Native JSON logging [Fixed, and changed output format] #15
Hey @t3chn0m4g3!
Awesome, looking forward to it :)
Okay!

```shell
pip3 install honeypots==0.40
pip3 install honeypots[test]==0.40
```

```python
import honeypots
from time import sleep

for server, cls in honeypots.__dict__.items():
    if server.endswith('Server'):
        print("Start testing {}".format(server))
        temp_server = cls(ip='172.17.0.1')
        temp_server.run_server(process=True, auto=True)
        sleep(2)
        temp_server.test_server()
        temp_server.kill_server()
        print("Done testing {}".format(server))
honeypots.clean_all()
```

Start testing QDNSServer
{"action": "process", "protocol": "dns", "src_ip": "172.17.0.1", "src_port": "48219", "status": "success", "timestamp": "2022-01-22T03:46:07.236534"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "48219", "protocol": "dns", "src_ip": "192.168.0.15", "src_port": "40405", "timestamp": "2022-01-22T03:46:09.257576"}
{"action": "query", "dst_ip": "172.17.0.1", "dst_port": "48219", "payload": "<A address=93.184.216.34 ttl=9760>", "protocol": "dns", "src_ip": "192.168.0.15", "src_port": "40405", "timestamp": "2022-01-22T03:46:09.258078"}
Done testing QDNSServer
Start testing QFTPServer
{"action": "process", "password": "test", "protocol": "ftp", "src_ip": "172.17.0.1", "src_port": "37849", "status": "success", "timestamp": "2022-01-22T03:46:09.307283", "username": "test"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "37849", "password": "test", "protocol": "ftp", "src_ip": "192.168.0.15", "src_port": "37562", "status": "success", "timestamp": "2022-01-22T03:46:11.315935", "username": "test"}
Done testing QFTPServer
Start testing QHTTPProxyServer
{"action": "process", "protocol": "http_proxy", "src_ip": "172.17.0.1", "src_port": "44331", "status": "success", "timestamp": "2022-01-22T03:46:11.364338"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "44331", "protocol": "http_proxy", "src_ip": "192.168.0.15", "src_port": "37910", "timestamp": "2022-01-22T03:46:13.372712"}
{"action": "query", "dst_ip": "172.17.0.1", "dst_port": "44331", "payload": "yahoo.com", "protocol": "http_proxy", "src_ip": "192.168.0.15", "src_port": "37910", "timestamp": "2022-01-22T03:46:13.373067"}
Done testing QHTTPProxyServer
Start testing QHTTPServer
{"action": "process", "password": "test", "protocol": "http", "src_ip": "172.17.0.1", "src_port": "38941", "status": "success", "timestamp": "2022-01-22T03:46:14.188397", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "38941", "protocol": "http", "request": {"Accept": "*/*", "Accept-Encoding": "gzip, deflate", "Connection": "keep-alive", "Host": "172.17.0.1:38941", "User-Agent": "python-requests/2.27.1", "method": "GET", "uri": "/"}, "src_ip": "172.17.0.1", "src_port": "38941", "timestamp": "2022-01-22T03:46:16.197069"}
{"action": "GET", "dst_ip": "172.17.0.1", "dst_port": "38941", "protocol": "http", "src_ip": "172.17.0.1", "src_port": "38941", "timestamp": "2022-01-22T03:46:16.197296"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "38941", "protocol": "http", "request": {"Accept": "*/*", "Accept-Encoding": "gzip, deflate", "Connection": "keep-alive", "Content-Length": "27", "Content-Type": "application/x-www-form-urlencoded", "Host": "172.17.0.1:38941", "User-Agent": "python-requests/2.27.1", "method": "POST", "uri": "/login.html"}, "src_ip": "172.17.0.1", "src_port": "38941", "timestamp": "2022-01-22T03:46:16.200447"}
{"action": "POST", "dst_ip": "172.17.0.1", "dst_port": "38941", "protocol": "http", "src_ip": "172.17.0.1", "src_port": "38941", "timestamp": "2022-01-22T03:46:16.200583"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "38941", "password": "test", "protocol": "http", "src_ip": "172.17.0.1", "src_port": "38941", "status": "success", "timestamp": "2022-01-22T03:46:16.200763", "username": "test"}
Done testing QHTTPServer
Start testing QHTTPSServer
{"action": "process", "password": "test", "protocol": "https", "src_ip": "172.17.0.1", "src_port": "35595", "status": "success", "timestamp": "2022-01-22T03:46:16.244015", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "35595", "protocol": "https", "request": {"Accept": "*/*", "Accept-Encoding": "gzip, deflate", "Connection": "keep-alive", "Host": "172.17.0.1:35595", "User-Agent": "python-requests/2.27.1", "method": "GET", "uri": "/"}, "src_ip": "172.17.0.1", "src_port": "35595", "timestamp": "2022-01-22T03:46:18.261230"}
{"action": "GET", "dst_ip": "172.17.0.1", "dst_port": "35595", "protocol": "https", "src_ip": "172.17.0.1", "src_port": "35595", "timestamp": "2022-01-22T03:46:18.261458"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "35595", "protocol": "https", "request": {"Accept": "*/*", "Accept-Encoding": "gzip, deflate", "Connection": "keep-alive", "Content-Length": "27", "Content-Type": "application/x-www-form-urlencoded", "Host": "172.17.0.1:35595", "User-Agent": "python-requests/2.27.1", "method": "POST", "uri": "/"}, "src_ip": "172.17.0.1", "src_port": "35595", "timestamp": "2022-01-22T03:46:18.274140"}
{"action": "POST", "dst_ip": "172.17.0.1", "dst_port": "35595", "protocol": "https", "src_ip": "172.17.0.1", "src_port": "35595", "timestamp": "2022-01-22T03:46:18.274257"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "35595", "password": "test", "protocol": "https", "src_ip": "172.17.0.1", "src_port": "35595", "status": "success", "timestamp": "2022-01-22T03:46:18.274401", "username": "test"}
Done testing QHTTPSServer
Start testing QSMBServer
{"action": "process", "folders": "", "password": "test", "protocol": "smb", "src_ip": "172.17.0.1", "src_port": "56551", "status": "success", "timestamp": "2022-01-22T03:46:18.320754", "username": "test"}
{"action": "connection", "msg": "Incoming connection (192.168.0.15,39082)", "protocol": "smb", "timestamp": "2022-01-22T03:46:20.323695"}
{"action": "connection", "msg": "AUTHENTICATE_MESSAGE (\\test,)", "protocol": "smb", "timestamp": "2022-01-22T03:46:20.339748"}
{"action": "connection", "msg": "User \\test authenticated successfully", "protocol": "smb", "timestamp": "2022-01-22T03:46:20.339984"}
Done testing QSMBServer
Start testing QSMTPServer
{"action": "process", "password": "test", "protocol": "smtp", "src_ip": "172.17.0.1", "src_port": "50453", "status": "success", "timestamp": "2022-01-22T03:46:20.384605", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "50453", "protocol": "smtp", "src_ip": "192.168.0.15", "src_port": "35970", "timestamp": "2022-01-22T03:46:22.392849"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "50453", "password": "test", "protocol": "smtp", "src_ip": "192.168.0.15", "src_port": "35970", "status": "success", "timestamp": "2022-01-22T03:46:22.394828", "username": "test"}
Done testing QSMTPServer
Start testing QSSHServer
{"action": "process", "password": "test", "protocol": "ssh", "src_ip": "172.17.0.1", "src_port": "49757", "status": "success", "timestamp": "2022-01-22T03:46:22.439677", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "49757", "protocol": "ssh", "src_ip": "192.168.0.15", "src_port": "58442", "timestamp": "2022-01-22T03:46:24.443775"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "49757", "password": "test", "protocol": "ssh", "src_ip": "192.168.0.15", "src_port": "58442", "status": "success", "timestamp": "2022-01-22T03:46:24.454809", "username": "test"}
Authentication failed.
Done testing QSSHServer
Start testing QTelnetServer
{"action": "process", "password": "test", "protocol": "telnet", "src_ip": "172.17.0.1", "src_port": "39479", "status": "success", "timestamp": "2022-01-22T03:46:24.498269", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "39479", "protocol": "telnet", "src_ip": "192.168.0.15", "src_port": "60446", "timestamp": "2022-01-22T03:46:26.505243"}
Done testing QTelnetServer
Start testing QPOP3Server
{"action": "process", "password": "test", "protocol": "pop3", "src_ip": "172.17.0.1", "src_port": "41969", "status": "success", "timestamp": "2022-01-22T03:46:26.551721", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "41969", "protocol": "pop3", "src_ip": "192.168.0.15", "src_port": "55320", "timestamp": "2022-01-22T03:46:28.557634"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "41969", "password": "test", "protocol": "pop3", "src_ip": "192.168.0.15", "src_port": "55320", "status": "success", "timestamp": "2022-01-22T03:46:28.559334", "username": "test"}
Done testing QPOP3Server
Start testing QSOCKS5Server
{"action": "process", "password": "test", "protocol": "socks5", "src_ip": "172.17.0.1", "src_port": "37097", "status": "success", "timestamp": "2022-01-22T03:46:28.606605", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "37097", "protocol": "socks5", "src_ip": "192.168.0.15", "src_port": "54262", "timestamp": "2022-01-22T03:46:30.612379"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "37097", "password": "test", "protocol": "socks5", "src_ip": "192.168.0.15", "src_port": "54262", "status": "success", "timestamp": "2022-01-22T03:46:30.613297", "username": "test"}
Done testing QSOCKS5Server
Start testing QPostgresServer
{"action": "process", "password": "test", "protocol": "postgres", "src_ip": "172.17.0.1", "src_port": "43673", "status": "success", "timestamp": "2022-01-22T03:46:30.666260", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "43673", "protocol": "postgres", "src_ip": "192.168.0.15", "src_port": "47726", "timestamp": "2022-01-22T03:46:32.670760"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "43673", "password": "test", "protocol": "postgres", "src_ip": "192.168.0.15", "src_port": "47726", "status": "success", "timestamp": "2022-01-22T03:46:32.672212", "username": "test"}
Done testing QPostgresServer
Start testing QIMAPServer
{"action": "process", "password": "test", "protocol": "imap", "src_ip": "172.17.0.1", "src_port": "42407", "status": "success", "timestamp": "2022-01-22T03:46:32.717512", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "42407", "protocol": "imap", "src_ip": "192.168.0.15", "src_port": "53392", "timestamp": "2022-01-22T03:46:34.727452"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "42407", "password": "test", "protocol": "imap", "src_ip": "192.168.0.15", "src_port": "53392", "status": "success", "timestamp": "2022-01-22T03:46:34.729479", "username": "test"}
Done testing QIMAPServer
Start testing QRedisServer
{"action": "process", "password": "test", "protocol": "redis", "src_ip": "172.17.0.1", "src_port": "59159", "status": "success", "timestamp": "2022-01-22T03:46:34.792641", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "59159", "protocol": "redis", "src_ip": "192.168.0.15", "src_port": "37956", "timestamp": "2022-01-22T03:46:36.814495"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "59159", "password": "test", "protocol": "redis", "src_ip": "192.168.0.15", "src_port": "37956", "status": "success", "timestamp": "2022-01-22T03:46:36.815203", "username": "test"}
Done testing QRedisServer
Start testing QMysqlServer
{"action": "process", "password": "test", "protocol": "mysql", "src_ip": "172.17.0.1", "src_port": "48059", "status": "success", "timestamp": "2022-01-22T03:46:36.862184", "username": "test"}
{"action": "connection", "protocol": "mysql", "src_ip": "192.168.0.15", "src_port": "53012", "timestamp": "2022-01-22T03:46:38.889361"}
{"action": "login", "password": "test", "protocol": "mysql", "src_ip": "192.168.0.15", "src_port": "53012", "status": "success", "timestamp": "2022-01-22T03:46:38.891153", "username": "test"}
Done testing QMysqlServer
Start testing QMSSQLServer
{"action": "process", "password": "test", "protocol": "mssql", "src_ip": "172.17.0.1", "src_port": "45141", "status": "success", "timestamp": "2022-01-22T03:46:38.939657", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "45141", "protocol": "mssql", "src_ip": "192.168.0.15", "src_port": "57128", "timestamp": "2022-01-22T03:46:40.949323"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "45141", "password": "test", "protocol": "mssql", "src_ip": "192.168.0.15", "src_port": "57128", "status": "success", "timestamp": "2022-01-22T03:46:40.950085", "username": "test"}
Done testing QMSSQLServer
Start testing QElasticServer
{"action": "process", "password": "test", "protocol": "elastic", "src_ip": "172.17.0.1", "src_port": "51143", "status": "success", "timestamp": "2022-01-22T03:46:41.003913", "username": "elastic"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "51143", "protocol": "elastic", "src_ip": "192.168.0.15", "src_port": "33216", "timestamp": "2022-01-22T03:46:43.053909"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "51143", "password": "test", "protocol": "elastic", "src_ip": "192.168.0.15", "src_port": "33216", "status": "success", "timestamp": "2022-01-22T03:46:43.054433", "username": "elastic"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "51143", "protocol": "elastic", "src_ip": "192.168.0.15", "src_port": "33218", "timestamp": "2022-01-22T03:46:43.058029"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "51143", "password": "test", "protocol": "elastic", "src_ip": "192.168.0.15", "src_port": "33218", "status": "success", "timestamp": "2022-01-22T03:46:43.058657", "username": "elastic"}
Done testing QElasticServer
Start testing QVNCServer
{"action": "process", "password": "test", "protocol": "vnc", "src_ip": "172.17.0.1", "src_port": "57851", "status": "success", "timestamp": "2022-01-22T03:46:43.102100", "username": "test"}
Done testing QVNCServer
Start testing QLDAPServer
{"action": "process", "password": "test", "protocol": "ldap", "src_ip": "172.17.0.1", "src_port": "40765", "status": "success", "timestamp": "2022-01-22T03:46:45.152067", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "40765", "protocol": "ldap", "src_ip": "192.168.0.15", "src_port": "57373", "timestamp": "2022-01-22T03:46:47.210234"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "40765", "password": "test", "protocol": "ldap", "src_ip": "192.168.0.15", "src_port": "57373", "status": "success", "timestamp": "2022-01-22T03:46:47.211163", "username": "test"}
Done testing QLDAPServer
Start testing QNTPServer
{"action": "process", "protocol": "ntp", "src_ip": "172.17.0.1", "src_port": "36495", "status": "success", "timestamp": "2022-01-22T03:46:47.253987"}
{"action": "connection", "protocol": "ntp", "src_ip": "192.168.0.15", "src_port": "44448", "timestamp": "2022-01-22T03:46:49.257737"}
{"action": "query", "dst_ip": "172.17.0.1", "dst_port": "36495", "mode": "3", "protocol": "ntp", "src_ip": "192.168.0.15", "src_port": "44448", "status": "success", "timestamp": "2022-01-22T03:46:49.258455", "version": "3"}
Done testing QNTPServer
Start testing QMemcacheServer
{"action": "process", "protocol": "memcache", "src_ip": "172.17.0.1", "src_port": "35825", "status": "success", "timestamp": "2022-01-22T03:46:49.306115"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "35825", "protocol": "memcache", "src_ip": "192.168.0.15", "src_port": "46490", "timestamp": "2022-01-22T03:46:51.308398"}
{"action": "stats", "dst_ip": "172.17.0.1", "dst_port": "35825", "protocol": "memcache", "src_ip": "192.168.0.15", "src_port": "46490", "timestamp": "2022-01-22T03:46:51.309034"}
Done testing QMemcacheServer
Start testing QOracleServer
{"action": "process", "protocol": "oracle", "src_ip": "172.17.0.1", "src_port": "43345", "status": "success", "timestamp": "2022-01-22T03:46:51.353859"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "43345", "protocol": "oracle", "src_ip": "192.168.0.15", "src_port": "49554", "timestamp": "2022-01-22T03:46:53.357137"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "43345", "local_user": "xxxxxxxxxxxxxx", "program": "linux_1", "protocol": "oracle", "service_name": "xe", "src_ip": "192.168.0.15", "src_port": "49554", "timestamp": "2022-01-22T03:46:53.357850"}
Done testing QOracleServer
Start testing QSNMPServer
{"action": "process", "protocol": "snmp", "src_ip": "172.17.0.1", "src_port": "52579", "status": "success", "timestamp": "2022-01-22T03:46:53.416258"}
Done testing QSNMPServer

I pushed that as honeypots==0.40 - Let me know your thoughts (Is there anything I missed or anything you would like me to add?)
Awesome. I will be running detailed tests with the ELK stack.
Just started with the testing and I noticed the following:
Setting up the port manually on the command line works fine, but also noticing that the
Happy to continue testing, please let me know if the config needs adjustments or it needs to be loaded differently, but I could not see any changes.
Hey @t3chn0m4g3 :) Thanks for sharing that - and I just fixed all of them.
There are a few changes, but the issue was related to this line: when I replaced all the 'port' with 'src_port', this one got replaced too..

```python
if var == 'src_port':
    setattr(self, 'auto_disabled', True)
```

My bad, I fixed that

```python
import honeypots
from time import sleep
from pkg_resources import get_distribution

print("Version: ", get_distribution('honeypots').version)
for server, cls in honeypots.__dict__.items():
    if server.endswith('Server'):
        print("Start testing {}".format(server))
        temp_server = cls()
        temp_server.run_server(process=True, auto=True)
        sleep(2)
        temp_server.test_server()
        temp_server.kill_server()
        print("Done testing {}".format(server))
honeypots.clean_all()
exit()
```

output
I added an option for that, in each honeypot you can specify the log rotate options (file name, max bytes and backup count). The file name gets joined with the
Here is a new config file based on the one shared

sudo -E python3 -m honeypots --setup all --config config.json

{
"logs": "file,terminal,json,tpot",
"logs_location":"/var/log/honeypots/",
"syslog_address": "",
"syslog_facility": 0,
"postgres": "",
"db_options": [],
"filter": "",
"interface": "",
"honeypots": {
"dns": {
"port": 53,
"ip": "0.0.0.0",
"username": "administrator",
"password": "123456",
"log_file_name": "dns.log",
"max_bytes": 10000,
"backup_count": 10
},
"ftp": {
"port": 21,
"ip": "0.0.0.0",
"username": "ftp",
"password": "anonymous",
"log_file_name": "ftp.log",
"max_bytes": 10000,
"backup_count": 10
},
"httpproxy": {
"port": 8080,
"ip": "0.0.0.0",
"username": "admin",
"password": "admin",
"log_file_name": "httpproxy.log",
"max_bytes": 10000,
"backup_count": 10
},
"http": {
"port": 80,
"ip": "0.0.0.0",
"username": "admin",
"password": "admin",
"log_file_name": "http.log",
"max_bytes": 10000,
"backup_count": 10
},
"https": {
"port": 443,
"ip": "0.0.0.0",
"username": "admin",
"password": "admin",
"log_file_name": "https.log",
"max_bytes": 10000,
"backup_count": 10
},
"imap": {
"port": 143,
"ip": "0.0.0.0",
"username": "root",
"password": "123456",
"log_file_name": "imap.log",
"max_bytes": 10000,
"backup_count": 10
},
"mysql": {
"port": 3306,
"ip": "0.0.0.0",
"username": "root",
"password": "123456",
"log_file_name": "mysql.log",
"max_bytes": 10000,
"backup_count": 10
},
"pop3": {
"port": 110,
"ip": "0.0.0.0",
"username": "root",
"password": "123456",
"log_file_name": "pop3.log",
"max_bytes": 10000,
"backup_count": 10
},
"postgres": {
"port": 5432,
"ip": "0.0.0.0",
"username": "postgres",
"password": "123456",
"log_file_name": "postgres.log",
"max_bytes": 10000,
"backup_count": 10
},
"redis": {
"port": 6379,
"ip": "0.0.0.0",
"username": "root",
"password": "",
"log_file_name": "redis.log",
"max_bytes": 10000,
"backup_count": 10
},
"smb": {
"port": 445,
"ip": "0.0.0.0",
"username": "administrator",
"password": "123456",
"log_file_name": "smb.log",
"max_bytes": 10000,
"backup_count": 10
},
"smtp": {
"port": 25,
"ip": "0.0.0.0",
"username": "root",
"password": "123456",
"log_file_name": "smtp.log",
"max_bytes": 10000,
"backup_count": 10
},
"socks5": {
"port": 1080,
"ip": "0.0.0.0",
"username": "admin",
"password": "admin",
"log_file_name": "socks5.log",
"max_bytes": 10000,
"backup_count": 10
},
"ssh": {
"port": 22,
"ip": "0.0.0.0",
"username": "root",
"password": "123456",
"log_file_name": "ssh.log",
"max_bytes": 10000,
"backup_count": 10
},
"telnet": {
"port": 23,
"ip": "0.0.0.0",
"username": "root",
"password": "123456",
"log_file_name": "telnet.log",
"max_bytes": 10000,
"backup_count": 10
},
"vnc": {
"port": 5900,
"ip": "0.0.0.0",
"username": "administrator",
"password": "123456",
"log_file_name": "vnc.log",
"max_bytes": 10000,
"backup_count": 10
},
"elastic": {
"port": 9200,
"ip": "0.0.0.0",
"username": "elastic",
"password": "123456",
"log_file_name": "elastic.log",
"max_bytes": 10000,
"backup_count": 10
},
"mssql": {
"port": 1433,
"ip": "0.0.0.0",
"username": "sa",
"password": "",
"log_file_name": "mssql.log",
"max_bytes": 10000,
"backup_count": 10
},
"ldap": {
"port": 389,
"ip": "0.0.0.0",
"username": "administrator",
"password": "123456",
"log_file_name": "ldap.log",
"max_bytes": 10000,
"backup_count": 10
},
"ntp": {
"port": 123,
"ip": "0.0.0.0",
"username": "administrator",
"password": "123456",
"log_file_name": "ntp.log",
"max_bytes": 10000,
"backup_count": 10
},
"memcache": {
"port": 11211,
"ip": "0.0.0.0",
"username": "admin",
"password": "123456",
"log_file_name": "memcache.log",
"max_bytes": 10000,
"backup_count": 10
},
"oracle": {
"port": 1521,
"ip": "0.0.0.0",
"username": "bi",
"password": "123456",
"log_file_name": "oracle.log",
"max_bytes": 10000,
"backup_count": 10
},
"snmp": {
"port": 161,
"ip": "0.0.0.0",
"username": "privUser",
"password": "123456",
"log_file_name": "snmp.log",
"max_bytes": 10000,
"backup_count": 10
}
}
}

List all logs

$ ls -l /var/log/honeypots/
total 88
-rw-r--r-- 1 root root 197 Jan 24 11:29 elastic.log
-rw-r--r-- 1 root root 190 Jan 24 11:29 ftp.log
-rw-r--r-- 1 root root 189 Jan 24 11:29 http.log
-rw-r--r-- 1 root root 155 Jan 24 11:29 httpproxy.log
-rw-r--r-- 1 root root 191 Jan 24 11:29 https.log
-rw-r--r-- 1 root root 190 Jan 24 11:29 imap.log
-rw-r--r-- 1 root root 199 Jan 24 11:29 ldap.log
-rw-r--r-- 1 root root 154 Jan 24 11:29 memcache.log
-rw-r--r-- 1 root root 188 Jan 24 11:29 mssql.log
-rw-r--r-- 1 root root 192 Jan 24 11:29 mysql.log
-rw-r--r-- 1 root root 147 Jan 24 11:29 ntp.log
-rw-r--r-- 1 root root 151 Jan 24 11:29 oracle.log
-rw-r--r-- 1 root root 190 Jan 24 11:29 pop3.log
-rw-r--r-- 1 root root 199 Jan 24 11:29 postgres.log
-rw-r--r-- 1 root root 190 Jan 24 11:29 redis.log
-rw-r--r-- 1 root root 213 Jan 24 11:29 smb.log
-rw-r--r-- 1 root root 189 Jan 24 11:29 smtp.log
-rw-r--r-- 1 root root 148 Jan 24 11:29 snmp.log
-rw-r--r-- 1 root root 193 Jan 24 11:29 socks5.log
-rw-r--r-- 1 root root 1243 Jan 24 11:30 ssh.log
-rw-r--r-- 1 root root 191 Jan 24 11:29 telnet.log
-rw-r--r-- 1 root root 199 Jan 24 11:29 vnc.log

Check ssh logs

tail /var/log/honeypots/ssh.log
{'timestamp': '2022-01-24T19:29:12.334929', 'action': 'process', 'status': 'success', 'dest_ip': '0.0.0.0', 'dest_port': '22', 'username': 'root', 'password': '123456', 'protocol': 'ssh'}
{'timestamp': '2022-01-24T19:29:55.371746', 'action': 'connection', 'dest_ip': '127.0.0.1', 'dest_port': '50970', 'src_ip': '0.0.0.0', 'src_port': '22', 'protocol': 'ssh'}
{'timestamp': '2022-01-24T19:30:03.875390', 'action': 'connection', 'dest_ip': '127.0.0.1', 'dest_port': '50972', 'src_ip': '0.0.0.0', 'src_port': '22', 'protocol': 'ssh'}
{'timestamp': '2022-01-24T19:30:08.544179', 'action': 'login', 'status': 'failed', 'dest_ip': '127.0.0.1', 'dest_port': '50972', 'src_ip': '0.0.0.0', 'src_port': '22', 'username': 'test', 'password': 'test', 'protocol': 'ssh'}
{'timestamp': '2022-01-24T19:30:09.520196', 'action': 'login', 'status': 'failed', 'dest_ip': '127.0.0.1', 'dest_port': '50972', 'src_ip': '0.0.0.0', 'src_port': '22', 'username': 'test', 'password': 'test', 'protocol': 'ssh'}
{'timestamp': '2022-01-24T19:30:10.288140', 'action': 'login', 'status': 'failed', 'dest_ip': '127.0.0.1', 'dest_port': '50972', 'src_ip': '0.0.0.0', 'src_port': '22', 'username': 'test', 'password': 'test', 'protocol': 'ssh'}

I pushed the 0.41, let me know if it works!
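The per-honeypot log_file_name / max_bytes / backup_count keys above map directly onto Python's RotatingFileHandler. The following is an added example, not code from the honeypots project: it writes one JSON object per line (double-quoted, so a JSON-lines ingester such as Filebeat can read it without a Python-repr parser), rotates at max_bytes, and keeps backup_count old files. The config dict, the event records and the helper names (build_logger, write_events, rotation_demo) are constructed for the example and modelled on the ssh entries shown in this thread.

```python
import json
import logging
import os
import tempfile
from datetime import datetime
from logging.handlers import RotatingFileHandler

# Constructed per-honeypot config; same keys as the ssh entry in the config.json above
SSH_CONFIG = {
    "port": 22,
    "ip": "0.0.0.0",
    "log_file_name": "ssh.log",
    "max_bytes": 10000,
    "backup_count": 10,
}


class JsonLineFormatter(logging.Formatter):
    """Emit the dict passed as the log message as one JSON object per line."""

    def format(self, record):
        if isinstance(record.msg, dict):
            event = dict(record.msg)
        else:
            event = {"msg": record.getMessage()}
        # ISO-8601 with microseconds, the timestamp style used in this thread
        event.setdefault("timestamp", datetime.fromtimestamp(record.created).isoformat())
        return json.dumps(event, sort_keys=True)


def build_logger(name, logs_location, cfg):
    """Logger writing to logs_location/log_file_name, rotated at max_bytes and
    keeping backup_count old files (hypothetical helper, not the project's)."""
    os.makedirs(logs_location, exist_ok=True)
    path = os.path.join(logs_location, cfg["log_file_name"])
    handler = RotatingFileHandler(
        path, maxBytes=cfg["max_bytes"], backupCount=cfg["backup_count"]
    )
    handler.setFormatter(JsonLineFormatter())
    logger = logging.getLogger(name)
    logger.handlers.clear()  # start from a clean handler list on every call
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    return logger, path


def write_events(logs_location, cfg, events):
    """Write each event dict as a JSON line and return the log file path."""
    logger, path = build_logger("jsonlog." + cfg["log_file_name"], logs_location, cfg)
    for event in events:
        logger.info(event)
    for handler in logger.handlers:
        handler.close()
    return path


def read_events(path):
    """Parse the log file back with json.loads (it would reject Python-repr lines)."""
    with open(path) as fh:
        return [json.loads(line) for line in fh if line.strip()]


def demo(logs_location=None):
    """Write two constructed ssh events (modelled on the tail output above) and read them back."""
    logs_location = logs_location or tempfile.mkdtemp(prefix="honeypots_")
    events = [
        {"action": "process", "status": "success", "dest_ip": "0.0.0.0",
         "dest_port": "22", "username": "root", "password": "123456", "protocol": "ssh"},
        {"action": "login", "status": "failed", "src_ip": "127.0.0.1", "src_port": "50972",
         "dest_ip": "0.0.0.0", "dest_port": "22", "username": "test", "password": "test",
         "protocol": "ssh"},
    ]
    return read_events(write_events(logs_location, SSH_CONFIG, events))


def rotation_demo(logs_location=None):
    """Force rotation with a tiny max_bytes and return the files left behind:
    the current log plus at most backup_count rotated copies."""
    logs_location = logs_location or tempfile.mkdtemp(prefix="honeypots_rot_")
    cfg = dict(SSH_CONFIG, max_bytes=300, backup_count=3)
    events = [
        {"action": "login", "status": "failed", "src_ip": "127.0.0.1",
         "src_port": str(50000 + i), "dest_ip": "0.0.0.0", "dest_port": "22",
         "protocol": "ssh"}
        for i in range(50)
    ]
    write_events(logs_location, cfg, events)
    return sorted(os.listdir(logs_location))


if __name__ == "__main__":
    for line in demo():
        print(json.dumps(line))
    print(rotation_demo())
```

rotation_demo shrinks max_bytes to 300 so that every record triggers a rollover; with backup_count 3 the directory ends up holding ssh.log plus ssh.log.1 to ssh.log.3, the oldest copies being discarded, which is the behaviour a 10000-byte / 10-file setting gives at production scale.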
Thank you! Ports open and logs are written as expected! Just started testing and noticed that src / dest are reversed, but not always or for all honeypots (process reports correctly, connection gets logged reversed):
Example that logging generally works with the issue src / dest being reversed:
Another reversed example:
Another thing I noticed, especially for SMTP, it would add so much more value, if all generated data, i.e. SMTP input commands and data would be logged and ideally with session awareness. There is so much more data right at the fingertips that could be used 😅
Great! Glad they are working!
Yes, this is the initialization info msg, the telnet honeypot is getting initialized
And, this one means there is a current connection
But, I added True! I can look at the old honeypots code and add the capabilities of SMTP and other honeypots (I was only focusing on logging the username and password). I have added this note to my I just pushed 0.42 which should show
Thank you! Looking at a current brute force attempt coming from
According to the logs the attacker's source IP is currently logged as I was unclear what I meant with "reverse", sorry.
Hey @t3chn0m4g3 :) No worries at all, my bad, I fixed that in 0.46 and added more features:
here is an example for tpot with

{
"logs":"file,terminal,json,tpot",
"logs_location":"/var/log/honeypots/",
"syslog_address":"",
"syslog_facility":0,
"postgres":"",
"db_options":[],
"filter":"",
"interface":"",
"honeypots":{
"ftp":{
"port":21,
"ip":"0.0.0.0",
"username":"ftp",
"password":"anonymous",
"log_file_name":"ftp.log",
"max_bytes":10000,
"backup_count":10
}
},
"custom_filter":{
"honeypots":{
"change":{
"server":"protocol"
},
"contains":[
"protocol",
"action",
"src_ip",
"src_port",
"dest_ip",
"dest_port"
],
"remove":[],
"options":[
"remove_errors",
"remove_init",
"remove_word_server"
]
}
}
}
Here is a test with the tpot.txt config file

$ sudo -E python3 -m honeypots --setup all --config '/home/test/Desktop/tpot.txt'
[x] Use [Enter] to exit or python3 -m honeypots --kill
[x] config.json file overrides --ip, --port, --username and --password
[x] Everything looks good!
$ tail /var/log/honeypots/ftp.log
{'timestamp': '2022-01-27T00:31:21.465789', 'action': 'login', 'status': 'failed', 'src_ip': '127.0.0.1', 'src_port': '44522', 'dest_ip': '0.0.0.0', 'dest_port': '21', 'username': 'w', 'password': 'w', 'protocol': 'ftp'}

Here is the new config file for tpot.txt [updated 27/1/2022] Let me know if that helps!
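The custom_filter block above (change / contains / remove / options) describes what an ingestion pipeline has to do before the records reach ELK. The following is an added example, not the honeypots project's own filter code: it parses log lines in both shapes seen in this thread (double-quoted JSON and the single-quoted Python-repr lines from the tail output), then applies a filter of the same shape. How each key is interpreted is an assumption made for the example: change renames keys, contains keeps only the listed keys, remove drops keys, remove_init drops the start-up "process" record, remove_errors drops records with status "error", and remove_word_server strips a trailing "Server" from values. The sample lines are constructed, modelled on the output shown in this thread.

```python
import ast
import json

# Constructed filter, mirroring the custom_filter block in the tpot.txt example above
CUSTOM_FILTER = {
    "change": {"server": "protocol"},
    "contains": ["protocol", "action", "src_ip", "src_port", "dest_ip", "dest_port"],
    "remove": [],
    "options": ["remove_errors", "remove_init", "remove_word_server"],
}

# Constructed sample lines, modelled on this thread's output: a JSON start-up record,
# a Python-repr login record, a record still carrying a 'server' key, and a plain
# status line that an ingester must skip rather than choke on.
SAMPLE_LINES = [
    '{"action": "process", "protocol": "ftp", "src_ip": "172.17.0.1", "src_port": "37849", '
    '"status": "success", "timestamp": "2022-01-22T03:46:09.307283"}',
    "{'timestamp': '2022-01-27T00:31:21.465789', 'action': 'login', 'status': 'failed', "
    "'src_ip': '127.0.0.1', 'src_port': '44522', 'dest_ip': '0.0.0.0', 'dest_port': '21', "
    "'username': 'w', 'password': 'w', 'protocol': 'ftp'}",
    '{"server": "QFTPServer", "action": "connection", "src_ip": "192.168.0.15", '
    '"src_port": "37562", "dest_ip": "172.17.0.1", "dest_port": "21"}',
    "Authentication failed.",
]


def parse_line(line):
    """Return a dict for a JSON object or a Python dict repr, else None."""
    line = line.strip()
    if not line:
        return None
    try:
        value = json.loads(line)
    except json.JSONDecodeError:
        try:
            value = ast.literal_eval(line)  # single-quoted Python dict repr
        except (ValueError, SyntaxError):
            return None
    return value if isinstance(value, dict) else None


def apply_filter(event, flt):
    """Assumed reading of the custom_filter keys (not the project's implementation).
    Returns the trimmed record, or None when the record is dropped entirely."""
    options = flt.get("options", [])
    if "remove_init" in options and event.get("action") == "process":
        return None
    if "remove_errors" in options and event.get("status") == "error":
        return None
    rename = flt.get("change", {})
    keep = flt.get("contains") or None
    drop = set(flt.get("remove", []))
    out = {}
    for key, value in event.items():
        key = rename.get(key, key)
        if key in drop or (keep is not None and key not in keep):
            continue
        if "remove_word_server" in options and isinstance(value, str) and value.endswith("Server"):
            value = value[: -len("Server")]
        out[key] = value
    return out


def filter_lines(lines, flt):
    """Parse every line, apply the filter, and return the records that survive."""
    results = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        filtered = apply_filter(event, flt)
        if filtered:
            results.append(filtered)
    return results


if __name__ == "__main__":
    for record in filter_lines(SAMPLE_LINES, CUSTOM_FILTER):
        print(json.dumps(record, sort_keys=True))
```

Note that the contains list deliberately leaves username and password out of the forwarded record, so the captured credentials stay in the local file and do not travel to the shared dashboard; the login record still identifies the attacking source and the honeypot it hit.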
This is perfect! Thank you, works as expected!
@t3chn0m4g3 Awesome, that's absolutely perfect, and I love the dashboard!!! (Haha, no one saw the IPs.. except me) If you encounter any issues in this project or other projects, please let me know (I will start adding the stripped capabilities from SMTP and other honeypots in the next month or so). P.S. I pinned this issue because I feel that some of the honeypots users will contact me in the next few days asking about the new msg format.
What can I say... I guess it was a little bit too late (or early in the morning) 😄
Sound awesome. Thank you :)
I added that a few months ago but totally forgot to mention it to you! You can add ...

```json
"http":{
    "port":80,
    "ip":"0.0.0.0",
    "username":"admin",
    "password":"admin",
    "log_file_name":"http.log",
    "max_bytes":10000,
    "backup_count":10,
    "options":["fix_get_client_ip","capture_commands"]
}
```

... Or you can add :)
Awesome! Will check it out ASAP!
Everything is functioning excellently. However, I’m seeking one additional feature: the ability to add fields, complementing the existing option to remove them. Specifically, I’d like to introduce a field named ‘tenant’ and populate it with the customer’s name.
Any chance you could support native JSON file logging? This would make ingesting into the ELK stack a lot more straight forward.
Currently there already is a JSON message part of the logs ...
... but having this type of format would be very helpful
In my fork I adjusted all honeypots accordingly as a PoC if you are looking for samples.