foospidy / honeypy
A low to medium interaction honeypot.
License: GNU General Public License v2.0
Make field names configurable. For example when sending events to ELK.
Debain => Debian
I attempted to install by downloading version 0.5.2 and running it. I also tried using the HoneyPyPi script, and in both cases I am getting the same issues when running the following after the initial setup:
./ipt_set_tcp 7 10007
./ipt_set_udp 7 10007
./ipt_set_tcp 8 10008
./ipt_set_udp 8 10008
Traceback (most recent call last):
File "Honey.py", line 113, in <module>
plugin = importlib.import_module(plugin_module)
File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
__import__(name)
File "/opt/HoneyPy-0.5.2/plugins/TelnetUnix/__init__.py", line 5, in <module>
from TelnetUnix import pluginFactory
File "/opt/HoneyPy-0.5.2/plugins/TelnetUnix/TelnetUnix.py", line 11, in <module>
from clilib import *
ImportError: No module named clilib
Hello
p.s. Can't find your email, so I created an issue here.
I aggressively queried the address and an IP close to mine appeared on the Twitter bot.
Checking the honeydb page, I can't go to the Firyx report page: does the Firyx tab link work?
I've an issue starting the TelnetUnix plugin.
My etc/services.cfg
[Telnet]
plugin = TelnetDebian7
low_port = tcp:23
port = tcp:10009
description = Emulate Debian telnet login vai tcp.
enabled = No
[TelnetUnix]
plugin = TelnetUnix
low_port = tcp:23
port = tcp:10009
description = Emulate Unix telnet login vai tcp.
enabled = Yes
python Honey.py
Your service configuration suggests that you want to run on at least one low port!
To enable port redirection run the following ipt-kit (https://github.com/foospidy/ipt-kit) commands as root:
./ipt_set_tcp 7 10007
./ipt_set_udp 7 10007
./ipt_set_tcp 8 10008
./ipt_set_udp 8 10008
Traceback (most recent call last):
File "Honey.py", line 78, in <module>
plugin = importlib.import_module(plugin_module)
File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
__import__(name)
File "/root/HoneyPy/plugins/TelnetUnix/__init__.py", line 5, in <module>
from TelnetUnix import pluginFactory
File "/root/HoneyPy/plugins/TelnetUnix/TelnetUnix.py", line 11, in <module>
from clilib import *
File "/usr/local/lib/python2.7/dist-packages/clilib-0.0.0-py2.7.egg/clilib/__init__.py", line 14, in <module>
from clilib import *
File "/usr/local/lib/python2.7/dist-packages/clilib-0.0.0-py2.7.egg/clilib/clilib.py", line 10, in <module>
from unix import *
ImportError: No module named unix
Looks like riskdiscovery is having issues with submissions. I have disabled it in my config for the time being, since it appears to cause the honeypot to lock up.
honeypy_logtail currently requires editing to incorporate new loggers.
An alternate approach would be to iterate through each section in honeypy.cfg, and pass the line and the relevant section options to a function residing in loggers.
This would keep all the loggers code in the loggers folder.
I'd be happy to work on this if it is a useful change.
Simply process a test logline, to check loggers are working.
The date_time field is in the wrong format for kibana to automatically format as a date. It will consequently only use the date field for datetime and all docs end up being displayed as occurring at the same time.
I managed to work around this by modifying the lib/honeypy_elasticsearch.py file. I added "from datetime import datetime" and added this line within the post_elasticsearch function:
date_time = datetime.strptime(date_time,"%Y-%m-%d %H:%M:%S").isoformat()
The timeout is currently hardcoded in each logger; move the timeout to the main config.
Need to improve exception handling or log messages that get parsed by honeypy_log_triage.py.
Example log message that ends up in tweets (a whitespace split scatters the details dict into tokens):
```python
>>> import pprint
>>> line=" details: {u'errors': [{u'message': u'User is over daily status update limit.', u'code': 185}]}"
>>> parts=line.split()
>>> pprint.pprint(parts)
['details:',
 "{u'errors':",
 "[{u'message':",
 "u'User",
 'is',
 'over',
 'daily',
 'status',
 'update',
 "limit.',",
 "u'code':",
 '185}]}']
```
Temporary "hacky" fix in this commit https://github.com/foospidy/HoneyPy/commit/e68d84e243d4cac7e837e711730f866eef6aecb9
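One way to parse such a message without tokenizing the details payload, as an added example that is not HoneyPy's own triage code: split once at "details:", parse the remainder as a Python literal, and fall back to the raw text when it is not one. The sample line is the one from the issue; the helper names are assumptions.

```python
import ast
import pprint

# Constructed sample: the line from the issue above, as honeypy_log_triage.py would see it.
SAMPLE = " details: {u'errors': [{u'message': u'User is over daily status update limit.', u'code': 185}]}"


def split_details(line):
    """Split a log message into its whitespace-delimited head and the 'details:' payload.

    The payload is parsed as a Python literal (u'' strings are accepted on Python 3)
    instead of being scattered into tokens by str.split(). Assumed helper, not HoneyPy code.
    Returns (head_tokens, details) where details is a parsed object, the raw payload text
    when it is not a valid literal (e.g. a truncated repr), or None when there is no payload.
    """
    head, sep, payload = line.partition("details:")
    parts = head.split()
    if not sep:
        return parts, None
    payload = payload.strip()
    try:
        return parts, ast.literal_eval(payload)
    except (ValueError, SyntaxError):
        # Keep the raw text so the caller can drop it rather than tweet fragments of it.
        return parts, payload


def error_codes(line):
    """Return the API error codes embedded in a 'details:' payload, if any."""
    _, details = split_details(line)
    if not isinstance(details, dict):
        return []
    return [e.get("code") for e in details.get("errors", []) if isinstance(e, dict)]


if __name__ == "__main__":
    pprint.pprint(split_details(SAMPLE))
    print(error_codes(SAMPLE))  # [185]
```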
Adding an option for sending HoneyPy logs to a Splunk instance would be fantastic :)
Splunk handles json well by default so I imagine a modification of the file logger would do the trick.
Here's an example of sending json to Splunk using their HTTP Event Collector (basically an endpoint that accepts input data): https://www.garysieling.com/blog/send-json-data-splunk-cloud-python. The only additional data that would need to be added is the Splunk host, index, source, and sourcetype, which could be specified in the config file.
I was editing a plugin file, for example:
https://github.com/foospidy/HoneyPy/blob/master/plugins/TelnetDebian7/TelnetDebian7.py
I wanted some log to be created at the connection close event but didn't find any sample function that does this. May I know if there is an event generated for the connection close event? Or can something be added to get this event generated?
Just wondering how much interest there would be in being able to activate multiple service profiles.
This would enable combining base services with functional services, such as WindowsServer+MSSQL or Linux+Apache+MYSQL.
The approaches I have thought about are :
1 - stop using services.cfg and list the active service profiles in honey.cfg
Honey.py can iterate through the described services
this would allow service profiles to be commented in/out pretty easily
[Services]
services.windows.profile
services.mssql.profile
//service.foo.profile
2 - stop using service.cfg and instead use a folder etc/active
Honey.py can read any file in etc/active, this would allow for symlinks from etc/profile
I would like to improve the developer documentation and got something like this in mind:
Plugins
section already) What do you think? Is there something else to include?
Furthermore: is there any information on how to build loggers already? If yes, where can I find it?
Regards and thanks for accepting my last pull-request,
Noah
What do you think about introducing a quickstart section in the project's README.md? Something like:
git clone [...]
cd [...]
pipenv install && pipenv run ./Honey.py
.. with some additional words of explanation?
https://www.csirtg.io is a service where users can create Feeds and submit their honeypot IOCs or otherwise curated IOC data, other users can subscribe to feeds, query them, etc.
Having an output to optionally submit HoneyPy activity to a user's specific CSIRTG.io feed would be awesome.
Sort of a similar idea to the Twitter Collections ticket, except csirtg is meant for creating shareable threat feeds :)
Some more info here on them:
pip install reqeusts
should be
pip install requests
Probably not an issue.
Reorganizing logger directory
I would like to start the discussion around reorganizing the /lib/ directory to be more like the plugins directory.
I suggest using the same directory structure as /plugins/, eg:
Pros:
Cons:
I can make this into a pull request if this is of interest. Please comment and give feedback on this.
Since Twisted version 17.1.0 released in February 2017, twisted.protocols.telnet got removed in favor of twisted.conch.telnet.
So now, upon trying to launch HoneyPy with a bigger version of Twisted, we are welcomed with:
Traceback (most recent call last):
File "Honey.py", line 121, in <module>
plugin = importlib.import_module(plugin_module)
File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
__import__(name)
File "/usr/share/honeypy-git/plugins/TelnetUnix/__init__.py", line 5, in <module>
from TelnetUnix import pluginFactory
File "/usr/share/honeypy-git/plugins/TelnetUnix/TelnetUnix.py", line 10, in <module>
from twisted.protocols.telnet import *
ImportError: No module named telnet
Have you thought of adding an addon for submitting to dshield along with honeydb?
list currently shows the configured active services; it would be useful to also show the enabled loggers.
We're using a different date/timestamp format to the default provided by HoneyPy, which has meant some rejigging of the logger code local to us. It's horrible and I'll never submit it back.
It would be good if we could find a way to support multiple types of date/timestamp format.
The default: %Y-%m-%d %H:%M:%S,%L,%z && "%Y-%m-%d %H:%M:%S,%f,"
ours: %Y-%m-%dT%H:%M:%S,%L,%z && "%Y-%m-%dT%H:%M:%S,%f,"
The problem comes when we call honeypy_logtail.py and it uses the split function on the logline. In my example above we have replaced the space with a 'T' character, so the logger's element ordering is knocked off.
My thinking is rather than fix for just this use case we should fix in a format agnostic way.
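A format-agnostic way to handle both layouts, as an added example that is not honeypy_logtail.py's or HoneyPy's own code: recognise the leading timestamp with either separator before splitting the rest of the line, and emit it in the ISO form the Kibana date_time issue above converts to. The log lines and the fields after the timestamp are constructed assumptions, and "%f" is used for the fractional part where the page writes "%L".

```python
import re
from datetime import datetime

# Constructed log lines: the same event with HoneyPy's default space-separated timestamp
# prefix and with the 'T'-separated variant; the fields after the timestamp are assumed.
DEFAULT_LINE = "2017-02-05 14:03:22,123456,+0000 TelnetUnix 10.0.0.5 23 CONNECT"
ISO_LINE = "2017-02-05T14:03:22,123456,+0000 TelnetUnix 10.0.0.5 23 CONNECT"

# Accept either separator, an optional ",fraction" and an optional ",+HHMM" offset.
_TS = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})[ T](?P<time>\d{2}:\d{2}:\d{2})"
    r"(?:,(?P<frac>\d{1,6}))?(?:,(?P<tz>[+-]\d{4}))?"
)


def parse_timestamp(line):
    """Return (datetime, remainder) for a line that starts with a timestamp in either
    layout, or (None, line) if it does not. Assumed helper, not HoneyPy's code."""
    m = _TS.match(line)
    if not m:
        return None, line
    dt = datetime.strptime(m.group("date") + " " + m.group("time"), "%Y-%m-%d %H:%M:%S")
    if m.group("frac"):
        # ",123" (milliseconds) and ",123456" (microseconds) both become microseconds.
        dt = dt.replace(microsecond=int(m.group("frac").ljust(6, "0")))
    if m.group("tz"):
        dt = dt.replace(tzinfo=datetime.strptime(m.group("tz"), "%z").tzinfo)
    return dt, line[m.end():]


def to_kibana_date(line):
    """ISO-8601 form of the leading timestamp, the shape Kibana detects as a date."""
    dt, _ = parse_timestamp(line)
    return dt.isoformat() if dt else None


def fields(line):
    """Timestamp-first field list: the remaining fields keep the same positions
    whichever separator the timestamp used, unlike a plain line.split()."""
    dt, rest = parse_timestamp(line)
    if dt is None:
        return line.split()
    return [dt.isoformat()] + rest.split()
```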
I'm using the "TelnetDebian7" plugin with the latest version of HoneyPy on Ubuntu 14.04.2 LTS (twistd 13.2.0). I have two issues:
admin$ exit
admin$ Connection closed by foreign host.
I've tried using HoneyPy on my RaspberryPi, with the following command:
python3 Honey.py (you can see the screenshot I took: http://imgur.com/O19QdEY)
I don't know what the problem is. I'm not used to Python, but I checked the code and found nothing.
Provide a new option, in the main honeypy config section, to specify a list of ip addresses.
If a service is probed by one of these white-listed IPs, logging is suppressed.
This will help organisations which use vulnerability scanners such as Nessus, or Security Center from generating false positives every scan.
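One way such an option could be evaluated, as an added example rather than HoneyPy's own code: parse the list once (single addresses and CIDR ranges, so a whole scanner subnet can be listed), and drop only the log events whose peer address is on it. The option string, the event dict shape and the helper names are assumptions.

```python
import ipaddress

# Constructed value for the proposed honeypy.cfg option: scanner hosts as single
# addresses or CIDR ranges, comma separated.
WHITELIST_SETTING = "10.10.5.20, 192.168.100.0/24"


def parse_whitelist(setting):
    """Turn the option into ip_network objects (a /32 or /128 for single addresses).
    Malformed entries are skipped, never widened into a match-all. Assumed helper."""
    nets = []
    for item in setting.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            continue
    return nets


def is_whitelisted(remote_ip, nets):
    """True when the peer address falls inside any listed address or range."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # unparsable peer address: never suppress
    return any(addr in n for n in nets)


def filter_events(events, nets):
    """Keep only events whose 'remote_host' is not on the list; the service itself
    still answers the probe, only its log record is dropped."""
    return [e for e in events if not is_whitelisted(e.get("remote_host", ""), nets)]


# Constructed events in the assumed dict shape: one scanner hit, one real probe.
EVENTS = [
    {"remote_host": "192.168.100.37", "service": "TelnetUnix", "event": "CONNECT"},
    {"remote_host": "203.0.113.9", "service": "TelnetUnix", "event": "CONNECT"},
]
```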
I really like the Tweet option so we can share with our community what our honeypot sees, though I also don't want it to flood my timeline and over take normal communications.
Twitter offers "Collections", which are curated groups of related Tweets, all gathered under one URL. Twitter provides this as an example of a Collection
TL;DR:
Thoughts @foospidy? :)
Relevant API calls:
Today my log filled-up with:
[plugins.HashCountRandom.HashCountRandom.pluginFactory] Could not accept new connection (EMFILE)
Some suggest raising the ulimit or sysctl limits, or else queueing requests until resources become available. Any suggestions for the best fix?
On January 1st 2020 Python 2.7 will reach EOL and pip will also drop Py2.7 support. Are you planning on upgrading to Python 3.x?