", "uri": "/"}, "src_ip": "172.17.0.1", "src_port": "35595", "timestamp": "2022-01-22T03:46:18.261230"}
{"action": "GET", "dst_ip": "172.17.0.1", "dst_port": "35595", "protocol": "https", "src_ip": "172.17.0.1", "src_port": "35595", "timestamp": "2022-01-22T03:46:18.261458"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "35595", "protocol": "https", "request": {"Accept": "*/*", "Accept-Encoding": "gzip, deflate", "Connection": "keep-alive", "Content-Length": "27", "Content-Type": "application/x-www-form-urlencoded", "Host": "172.17.0.1:35595", "User-Agent": "python-requests/2.27.1", "method": "POST", "uri": "/"}, "src_ip": "172.17.0.1", "src_port": "35595", "timestamp": "2022-01-22T03:46:18.274140"}
{"action": "POST", "dst_ip": "172.17.0.1", "dst_port": "35595", "protocol": "https", "src_ip": "172.17.0.1", "src_port": "35595", "timestamp": "2022-01-22T03:46:18.274257"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "35595", "password": "test", "protocol": "https", "src_ip": "172.17.0.1", "src_port": "35595", "status": "success", "timestamp": "2022-01-22T03:46:18.274401", "username": "test"}
Done testing QHTTPSServer
Start testing QSMBServer
{"action": "process", "folders": "", "password": "test", "protocol": "smb", "src_ip": "172.17.0.1", "src_port": "56551", "status": "success", "timestamp": "2022-01-22T03:46:18.320754", "username": "test"}
{"action": "connection", "msg": "Incoming connection (192.168.0.15,39082)", "protocol": "smb", "timestamp": "2022-01-22T03:46:20.323695"}
{"action": "connection", "msg": "AUTHENTICATE_MESSAGE (\\test,)", "protocol": "smb", "timestamp": "2022-01-22T03:46:20.339748"}
{"action": "connection", "msg": "User \\test authenticated successfully", "protocol": "smb", "timestamp": "2022-01-22T03:46:20.339984"}
Done testing QSMBServer
Start testing QSMTPServer
{"action": "process", "password": "test", "protocol": "smtp", "src_ip": "172.17.0.1", "src_port": "50453", "status": "success", "timestamp": "2022-01-22T03:46:20.384605", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "50453", "protocol": "smtp", "src_ip": "192.168.0.15", "src_port": "35970", "timestamp": "2022-01-22T03:46:22.392849"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "50453", "password": "test", "protocol": "smtp", "src_ip": "192.168.0.15", "src_port": "35970", "status": "success", "timestamp": "2022-01-22T03:46:22.394828", "username": "test"}
Done testing QSMTPServer
Start testing QSSHServer
{"action": "process", "password": "test", "protocol": "ssh", "src_ip": "172.17.0.1", "src_port": "49757", "status": "success", "timestamp": "2022-01-22T03:46:22.439677", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "49757", "protocol": "ssh", "src_ip": "192.168.0.15", "src_port": "58442", "timestamp": "2022-01-22T03:46:24.443775"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "49757", "password": "test", "protocol": "ssh", "src_ip": "192.168.0.15", "src_port": "58442", "status": "success", "timestamp": "2022-01-22T03:46:24.454809", "username": "test"}
Authentication failed.
Done testing QSSHServer
Start testing QTelnetServer
{"action": "process", "password": "test", "protocol": "telnet", "src_ip": "172.17.0.1", "src_port": "39479", "status": "success", "timestamp": "2022-01-22T03:46:24.498269", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "39479", "protocol": "telnet", "src_ip": "192.168.0.15", "src_port": "60446", "timestamp": "2022-01-22T03:46:26.505243"}
Done testing QTelnetServer
Start testing QPOP3Server
{"action": "process", "password": "test", "protocol": "pop3", "src_ip": "172.17.0.1", "src_port": "41969", "status": "success", "timestamp": "2022-01-22T03:46:26.551721", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "41969", "protocol": "pop3", "src_ip": "192.168.0.15", "src_port": "55320", "timestamp": "2022-01-22T03:46:28.557634"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "41969", "password": "test", "protocol": "pop3", "src_ip": "192.168.0.15", "src_port": "55320", "status": "success", "timestamp": "2022-01-22T03:46:28.559334", "username": "test"}
Done testing QPOP3Server
Start testing QSOCKS5Server
{"action": "process", "password": "test", "protocol": "socks5", "src_ip": "172.17.0.1", "src_port": "37097", "status": "success", "timestamp": "2022-01-22T03:46:28.606605", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "37097", "protocol": "socks5", "src_ip": "192.168.0.15", "src_port": "54262", "timestamp": "2022-01-22T03:46:30.612379"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "37097", "password": "test", "protocol": "socks5", "src_ip": "192.168.0.15", "src_port": "54262", "status": "success", "timestamp": "2022-01-22T03:46:30.613297", "username": "test"}
Done testing QSOCKS5Server
Start testing QPostgresServer
{"action": "process", "password": "test", "protocol": "postgres", "src_ip": "172.17.0.1", "src_port": "43673", "status": "success", "timestamp": "2022-01-22T03:46:30.666260", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "43673", "protocol": "postgres", "src_ip": "192.168.0.15", "src_port": "47726", "timestamp": "2022-01-22T03:46:32.670760"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "43673", "password": "test", "protocol": "postgres", "src_ip": "192.168.0.15", "src_port": "47726", "status": "success", "timestamp": "2022-01-22T03:46:32.672212", "username": "test"}
Done testing QPostgresServer
Start testing QIMAPServer
{"action": "process", "password": "test", "protocol": "imap", "src_ip": "172.17.0.1", "src_port": "42407", "status": "success", "timestamp": "2022-01-22T03:46:32.717512", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "42407", "protocol": "imap", "src_ip": "192.168.0.15", "src_port": "53392", "timestamp": "2022-01-22T03:46:34.727452"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "42407", "password": "test", "protocol": "imap", "src_ip": "192.168.0.15", "src_port": "53392", "status": "success", "timestamp": "2022-01-22T03:46:34.729479", "username": "test"}
Done testing QIMAPServer
Start testing QRedisServer
{"action": "process", "password": "test", "protocol": "redis", "src_ip": "172.17.0.1", "src_port": "59159", "status": "success", "timestamp": "2022-01-22T03:46:34.792641", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "59159", "protocol": "redis", "src_ip": "192.168.0.15", "src_port": "37956", "timestamp": "2022-01-22T03:46:36.814495"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "59159", "password": "test", "protocol": "redis", "src_ip": "192.168.0.15", "src_port": "37956", "status": "success", "timestamp": "2022-01-22T03:46:36.815203", "username": "test"}
Done testing QRedisServer
Start testing QMysqlServer
{"action": "process", "password": "test", "protocol": "mysql", "src_ip": "172.17.0.1", "src_port": "48059", "status": "success", "timestamp": "2022-01-22T03:46:36.862184", "username": "test"}
{"action": "connection", "protocol": "mysql", "src_ip": "192.168.0.15", "src_port": "53012", "timestamp": "2022-01-22T03:46:38.889361"}
{"action": "login", "password": "test", "protocol": "mysql", "src_ip": "192.168.0.15", "src_port": "53012", "status": "success", "timestamp": "2022-01-22T03:46:38.891153", "username": "test"}
Done testing QMysqlServer
Start testing QMSSQLServer
{"action": "process", "password": "test", "protocol": "mssql", "src_ip": "172.17.0.1", "src_port": "45141", "status": "success", "timestamp": "2022-01-22T03:46:38.939657", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "45141", "protocol": "mssql", "src_ip": "192.168.0.15", "src_port": "57128", "timestamp": "2022-01-22T03:46:40.949323"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "45141", "password": "test", "protocol": "mssql", "src_ip": "192.168.0.15", "src_port": "57128", "status": "success", "timestamp": "2022-01-22T03:46:40.950085", "username": "test"}
Done testing QMSSQLServer
Start testing QElasticServer
{"action": "process", "password": "test", "protocol": "elastic", "src_ip": "172.17.0.1", "src_port": "51143", "status": "success", "timestamp": "2022-01-22T03:46:41.003913", "username": "elastic"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "51143", "protocol": "elastic", "src_ip": "192.168.0.15", "src_port": "33216", "timestamp": "2022-01-22T03:46:43.053909"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "51143", "password": "test", "protocol": "elastic", "src_ip": "192.168.0.15", "src_port": "33216", "status": "success", "timestamp": "2022-01-22T03:46:43.054433", "username": "elastic"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "51143", "protocol": "elastic", "src_ip": "192.168.0.15", "src_port": "33218", "timestamp": "2022-01-22T03:46:43.058029"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "51143", "password": "test", "protocol": "elastic", "src_ip": "192.168.0.15", "src_port": "33218", "status": "success", "timestamp": "2022-01-22T03:46:43.058657", "username": "elastic"}
Done testing QElasticServer
Start testing QVNCServer
{"action": "process", "password": "test", "protocol": "vnc", "src_ip": "172.17.0.1", "src_port": "57851", "status": "success", "timestamp": "2022-01-22T03:46:43.102100", "username": "test"}
Done testing QVNCServer
Start testing QLDAPServer
{"action": "process", "password": "test", "protocol": "ldap", "src_ip": "172.17.0.1", "src_port": "40765", "status": "success", "timestamp": "2022-01-22T03:46:45.152067", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "40765", "protocol": "ldap", "src_ip": "192.168.0.15", "src_port": "57373", "timestamp": "2022-01-22T03:46:47.210234"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "40765", "password": "test", "protocol": "ldap", "src_ip": "192.168.0.15", "src_port": "57373", "status": "success", "timestamp": "2022-01-22T03:46:47.211163", "username": "test"}
Done testing QLDAPServer
Start testing QNTPServer
{"action": "process", "protocol": "ntp", "src_ip": "172.17.0.1", "src_port": "36495", "status": "success", "timestamp": "2022-01-22T03:46:47.253987"}
{"action": "connection", "protocol": "ntp", "src_ip": "192.168.0.15", "src_port": "44448", "timestamp": "2022-01-22T03:46:49.257737"}
{"action": "query", "dst_ip": "172.17.0.1", "dst_port": "36495", "mode": "3", "protocol": "ntp", "src_ip": "192.168.0.15", "src_port": "44448", "status": "success", "timestamp": "2022-01-22T03:46:49.258455", "version": "3"}
Done testing QNTPServer
Start testing QMemcacheServer
{"action": "process", "protocol": "memcache", "src_ip": "172.17.0.1", "src_port": "35825", "status": "success", "timestamp": "2022-01-22T03:46:49.306115"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "35825", "protocol": "memcache", "src_ip": "192.168.0.15", "src_port": "46490", "timestamp": "2022-01-22T03:46:51.308398"}
{"action": "stats", "dst_ip": "172.17.0.1", "dst_port": "35825", "protocol": "memcache", "src_ip": "192.168.0.15", "src_port": "46490", "timestamp": "2022-01-22T03:46:51.309034"}
Done testing QMemcacheServer
Start testing QOracleServer
{"action": "process", "protocol": "oracle", "src_ip": "172.17.0.1", "src_port": "43345", "status": "success", "timestamp": "2022-01-22T03:46:51.353859"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "43345", "protocol": "oracle", "src_ip": "192.168.0.15", "src_port": "49554", "timestamp": "2022-01-22T03:46:53.357137"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "43345", "local_user": "xxxxxxxxxxxxxx", "program": "linux_1", "protocol": "oracle", "service_name": "xe", "src_ip": "192.168.0.15", "src_port": "49554", "timestamp": "2022-01-22T03:46:53.357850"}
Done testing QOracleServer
Start testing QSNMPServer
{"action": "process", "protocol": "snmp", "src_ip": "172.17.0.1", "src_port": "52579", "status": "success", "timestamp": "2022-01-22T03:46:53.416258"}
Done testing QSNMPServer

I pushed that as honeypots==0.40 - Let me know your thoughts (Is there anything I missed or anything you would like me to add?)

@t3chn0m4g3
Author

Awesome. I will be running detailed tests with the ELK stack.

@t3chn0m4g3
Author

Just started with the testing and I noticed the following:

  1. Did the config.json format change? The config I was using for the previous version worked fine, but it's ignoring the port settings. All honeypot services (--setup all) start up with a dynamic port.
Recreating honeypots ... done
Attaching to honeypots
honeypots    | [x] Use [Enter] to exit or python3 -m honeypots --kill
honeypots    | [x] config.json file overrides --ip, --port, --username and --password
honeypots    | {"action": "process", "protocol": "dns", "src_ip": "0.0.0.0", "src_port": "34817", "status": "success", "timestamp": "2022-01-24T16:59:48.930976"}
honeypots    | {"action": "process", "password": "anonymous", "protocol": "ftp", "src_ip": "0.0.0.0", "src_port": "53323", "status": "success", "timestamp": "2022-01-24T16:59:48.937545", "username": "ftp"}
honeypots    | {"action": "process", "protocol": "http_proxy", "src_ip": "0.0.0.0", "src_port": "36907", "status": "success", "timestamp": "2022-01-24T16:59:48.946403"}
honeypots    | {"action": "process", "password": "admin", "protocol": "http", "src_ip": "0.0.0.0", "src_port": "45557", "status": "success", "timestamp": "2022-01-24T16:59:48.955996", "username": "admin"}
honeypots    | {"action": "process", "password": "admin", "protocol": "https", "src_ip": "0.0.0.0", "src_port": "58005", "status": "success", "timestamp": "2022-01-24T16:59:48.982523", "username": "admin"}
honeypots    | {"action": "process", "password": "123456", "protocol": "imap", "src_ip": "0.0.0.0", "src_port": "37923", "status": "success", "timestamp": "2022-01-24T16:59:49.009122", "username": "root"}

Setting up the port manually on the command line works fine, but also noticing that the src_port / src_ip should be logged as dest_ip / dest_port. This was probably part of the change from the original ip and port logic.

/opt/honeypots $ python3 honeypots --setup ssh --port 22
[x] Use [Enter] to exit or python3 -m honeypots --kill
[x] Parsing honeypot [normal]
{"action": "process", "password": "test", "protocol": "ssh", "src_ip": "0.0.0.0", "src_port": "22", "status": "success", "timestamp": "2022-01-24T17:05:04.396074", "username": "test"}
[x] Everything looks good!
  2. Having an option to specify a logfile name that can be taken care of easily by logrotate is something that really helps keeping track of logs. The current implementation adds a UUID without a suffix which makes log file management hard to handle on daily basis.

Happy to continue testing, please let me know if the config needs adjustments or it needs to be loaded differently, but I could not see any changes.

@giga-a
Member

giga-a commented Jan 24, 2022

Hey @t3chn0m4g3 :) Thanks for sharing that - and I just fixed all of them.

Did the config.json format change? The config I was using for the previous version worked fine, but it's ignoring the port settings. All honeypot services (--setup all) start up with a dynamic port.

There are a few changes, but the issue was related to this line: when I replaced all the 'port' with 'src_port', this one got replaced too.

                        if var == 'src_port':
                            setattr(self, 'auto_disabled', True)

Setting up the port manually on the command line works fine, but also noticing that the src_port / src_ip should be logged as dest_ip / dest_port. This was probably part of the change from the original ip and port logic.

My bad, I fixed that.

import honeypots
from time import sleep
from pkg_resources import get_distribution
print("Version: ",get_distribution('honeypots').version)
for server, cls in honeypots.__dict__.items():
    if server.endswith('Server'):
        print("Start testing {}".format(server))
        temp_server = cls()
        temp_server.run_server(process=True, auto=True)
        sleep(2)
        temp_server.test_server()
        temp_server.kill_server()
        print("Done testing {}".format(server))
honeypots.clean_all()
exit()

output

Version:  0.41
Start testing QDNSServer
{"action": "process", "dest_ip": "0.0.0.0", "dest_port": "51229", "protocol": "dns", "status": "success", "timestamp": "2022-01-24T19:42:03.399035"}
{"action": "connection", "dest_ip": "127.0.0.1", "dest_port": "43297", "protocol": "dns", "src_ip": "0.0.0.0", "src_port": "51229", "timestamp": "2022-01-24T19:42:05.416242"}
{"action": "query", "dest_ip": "127.0.0.1", "dest_port": "43297", "payload": "<A address=93.184.216.34 ttl=5644>", "protocol": "dns", "src_ip": "0.0.0.0", "src_port": "51229", "timestamp": "2022-01-24T19:42:05.416472"}
{"action": "connection", "dest_ip": "127.0.0.1", "dest_port": "54958", "protocol": "dns", "src_ip": "0.0.0.0", "src_port": "51229", "timestamp": "2022-01-24T19:42:05.532517"}
{"action": "query", "dest_ip": "127.0.0.1", "dest_port": "54958", "payload": "<A address=93.184.216.34 ttl=13561>", "protocol": "dns", "src_ip": "0.0.0.0", "src_port": "51229", "timestamp": "2022-01-24T19:42:05.532611"}
{"action": "connection", "dest_ip": "127.0.0.1", "dest_port": "43065", "protocol": "dns", "src_ip": "0.0.0.0", "src_port": "51229", "timestamp": "2022-01-24T19:42:05.748014"}
...
...
...

Having an option to specify a logfile name that can be taken care of easily by logrotate is something that really helps keeping track of logs. The current implementation adds a UUID without a suffix which makes log file management hard to handle on daily basis.

I added an option for that, in each honeypot you can specify the log rotate options (file name, max bytes and backup count). The file name gets joined with the logs_location.

Happy to continue testing, please let me know if the config needs adjustments or it needs to be loaded differently, but I could not see any changes.

Here is a new config file based on the one shared

sudo -E python3 -m honeypots --setup all --config config.json
{
  "logs": "file,terminal,json,tpot",
  "logs_location":"/var/log/honeypots/",
  "syslog_address": "",
  "syslog_facility": 0,
  "postgres": "",
  "db_options": [],
  "filter": "",
  "interface": "",
  "honeypots": {
    "dns": {
      "port": 53,
      "ip": "0.0.0.0",
      "username": "administrator",
      "password": "123456",
      "log_file_name": "dns.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "ftp": {
      "port": 21,
      "ip": "0.0.0.0",
      "username": "ftp",
      "password": "anonymous",
      "log_file_name": "ftp.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "httpproxy": {
      "port": 8080,
      "ip": "0.0.0.0",
      "username": "admin",
      "password": "admin",
      "log_file_name": "httpproxy.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "http": {
      "port": 80,
      "ip": "0.0.0.0",
      "username": "admin",
      "password": "admin",
      "log_file_name": "http.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "https": {
      "port": 443,
      "ip": "0.0.0.0",
      "username": "admin",
      "password": "admin",
      "log_file_name": "https.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "imap": {
      "port": 143,
      "ip": "0.0.0.0",
      "username": "root",
      "password": "123456",
      "log_file_name": "imap.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "mysql": {
      "port": 3306,
      "ip": "0.0.0.0",
      "username": "root",
      "password": "123456",
      "log_file_name": "mysql.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "pop3": {
      "port": 110,
      "ip": "0.0.0.0",
      "username": "root",
      "password": "123456",
      "log_file_name": "pop3.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "postgres": {
      "port": 5432,
      "ip": "0.0.0.0",
      "username": "postgres",
      "password": "123456",
      "log_file_name": "postgres.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "redis": {
      "port": 6379,
      "ip": "0.0.0.0",
      "username": "root",
      "password": "",
      "log_file_name": "redis.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "smb": {
      "port": 445,
      "ip": "0.0.0.0",
      "username": "administrator",
      "password": "123456",
      "log_file_name": "smb.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "smtp": {
      "port": 25,
      "ip": "0.0.0.0",
      "username": "root",
      "password": "123456",
      "log_file_name": "smtp.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "socks5": {
      "port": 1080,
      "ip": "0.0.0.0",
      "username": "admin",
      "password": "admin",
      "log_file_name": "socks5.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "ssh": {
      "port": 22,
      "ip": "0.0.0.0",
      "username": "root",
      "password": "123456",
      "log_file_name": "ssh.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "telnet": {
      "port": 23,
      "ip": "0.0.0.0",
      "username": "root",
      "password": "123456",
      "log_file_name": "telnet.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "vnc": {
      "port": 5900,
      "ip": "0.0.0.0",
      "username": "administrator",
      "password": "123456",
      "log_file_name": "vnc.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "elastic": {
      "port": 9200,
      "ip": "0.0.0.0",
      "username": "elastic",
      "password": "123456",
      "log_file_name": "elastic.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "mssql": {
      "port": 1433,
      "ip": "0.0.0.0",
      "username": "sa",
      "password": "",
      "log_file_name": "mssql.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "ldap": {
      "port": 389,
      "ip": "0.0.0.0",
      "username": "administrator",
      "password": "123456",
      "log_file_name": "ldap.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "ntp": {
      "port": 123,
      "ip": "0.0.0.0",
      "username": "administrator",
      "password": "123456",
      "log_file_name": "ntp.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "memcache": {
      "port": 11211,
      "ip": "0.0.0.0",
      "username": "admin",
      "password": "123456",
      "log_file_name": "memcache.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "oracle": {
      "port": 1521,
      "ip": "0.0.0.0",
      "username": "bi",
      "password": "123456",
      "log_file_name": "oracle.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "snmp": {
      "port": 161,
      "ip": "0.0.0.0",
      "username": "privUser",
      "password": "123456",
      "log_file_name": "snmp.log",
      "max_bytes": 10000,
      "backup_count": 10
    }
  }
}

List all logs

$ ls -l /var/log/honeypots/
total 88
-rw-r--r-- 1 root root  197 Jan 24 11:29 elastic.log
-rw-r--r-- 1 root root  190 Jan 24 11:29 ftp.log
-rw-r--r-- 1 root root  189 Jan 24 11:29 http.log
-rw-r--r-- 1 root root  155 Jan 24 11:29 httpproxy.log
-rw-r--r-- 1 root root  191 Jan 24 11:29 https.log
-rw-r--r-- 1 root root  190 Jan 24 11:29 imap.log
-rw-r--r-- 1 root root  199 Jan 24 11:29 ldap.log
-rw-r--r-- 1 root root  154 Jan 24 11:29 memcache.log
-rw-r--r-- 1 root root  188 Jan 24 11:29 mssql.log
-rw-r--r-- 1 root root  192 Jan 24 11:29 mysql.log
-rw-r--r-- 1 root root  147 Jan 24 11:29 ntp.log
-rw-r--r-- 1 root root  151 Jan 24 11:29 oracle.log
-rw-r--r-- 1 root root  190 Jan 24 11:29 pop3.log
-rw-r--r-- 1 root root  199 Jan 24 11:29 postgres.log
-rw-r--r-- 1 root root  190 Jan 24 11:29 redis.log
-rw-r--r-- 1 root root  213 Jan 24 11:29 smb.log
-rw-r--r-- 1 root root  189 Jan 24 11:29 smtp.log
-rw-r--r-- 1 root root  148 Jan 24 11:29 snmp.log
-rw-r--r-- 1 root root  193 Jan 24 11:29 socks5.log
-rw-r--r-- 1 root root 1243 Jan 24 11:30 ssh.log
-rw-r--r-- 1 root root  191 Jan 24 11:29 telnet.log
-rw-r--r-- 1 root root  199 Jan 24 11:29 vnc.log

Check ssh logs

tail /var/log/honeypots/ssh.log
{'timestamp': '2022-01-24T19:29:12.334929', 'action': 'process', 'status': 'success', 'dest_ip': '0.0.0.0', 'dest_port': '22', 'username': 'root', 'password': '123456', 'protocol': 'ssh'}
{'timestamp': '2022-01-24T19:29:55.371746', 'action': 'connection', 'dest_ip': '127.0.0.1', 'dest_port': '50970', 'src_ip': '0.0.0.0', 'src_port': '22', 'protocol': 'ssh'}
{'timestamp': '2022-01-24T19:30:03.875390', 'action': 'connection', 'dest_ip': '127.0.0.1', 'dest_port': '50972', 'src_ip': '0.0.0.0', 'src_port': '22', 'protocol': 'ssh'}
{'timestamp': '2022-01-24T19:30:08.544179', 'action': 'login', 'status': 'failed', 'dest_ip': '127.0.0.1', 'dest_port': '50972', 'src_ip': '0.0.0.0', 'src_port': '22', 'username': 'test', 'password': 'test', 'protocol': 'ssh'}
{'timestamp': '2022-01-24T19:30:09.520196', 'action': 'login', 'status': 'failed', 'dest_ip': '127.0.0.1', 'dest_port': '50972', 'src_ip': '0.0.0.0', 'src_port': '22', 'username': 'test', 'password': 'test', 'protocol': 'ssh'}
{'timestamp': '2022-01-24T19:30:10.288140', 'action': 'login', 'status': 'failed', 'dest_ip': '127.0.0.1', 'dest_port': '50972', 'src_ip': '0.0.0.0', 'src_port': '22', 'username': 'test', 'password': 'test', 'protocol': 'ssh'}

I pushed 0.41, let me know if it works!

@t3chn0m4g3
Author

Thank you! Ports open and logs are written as expected!

Just started testing and noticed that src / dest are reversed, but not always or for all honeypots (process reports correctly, connection gets logged reversed):

{'timestamp': '2022-01-25T13:30:12.293001', 'action': 'process', 'status': 'success', 'dest_ip': '0.0.0.0', 'dest_port': '23', 'username': 'root', 'password': '123456', 'protocol': 'telnet'}
{'timestamp': '2022-01-25T13:31:34.356248', 'action': 'connection', 'dest_ip': 'xxx.111.57.179', 'dest_port': '42120', 'src_ip': '0.0.0.0', 'src_port': '23', 'protocol': 'telnet'}

Example that logging generally works with the issue src / dest being reversed:

{'timestamp': '2022-01-25T13:30:11.948180', 'action': 'process', 'status': 'success', 'dest_ip': '0.0.0.0', 'dest_port': '80', 'username': 'admin', 'password': 'admin', 'protocol': 'http'}
{'timestamp': '2022-01-25T13:35:59.999349', 'action': 'connection', 'dest_ip': '192.168.112.2', 'dest_port': '80', 'src_ip': '0.0.0.0', 'src_port': '80', 'request': {'Host': 'xxx.150.231.74:80', 'User-Agent': 'Linux Gnu (cow)', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'en-GB,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Connection': 'close', 'Upgrade-Insecure-Requests': '1', 'method': 'GET', 'uri': '/'}, 'protocol': 'http'}
{'timestamp': '2022-01-25T13:35:59.999863', 'action': 'GET', 'dest_ip': '192.168.112.2', 'dest_port': '80', 'src_ip': '0.0.0.0', 'src_port': '80', 'protocol': 'http'}

Another reversed example:

{"action": "query", "dest_ip": "xxx.189.30.129", "dest_port": "59945", "payload": "<UNKNOWN data='\\x00/\\x07\\x02\\x00\\x00\\x0e\\x10a\\x87k\\xeb_\\xa6*[\\xebR\\x08pizzaseo\\x03com\\x00\\xc1\\xa4\\x1e~r\\xf7\\x00\\x90\\xc5\\xd9:\\x02\\xd8\\xea\\x1e\\x1aK\\xab\\xe4\\xe4\\xf0\\xb9\\x95U[3\\xbd\\xf0K\\x16b\\xee\\xe5\\xe7\\x8d\\xc3\\x16\\x19\\xf69\\x8a\\x02|\\xa5\\x89\\xed\\x1cj\\x00\\xdf\\nd^\\xa3B\\xe0\\xc20ir\\x0b\\xa2\\xd3\\x11\\xb8\\x14~\\x0c\\xc3\\xdf\\xb2\\xa8\\x18\\xe88\\xa5\\xb8\\x9d\\x04\\x88\\x04C2\\x00+\\xcc\\xa7p)\\xa2\\xc0f=\\xb8}\\xc3\\x80\\xd4\\x1c}\\x17\\x14\\xd6\\xb47b\\xd9~\\x90SBQ\\xa45F9\\x08\\xd8\\xc2\\x97\\xda\\x98\\xce\\xe6\\xaegc\\xc8\\x8c\\x06 \\x08(\\t\\xa1\\xd8\\xcb\\x89\\xdf\\x07\\x07\\xcfy`\"\\xe5\\xb1\\x06\\xb4\\xe6_\\xc4\\xc0\\xe14O\\xc4\\xaa\\xca;_V\\x01Gm\\x95\\xefV\\xe5\\x98\\x198\\x9b\\xf2<\\xab1\\xe8\\rRN\\x85\\xe5\\xd8\\xf2\\x08\\xae\\x03bt\\xe2$\\x04\\xf6g\\xd7\\x1e\\xc4\\xd0(7\\xc6*\\'\\x0cP\\\\\\x93cZ\\x9205\\xdf2\\xb8\\xca>O\\xb4\\x8b\\xe3U\\x8d\\x95\\x05\\xa2\\xd1\\xf1eh\\xbakj\\x94\\x11\\x19CMz\\x98\\xc9\\xdc\\xfb\\x91\\x8c\\xd75\\xf3\\xd8\\x82\\x02\\x87\\xdc\\'\\xc7\\xc9\\x83_\\xff\\x95\\x88\\xce\\nZ\\xa2\\xe3\\xdb\\x1d\\x87\\xe8\\x8c\\xfe0\\x16k\\x14\\xc4ADh\\xc8\\xe50s%\\x1b\\x0b\\x8a\\xd7*\\x1f-\\xed\\x91l\\x9c\\xa1\\xc8X\\xdf\\x11\\xc7x\\x8d\\x8e\\x91\\xf5|\\xa8\\xbd\\xcav\\xc8\\xa1\\x99\\xeb7\\x10\\x91\\xfc\\xb4\\x0e\\xd0\\'f\\xdfH\\xc5Re\\xe18e\\x07F\\xe1\\x17@\\x05\\xf8\\xda9h\\xa5E\\x12y@D\\x04\\xf9\\\\6isf)S\\xe5\\x18q\\xc6\\xe8\\xf3j\\x9bv\\x8e\\xa1\\xe4;!x\\xd1\\xe5\\x94Q\\x06\\xf3\\t\\xef\\xc5P\\x07;A\\x99\\xfd\\x00\\xc55\\x0f\\x99\\xb05\\xfe\\x0f\\x01\\x15I\\x00\\xadK\\xea\\xe3\\xb3\\xa0\\x11_\\xd7\\xc0\\x89\\x90S\\xf9\\xb5\\xd9\"\"Z\\xdb\\xa3\\x8f\\xab\\xfa\\xa3\\x86\\x12$h\\x85\\xb1\\x11\\xf93\\x9e\\xd7b\\xec\\xd4\\x84yA\\n\\xb2\\xc7f\\xb3\\xb7\\x91\\x1c?O:h\\x94xF\\x8dh\\xb8\\xf0~\\x19\\xdcy\\xd3\\xac\\xa2\\xa4z*\\xa8d\\xc47\\x17\\x85\\xb3.nc\\x94.9\\xb3a\\xc6\\x17\\xb2}k\\x15k\\xa0\\xe3\\xd5\\x04\\t\\xd8\\xfchj0A\\xf5\\xa3{\\xf5vm' ttl=3240>", "protocol": "dns", "src_ip": "0.0.0.0", "src_port": "53", "timestamp": "2022-01-25T16:17:47.141234"}

Another thing I noticed, especially for SMTP: it would add so much more value if all generated data, i.e. SMTP input commands and data, were logged, ideally with session awareness. There is so much more data right at the fingertips that could be used 😅

@giga-a
Member

giga-a commented Jan 26, 2022

@t3chn0m4g3,

Great! Glad they are working!

Just started testing and noticed that src / dest are reversed, but not always or for all honeypots (process reports correctly, connection gets logged reversed)

Yes, this is the initialization info msg: the telnet honeypot is getting initialized ('action': 'process'), and in this case it's running successfully ('status': 'success'). If there is an issue it will show 'status': 'error' (no connections at this point, just info, that's why there was no src_ip / src_port).

{'timestamp': '2022-01-25T13:30:12.293001', 'action': 'process', 'status': 'success', 'dest_ip': '0.0.0.0', 'dest_port': '23', 'username': 'root', 'password': '123456', 'protocol': 'telnet'}

And, this one means there is a current connection

{'timestamp': '2022-01-25T13:31:34.356248', 'action': 'connection', 'dest_ip': 'xxx.111.57.179', 'dest_port': '42120', 'src_ip': '0.0.0.0', 'src_port': '23', 'protocol': 'telnet'}

But, I added "src_ip": "0.0.0.0", "src_port": "0" to all of them, so all the output has src_ip, src_port, dest_ip, dest_port

True! I can look at the old honeypots code and add the capabilities of SMTP and other honeypots (I was only focusing on logging the username and password). I have added this note to my To do list, and hopefully I start working on it soon!

I just pushed 0.42 which should show src_ip src_port dest_ip dest_port and fixed the smb one! 🎉 🎉 🎉 🎉

@t3chn0m4g3
Author

Thank you!

Looking at a current brute force attempt coming from 122.186.xx.yy:

{'timestamp': '2022-01-26T11:38:39.659063', 'action': 'login', 'status': 'failed', 'dest_ip': '122.186.xx.yy', 'dest_port': '56362', 'src_ip': '0.0.0.0', 'src_port': '21', 'username': 'test', 'password': 'password1', 'protocol': 'ftp'}
{'timestamp': '2022-01-26T11:38:40.964431', 'action': 'login', 'status': 'failed', 'dest_ip': '122.186.xx.yy', 'dest_port': '56434', 'src_ip': '0.0.0.0', 'src_port': '21', 'username': 'test', 'password': 'r00t', 'protocol': 'ftp'}
{'timestamp': '2022-01-26T11:38:42.288664', 'action': 'login', 'status': 'failed', 'dest_ip': '122.186.xx.yy', 'dest_port': '56525', 'src_ip': '0.0.0.0', 'src_port': '21', 'username': 'test', 'password': 'tomcat', 'protocol': 'ftp'}
{'timestamp': '2022-01-26T11:38:43.597683', 'action': 'login', 'status': 'failed', 'dest_ip': '122.186.xx.yy', 'dest_port': '56631', 'src_ip': '0.0.0.0', 'src_port': '21', 'username': 'test', 'password': '5201314', 'protocol': 'ftp'}
{'timestamp': '2022-01-26T11:38:45.777623', 'action': 'login', 'status': 'failed', 'dest_ip': '122.186.xx.yy', 'dest_port': '56730', 'src_ip': '0.0.0.0', 'src_port': '21', 'username': 'test', 'password': 'system', 'protocol': 'ftp'}
{'timestamp': '2022-01-26T11:38:47.046771', 'action': 'login', 'status': 'failed', 'dest_ip': '122.186.xx.yy', 'dest_port': '56869', 'src_ip': '0.0.0.0', 'src_port': '21', 'username': 'test', 'password': 'pass', 'protocol': 'ftp'}

According to the logs the attacker's source IP is currently logged as 'dest_ip': '122.186.xx.yy', but this should be logged as 'src_ip': '122.186.xx.yy'. The attacker's source port is usually a high port which should be logged as 'src_port':'56869'. The destination port is always the service port the honeypot is running on, i.e. 21, 22 or 23, while the destination IP is usually the IP the service is bound / exposed on, i.e. 192.168.23.64.

I was unclear what I meant with "reverse", sorry.
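As an added example (not code from the honeypots project or from either participant), here is a small Python check for the orientation problem described in this comment. It parses a log line in either format seen in this thread (JSON or the Python dict repr), compares src_port and dest_port against the port the honeypot listens on, and swaps the endpoints when the record is reversed, which is the kind of normalization you would want in front of an ELK ingest while running a version with the bug. The SERVICE_PORTS mapping and the sample lines are constructed for the example; a documentation-range address stands in for the masked 122.186.xx.yy.

```python
import ast
import json

# Constructed sample records. The first mimics the reversed output discussed in
# this thread (attacker under dest_*, listening port under src_port); the second
# is correctly oriented JSON, as later versions emit it.
SAMPLE_LINES = [
    "{'timestamp': '2022-01-26T11:38:39.659063', 'action': 'login', 'status': 'failed', "
    "'dest_ip': '203.0.113.5', 'dest_port': '56362', 'src_ip': '0.0.0.0', 'src_port': '21', "
    "'username': 'test', 'password': 'password1', 'protocol': 'ftp'}",
    '{"action": "login", "dest_ip": "0.0.0.0", "dest_port": "21", "password": "w", '
    '"protocol": "ftp", "src_ip": "127.0.0.1", "src_port": "44640", "status": "failed", '
    '"timestamp": "2022-01-27T04:49:48.076218", "username": "w"}',
]

# Assumed mapping of honeypot protocol name to the port it listens on.
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "http": 80}


def parse_record(line):
    """Parse one log line, accepting JSON first and the Python dict repr as a fallback."""
    line = line.strip()
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        # Python repr with single quotes; literal_eval is safe for dict/str/int literals.
        return ast.literal_eval(line)


def endpoints_swapped(rec, service_ports=SERVICE_PORTS):
    """True when src_port carries the honeypot's listening port and dest_port does not.

    Init records ('action': 'process') carry no src_* fields and are never flagged.
    """
    svc = service_ports.get(rec.get("protocol"))
    if svc is None or "src_port" not in rec or "dest_port" not in rec:
        return False
    return int(rec["src_port"]) == svc and int(rec["dest_port"]) != svc


def normalize(rec, service_ports=SERVICE_PORTS):
    """Return a copy of the record with src_* and dest_* swapped if they were reversed."""
    out = dict(rec)
    if endpoints_swapped(rec, service_ports):
        out["src_ip"], out["dest_ip"] = rec["dest_ip"], rec["src_ip"]
        out["src_port"], out["dest_port"] = rec["dest_port"], rec["src_port"]
        out["normalized"] = True  # mark the record so the rewrite is visible downstream
    return out


def normalize_lines(lines, service_ports=SERVICE_PORTS):
    """Parse and normalize a list of raw log lines."""
    return [normalize(parse_record(line), service_ports) for line in lines]


if __name__ == "__main__":
    for rec in normalize_lines(SAMPLE_LINES):
        print(json.dumps(rec, sort_keys=True))
```

The check deliberately keys on the listening port rather than on which address is 0.0.0.0, because the bind address is a wildcard in every record in this thread and cannot distinguish the two directions on its own.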

@giga-a giga-a pinned this issue Jan 26, 2022
@giga-a
Member

giga-a commented Jan 27, 2022

Hey @t3chn0m4g3 :)

No worries at all, my bad, I fixed that in 0.46 and added more features:

custom_filter, this can be used to filter or alter msg

  • change {} replace keys of msg with different ones, you can replace process with protocol as {"process":"protocol"} and so on
  • contains [] values that must be in the msg, otherwise the msg will be dismissed. If you have ["protocol","action"] then the msg must have protocol and action
  • remove [] values that will be removed from the msg as ['protocol','src_ip'].
  • options []
    • remove_errors removes all the error msg
    • remove_init removes all the init msg
    • remove_word_server this removes the prefix _server
    • dump_json_to_file this uses json.dumps (might not be needed, each line is serialized)

here is an example for tpot with custom_filter

{
   "logs":"file,terminal,json,tpot",
   "logs_location":"/var/log/honeypots/",
   "syslog_address":"",
   "syslog_facility":0,
   "postgres":"",
   "db_options":[],
   "filter":"",
   "interface":"",
   "honeypots":{
      "ftp":{
         "port":21,
         "ip":"0.0.0.0",
         "username":"ftp",
         "password":"anonymous",
         "log_file_name":"ftp.log",
         "max_bytes":10000,
         "backup_count":10
      }
   },
   "custom_filter":{
      "honeypots":{
         "change":{
            "server":"protocol"
         },
         "contains":[
            "protocol",
            "action",
            "src_ip",
            "src_port",
            "dest_ip",
            "dest_port"
         ],
         "remove":[],
         "options":[
            "remove_errors",
            "remove_init",
            "remove_word_server"
         ]
      }
   }
}
{"action": "login", "dest_ip": "0.0.0.0", "dest_port": "21", "password": "we", "protocol": "ftp", "src_ip": "127.0.0.1", "src_port": "44640", "status": "failed", "timestamp": "2022-01-27T04:49:48.076218", "username": "w"}

Here is a test with the tpot.txt config file

$ sudo -E python3 -m honeypots --setup all --config '/home/test/Desktop/tpot.txt' 
[x] Use [Enter] to exit or python3 -m honeypots --kill
[x] config.json file overrides --ip, --port, --username and --password
[x] Everything looks good!
{"action": "login", "dest_ip": "0.0.0.0", "dest_port": "21", "password": "w", "protocol": "ftp", "src_ip": "127.0.0.1", "src_port": "44522", "status": "failed", "timestamp": "2022-01-27T00:31:21.465789", "username": "w"}
$ tail /var/log/honeypots/ftp.log 
{'timestamp': '2022-01-27T00:31:21.465789', 'action': 'login', 'status': 'failed', 'src_ip': '127.0.0.1', 'src_port': '44522', 'dest_ip': '0.0.0.0', 'dest_port': '21', 'username': 'w', 'password': 'w', 'protocol': 'ftp'}

Here is the new config file for tpot.txt [updated 27/1/2022]

Let me know if that helps!
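The following Python is an added example, not the project's own custom_filter implementation, showing one way to apply the change / contains / remove / options rules described in this comment to a message before it is shipped to ELK. The order in which the rules are applied, treating remove_init as dropping 'action': 'process' messages, and treating remove_word_server as stripping a trailing _server from the value are assumptions made for the example; the sample messages are constructed.

```python
import copy

# custom_filter section from the tpot example above.
CUSTOM_FILTER = {
    "change": {"server": "protocol"},
    "contains": ["protocol", "action", "src_ip", "src_port", "dest_ip", "dest_port"],
    "remove": [],
    "options": ["remove_errors", "remove_init", "remove_word_server"],
}

# Constructed messages: an init record, a failed login, an init error, and a
# connection record that lacks src_* fields.
SAMPLE_MSGS = [
    {"timestamp": "2022-01-27T04:49:00.000000", "action": "process", "status": "success",
     "dest_ip": "0.0.0.0", "dest_port": "21", "server": "ftp_server"},
    {"timestamp": "2022-01-27T04:49:48.076218", "action": "login", "status": "failed",
     "src_ip": "127.0.0.1", "src_port": "44640", "dest_ip": "0.0.0.0", "dest_port": "21",
     "username": "w", "password": "we", "server": "ftp_server"},
    {"timestamp": "2022-01-27T04:49:01.000000", "action": "process", "status": "error",
     "dest_ip": "0.0.0.0", "dest_port": "21", "server": "ftp_server"},
    {"timestamp": "2022-01-27T04:49:50.000000", "action": "connection",
     "dest_ip": "0.0.0.0", "dest_port": "21", "server": "ftp_server"},
]


def apply_custom_filter(msg, cfg):
    """Apply change / contains / remove / options to one msg.

    Returns the rewritten dict, or None when the msg is dismissed.
    """
    msg = copy.deepcopy(msg)
    options = cfg.get("options", [])

    # options: drop error and init messages before any rewriting.
    if "remove_errors" in options and msg.get("status") == "error":
        return None
    if "remove_init" in options and msg.get("action") == "process":
        return None

    # change: rename keys, e.g. {"server": "protocol"}.
    for old, new in cfg.get("change", {}).items():
        if old in msg:
            msg[new] = msg.pop(old)

    # remove_word_server: strip the "_server" suffix from the protocol/server value.
    if "remove_word_server" in options:
        for key in ("protocol", "server"):
            value = msg.get(key)
            if isinstance(value, str) and value.endswith("_server"):
                msg[key] = value[: -len("_server")]

    # remove: drop listed keys (e.g. to keep passwords out of a shared index).
    for key in cfg.get("remove", []):
        msg.pop(key, None)

    # contains: every listed key must be present, otherwise dismiss the msg.
    if any(key not in msg for key in cfg.get("contains", [])):
        return None
    return msg


def filter_messages(msgs, cfg):
    """Run a batch of messages through the filter and keep the survivors."""
    filtered = (apply_custom_filter(m, cfg) for m in msgs)
    return [m for m in filtered if m is not None]


if __name__ == "__main__":
    for out in filter_messages(SAMPLE_MSGS, CUSTOM_FILTER):
        print(out)
```

With the tpot configuration only the login record survives: the init and error records fall to the options, the connection record lacks the src_* keys required by contains, and server: ftp_server becomes protocol: ftp.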

@t3chn0m4g3
Author

This is perfect! Thank you, works as expected!

@t3chn0m4g3
Author

t3chn0m4g3 commented Jan 27, 2022

Here is the result on my end :)
[screenshot: dash]

@giga-a
Member

giga-a commented Jan 27, 2022

@t3chn0m4g3 Awesome, that's absolutely perfect, and I love the dashboard!!! (Haha, no one saw the IPs.. except me)

If you encounter any issues in this project or other projects, please let me know (I will start adding the stripped capabilities from SMTP and other honeypots in the next month or so).

P.S. I pinned this issue because I feel that some of the honeypots users will contact me in the next few days asking about the new msg format.

@giga-a giga-a changed the title Native JSON logging Native JSON logging [Fixed, and changed output format] Jan 27, 2022
@t3chn0m4g3
Author

What can I say... I guess it was a little bit too late (or early in the morning) 😄

@t3chn0m4g3 Awesome, that's absolutely perfect, and I love the dashboard!!! (Haha, no one saw the IPs.. except me)

Sound awesome. Thank you :)

@giga-a
Member

giga-a commented Apr 15, 2022

@t3chn0m4g3

Another thing I noticed, especially for SMTP: it would add so much more value if all generated data, i.e. SMTP input commands and data, were logged, ideally with session awareness. There is so much more data right at the fingertips that could be used

I added that a few months ago but totally forgot to mention it to you! You can add capture_commands to all of them and if the honeypot has the capture commands feature, it will be activated (Currently works with QFTPServer, QIMAPServer, QPOP3Server, QSMTPServer, QSIPServer and QIRCServer)

...
      "http":{
         "port":80,
         "ip":"0.0.0.0",
         "username":"admin",
         "password":"admin",
         "log_file_name":"http.log",
         "max_bytes":10000,
         "backup_count":10,
         "options":["fix_get_client_ip","capture_commands"]
      } 
...

Or you can add HONEYPOTS_OPTIONS environment variable with capture_commands

:)

@t3chn0m4g3
Author

Awesome! Will check it out ASAP!
Thank you!

giga-a pushed a commit that referenced this issue Feb 19, 2024
@jmicjmic

Everything is functioning excellently. However, I’m seeking one additional feature: the ability to add fields, complementing the existing option to remove them. Specifically, I’d like to introduce a field named ‘tenant’ and populate it with the customer’s name.
This enhancement would provide me with improved multi-tenant management capabilities in ELK.

Hey @t3chn0m4g3 :)

No worries at all, my bad, I fixed that in 0.46 and added more features:

custom_filter, this can be used to filter or alter msg

  • change {} replace keys of msg with different ones, you can replace process with protocol as {"process":"protocol"} and so on
  • contains [] values that must be in the msg, otherwise the msg will be dismissed. If you have ["protocol","action"] then the msg must have protocol and action
  • remove [] values that will be removed from the msg as ['protocol','src_ip'].
  • options []
    • remove_errors removes all the error msg
    • remove_init removes all the init msg
    • remove_word_server this removes the prefix _server
    • dump_json_to_file this uses json.dumps (might not be needed, each line is serialized)
