Native JSON logging [Fixed, and changed output format]
t3chn0m4g3 opened this issue · 17 comments
Any chance you could support native JSON file logging? This would make ingesting into the ELK stack a lot more straightforward.
Currently there already is a JSON message as part of the logs ...
```
[2022-01-21 11:24:16,395] [honeypotslogger_QSSHServer_57d43b72] [INFO] - ['servers', {'status': 'failed', 'ip': '1.2.3.4', 'port': 54161, 'username': 'adm', 'password': 'test'}]
[2022-01-21 11:24:17,055] [honeypotslogger_QSSHServer_57d43b72] [INFO] - ['servers', {'ip': '1.2.3.4', 'port': 44822}]
[2022-01-21 11:24:17,762] [honeypotslogger_QSSHServer_57d43b72] [INFO] - ['servers', {'status': 'failed', 'ip': '1.2.3.4', 'port': 44822, 'username': 'bob', 'password': 'bob'}]
```
... but having this type of format would be very helpful
```json
{"timestamp": "2022-01-21T11:19:41.948469Z", "protocol": "ssh_server", "action": "connection", "src_ip": "1.2.3.4", "src_port": 30786, "dest_port": 22}
{"timestamp": "2022-01-21T11:19:43.350640Z", "protocol": "ssh_server", "action": "login", "status": "failed", "src_ip": "1.2.3.4", "src_port": 30786, "dest_port": 22, "username": "demo", "password": "password"}
{"timestamp": "2022-01-21T11:19:44.047591Z", "protocol": "ssh_server", "action": "connection", "src_ip": "1.2.3.4", "src_port": 2853, "dest_port": 22}
{"timestamp": "2022-01-21T11:19:46.211620Z", "protocol": "ssh_server", "action": "login", "status": "failed", "src_ip": "1.2.3.4", "src_port": 2853, "dest_port": 22, "username": "root", "password": "administrator"}
```
In my fork I adjusted all honeypots accordingly as a PoC if you are looking for samples.
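As an added example (not part of this issue, the fork mentioned above, or the honeypots project), here is how the line format requested above can be produced straight from Python's `logging` module with a custom `Formatter`: the honeypot keeps logging its event dict as the message, and the formatter turns it into one JSON object per line. The field set, the `ip` to `src_ip` / `port` to `src_port` rename and the rule that infers `action` from the presence of credentials are assumptions made for the demo.

```python
import io
import json
import logging
from datetime import datetime, timezone

# Keys the honeypot logs today, renamed to the requested schema (assumption).
RENAMES = {"ip": "src_ip", "port": "src_port"}


def to_event_dict(protocol, dest_port, event, created):
    """Build the flat document for one event.

    event:   the dict the honeypot logs today, e.g.
             {'status': 'failed', 'ip': '1.2.3.4', 'port': 54161, 'username': 'adm', 'password': 'test'}
    created: POSIX timestamp of the log record (record.created)
    """
    doc = {
        # UTC, microsecond precision, trailing Z: the form used in the sample lines
        "timestamp": datetime.fromtimestamp(created, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
        "protocol": protocol,
        # today's records carry no explicit action: treat credentials as a login
        # attempt and anything else as a bare connection (assumption)
        "action": event.get("action") or ("login" if "username" in event else "connection"),
    }
    for key, value in event.items():
        if key != "action":
            doc[RENAMES.get(key, key)] = value
    doc["dest_port"] = dest_port
    return doc


class JsonLineFormatter(logging.Formatter):
    """One JSON object per line; the honeypot passes its event dict as the message."""

    def __init__(self, protocol, dest_port):
        super().__init__()
        self.protocol = protocol
        self.dest_port = dest_port

    def format(self, record):
        event = record.msg if isinstance(record.msg, dict) else {"msg": str(record.msg)}
        # ensure_ascii keeps raw protocol bytes escaped in the line; default=str
        # stops a bytes payload from raising TypeError and losing the event
        return json.dumps(to_event_dict(self.protocol, self.dest_port, event, record.created),
                          ensure_ascii=True, default=str)


def format_event_line(protocol, dest_port, event, created):
    """Format one event without going through a logger (useful for tests)."""
    record = logging.LogRecord("honeypots", logging.INFO, "", 0, event, None, None)
    record.created = created
    return JsonLineFormatter(protocol, dest_port).format(record)


def make_logger(name, protocol, dest_port, stream):
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonLineFormatter(protocol, dest_port))
    logger.addHandler(handler)
    return logger


if __name__ == "__main__":
    out = io.StringIO()
    log = make_logger("honeypotslogger_QSSHServer_demo", "ssh_server", 22, out)
    # constructed sample events in the shape the honeypot logs today
    log.info({"ip": "1.2.3.4", "port": 30786})
    log.info({"status": "failed", "ip": "1.2.3.4", "port": 30786, "username": "demo", "password": "password"})
    print(out.getvalue(), end="")
```

The same formatter can be attached to a `FileHandler` or `SysLogHandler` instead of the stream handler, which is what makes "terminal, file and syslog all native JSON" a one-line change per output.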
Hey @t3chn0m4g3!
Yes, I can support native JSON file logging.
I'm working on it.. :)
Awesome, looking forward to it :)
Okay!
- Added the ISO timestamp to output
- Added dst_ip, and dst_port to all honeypots
- Added one wrapper that changes `server` to `protocol`
- All the output is native JSON (terminal, file, and syslog)
```sh
pip3 install honeypots==0.40
pip3 install honeypots[test]==0.40
```
```python
import honeypots
from time import sleep

for server, cls in honeypots.__dict__.items():
    if server.endswith('Server'):
        print("Start testing {}".format(server))
        temp_server = cls(ip='172.17.0.1')
        temp_server.run_server(process=True, auto=True)
        sleep(2)
        temp_server.test_server()
        temp_server.kill_server()
        print("Done testing {}".format(server))
honeypots.clean_all()
```
Start testing QDNSServer
{"action": "process", "protocol": "dns", "src_ip": "172.17.0.1", "src_port": "48219", "status": "success", "timestamp": "2022-01-22T03:46:07.236534"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "48219", "protocol": "dns", "src_ip": "192.168.0.15", "src_port": "40405", "timestamp": "2022-01-22T03:46:09.257576"}
{"action": "query", "dst_ip": "172.17.0.1", "dst_port": "48219", "payload": "<A address=93.184.216.34 ttl=9760>", "protocol": "dns", "src_ip": "192.168.0.15", "src_port": "40405", "timestamp": "2022-01-22T03:46:09.258078"}
Done testing QDNSServer
Start testing QFTPServer
{"action": "process", "password": "test", "protocol": "ftp", "src_ip": "172.17.0.1", "src_port": "37849", "status": "success", "timestamp": "2022-01-22T03:46:09.307283", "username": "test"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "37849", "password": "test", "protocol": "ftp", "src_ip": "192.168.0.15", "src_port": "37562", "status": "success", "timestamp": "2022-01-22T03:46:11.315935", "username": "test"}
Done testing QFTPServer
Start testing QHTTPProxyServer
{"action": "process", "protocol": "http_proxy", "src_ip": "172.17.0.1", "src_port": "44331", "status": "success", "timestamp": "2022-01-22T03:46:11.364338"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "44331", "protocol": "http_proxy", "src_ip": "192.168.0.15", "src_port": "37910", "timestamp": "2022-01-22T03:46:13.372712"}
{"action": "query", "dst_ip": "172.17.0.1", "dst_port": "44331", "payload": "yahoo.com", "protocol": "http_proxy", "src_ip": "192.168.0.15", "src_port": "37910", "timestamp": "2022-01-22T03:46:13.373067"}
Done testing QHTTPProxyServer
Start testing QHTTPServer
{"action": "process", "password": "test", "protocol": "http", "src_ip": "172.17.0.1", "src_port": "38941", "status": "success", "timestamp": "2022-01-22T03:46:14.188397", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "38941", "protocol": "http", "request": {"Accept": "*/*", "Accept-Encoding": "gzip, deflate", "Connection": "keep-alive", "Host": "172.17.0.1:38941", "User-Agent": "python-requests/2.27.1", "method": "GET", "uri": "/"}, "src_ip": "172.17.0.1", "src_port": "38941", "timestamp": "2022-01-22T03:46:16.197069"}
{"action": "GET", "dst_ip": "172.17.0.1", "dst_port": "38941", "protocol": "http", "src_ip": "172.17.0.1", "src_port": "38941", "timestamp": "2022-01-22T03:46:16.197296"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "38941", "protocol": "http", "request": {"Accept": "*/*", "Accept-Encoding": "gzip, deflate", "Connection": "keep-alive", "Content-Length": "27", "Content-Type": "application/x-www-form-urlencoded", "Host": "172.17.0.1:38941", "User-Agent": "python-requests/2.27.1", "method": "POST", "uri": "/login.html"}, "src_ip": "172.17.0.1", "src_port": "38941", "timestamp": "2022-01-22T03:46:16.200447"}
{"action": "POST", "dst_ip": "172.17.0.1", "dst_port": "38941", "protocol": "http", "src_ip": "172.17.0.1", "src_port": "38941", "timestamp": "2022-01-22T03:46:16.200583"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "38941", "password": "test", "protocol": "http", "src_ip": "172.17.0.1", "src_port": "38941", "status": "success", "timestamp": "2022-01-22T03:46:16.200763", "username": "test"}
Done testing QHTTPServer
Start testing QHTTPSServer
{"action": "process", "password": "test", "protocol": "https", "src_ip": "172.17.0.1", "src_port": "35595", "status": "success", "timestamp": "2022-01-22T03:46:16.244015", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "35595", "protocol": "https", "request": {"Accept": "*/*", "Accept-Encoding": "gzip, deflate", "Connection": "keep-alive", "Host": "172.17.0.1:35595", "User-Agent": "python-requests/2.27.1", "method": "GET", "uri": "/"}, "src_ip": "172.17.0.1", "src_port": "35595", "timestamp": "2022-01-22T03:46:18.261230"}
{"action": "GET", "dst_ip": "172.17.0.1", "dst_port": "35595", "protocol": "https", "src_ip": "172.17.0.1", "src_port": "35595", "timestamp": "2022-01-22T03:46:18.261458"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "35595", "protocol": "https", "request": {"Accept": "*/*", "Accept-Encoding": "gzip, deflate", "Connection": "keep-alive", "Content-Length": "27", "Content-Type": "application/x-www-form-urlencoded", "Host": "172.17.0.1:35595", "User-Agent": "python-requests/2.27.1", "method": "POST", "uri": "/"}, "src_ip": "172.17.0.1", "src_port": "35595", "timestamp": "2022-01-22T03:46:18.274140"}
{"action": "POST", "dst_ip": "172.17.0.1", "dst_port": "35595", "protocol": "https", "src_ip": "172.17.0.1", "src_port": "35595", "timestamp": "2022-01-22T03:46:18.274257"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "35595", "password": "test", "protocol": "https", "src_ip": "172.17.0.1", "src_port": "35595", "status": "success", "timestamp": "2022-01-22T03:46:18.274401", "username": "test"}
Done testing QHTTPSServer
Start testing QSMBServer
{"action": "process", "folders": "", "password": "test", "protocol": "smb", "src_ip": "172.17.0.1", "src_port": "56551", "status": "success", "timestamp": "2022-01-22T03:46:18.320754", "username": "test"}
{"action": "connection", "msg": "Incoming connection (192.168.0.15,39082)", "protocol": "smb", "timestamp": "2022-01-22T03:46:20.323695"}
{"action": "connection", "msg": "AUTHENTICATE_MESSAGE (\\test,)", "protocol": "smb", "timestamp": "2022-01-22T03:46:20.339748"}
{"action": "connection", "msg": "User \\test authenticated successfully", "protocol": "smb", "timestamp": "2022-01-22T03:46:20.339984"}
Done testing QSMBServer
Start testing QSMTPServer
{"action": "process", "password": "test", "protocol": "smtp", "src_ip": "172.17.0.1", "src_port": "50453", "status": "success", "timestamp": "2022-01-22T03:46:20.384605", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "50453", "protocol": "smtp", "src_ip": "192.168.0.15", "src_port": "35970", "timestamp": "2022-01-22T03:46:22.392849"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "50453", "password": "test", "protocol": "smtp", "src_ip": "192.168.0.15", "src_port": "35970", "status": "success", "timestamp": "2022-01-22T03:46:22.394828", "username": "test"}
Done testing QSMTPServer
Start testing QSSHServer
{"action": "process", "password": "test", "protocol": "ssh", "src_ip": "172.17.0.1", "src_port": "49757", "status": "success", "timestamp": "2022-01-22T03:46:22.439677", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "49757", "protocol": "ssh", "src_ip": "192.168.0.15", "src_port": "58442", "timestamp": "2022-01-22T03:46:24.443775"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "49757", "password": "test", "protocol": "ssh", "src_ip": "192.168.0.15", "src_port": "58442", "status": "success", "timestamp": "2022-01-22T03:46:24.454809", "username": "test"}
Authentication failed.
Done testing QSSHServer
Start testing QTelnetServer
{"action": "process", "password": "test", "protocol": "telnet", "src_ip": "172.17.0.1", "src_port": "39479", "status": "success", "timestamp": "2022-01-22T03:46:24.498269", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "39479", "protocol": "telnet", "src_ip": "192.168.0.15", "src_port": "60446", "timestamp": "2022-01-22T03:46:26.505243"}
Done testing QTelnetServer
Start testing QPOP3Server
{"action": "process", "password": "test", "protocol": "pop3", "src_ip": "172.17.0.1", "src_port": "41969", "status": "success", "timestamp": "2022-01-22T03:46:26.551721", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "41969", "protocol": "pop3", "src_ip": "192.168.0.15", "src_port": "55320", "timestamp": "2022-01-22T03:46:28.557634"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "41969", "password": "test", "protocol": "pop3", "src_ip": "192.168.0.15", "src_port": "55320", "status": "success", "timestamp": "2022-01-22T03:46:28.559334", "username": "test"}
Done testing QPOP3Server
Start testing QSOCKS5Server
{"action": "process", "password": "test", "protocol": "socks5", "src_ip": "172.17.0.1", "src_port": "37097", "status": "success", "timestamp": "2022-01-22T03:46:28.606605", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "37097", "protocol": "socks5", "src_ip": "192.168.0.15", "src_port": "54262", "timestamp": "2022-01-22T03:46:30.612379"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "37097", "password": "test", "protocol": "socks5", "src_ip": "192.168.0.15", "src_port": "54262", "status": "success", "timestamp": "2022-01-22T03:46:30.613297", "username": "test"}
Done testing QSOCKS5Server
Start testing QPostgresServer
{"action": "process", "password": "test", "protocol": "postgres", "src_ip": "172.17.0.1", "src_port": "43673", "status": "success", "timestamp": "2022-01-22T03:46:30.666260", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "43673", "protocol": "postgres", "src_ip": "192.168.0.15", "src_port": "47726", "timestamp": "2022-01-22T03:46:32.670760"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "43673", "password": "test", "protocol": "postgres", "src_ip": "192.168.0.15", "src_port": "47726", "status": "success", "timestamp": "2022-01-22T03:46:32.672212", "username": "test"}
Done testing QPostgresServer
Start testing QIMAPServer
{"action": "process", "password": "test", "protocol": "imap", "src_ip": "172.17.0.1", "src_port": "42407", "status": "success", "timestamp": "2022-01-22T03:46:32.717512", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "42407", "protocol": "imap", "src_ip": "192.168.0.15", "src_port": "53392", "timestamp": "2022-01-22T03:46:34.727452"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "42407", "password": "test", "protocol": "imap", "src_ip": "192.168.0.15", "src_port": "53392", "status": "success", "timestamp": "2022-01-22T03:46:34.729479", "username": "test"}
Done testing QIMAPServer
Start testing QRedisServer
{"action": "process", "password": "test", "protocol": "redis", "src_ip": "172.17.0.1", "src_port": "59159", "status": "success", "timestamp": "2022-01-22T03:46:34.792641", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "59159", "protocol": "redis", "src_ip": "192.168.0.15", "src_port": "37956", "timestamp": "2022-01-22T03:46:36.814495"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "59159", "password": "test", "protocol": "redis", "src_ip": "192.168.0.15", "src_port": "37956", "status": "success", "timestamp": "2022-01-22T03:46:36.815203", "username": "test"}
Done testing QRedisServer
Start testing QMysqlServer
{"action": "process", "password": "test", "protocol": "mysql", "src_ip": "172.17.0.1", "src_port": "48059", "status": "success", "timestamp": "2022-01-22T03:46:36.862184", "username": "test"}
{"action": "connection", "protocol": "mysql", "src_ip": "192.168.0.15", "src_port": "53012", "timestamp": "2022-01-22T03:46:38.889361"}
{"action": "login", "password": "test", "protocol": "mysql", "src_ip": "192.168.0.15", "src_port": "53012", "status": "success", "timestamp": "2022-01-22T03:46:38.891153", "username": "test"}
Done testing QMysqlServer
Start testing QMSSQLServer
{"action": "process", "password": "test", "protocol": "mssql", "src_ip": "172.17.0.1", "src_port": "45141", "status": "success", "timestamp": "2022-01-22T03:46:38.939657", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "45141", "protocol": "mssql", "src_ip": "192.168.0.15", "src_port": "57128", "timestamp": "2022-01-22T03:46:40.949323"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "45141", "password": "test", "protocol": "mssql", "src_ip": "192.168.0.15", "src_port": "57128", "status": "success", "timestamp": "2022-01-22T03:46:40.950085", "username": "test"}
Done testing QMSSQLServer
Start testing QElasticServer
{"action": "process", "password": "test", "protocol": "elastic", "src_ip": "172.17.0.1", "src_port": "51143", "status": "success", "timestamp": "2022-01-22T03:46:41.003913", "username": "elastic"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "51143", "protocol": "elastic", "src_ip": "192.168.0.15", "src_port": "33216", "timestamp": "2022-01-22T03:46:43.053909"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "51143", "password": "test", "protocol": "elastic", "src_ip": "192.168.0.15", "src_port": "33216", "status": "success", "timestamp": "2022-01-22T03:46:43.054433", "username": "elastic"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "51143", "protocol": "elastic", "src_ip": "192.168.0.15", "src_port": "33218", "timestamp": "2022-01-22T03:46:43.058029"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "51143", "password": "test", "protocol": "elastic", "src_ip": "192.168.0.15", "src_port": "33218", "status": "success", "timestamp": "2022-01-22T03:46:43.058657", "username": "elastic"}
Done testing QElasticServer
Start testing QVNCServer
{"action": "process", "password": "test", "protocol": "vnc", "src_ip": "172.17.0.1", "src_port": "57851", "status": "success", "timestamp": "2022-01-22T03:46:43.102100", "username": "test"}
Done testing QVNCServer
Start testing QLDAPServer
{"action": "process", "password": "test", "protocol": "ldap", "src_ip": "172.17.0.1", "src_port": "40765", "status": "success", "timestamp": "2022-01-22T03:46:45.152067", "username": "test"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "40765", "protocol": "ldap", "src_ip": "192.168.0.15", "src_port": "57373", "timestamp": "2022-01-22T03:46:47.210234"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "40765", "password": "test", "protocol": "ldap", "src_ip": "192.168.0.15", "src_port": "57373", "status": "success", "timestamp": "2022-01-22T03:46:47.211163", "username": "test"}
Done testing QLDAPServer
Start testing QNTPServer
{"action": "process", "protocol": "ntp", "src_ip": "172.17.0.1", "src_port": "36495", "status": "success", "timestamp": "2022-01-22T03:46:47.253987"}
{"action": "connection", "protocol": "ntp", "src_ip": "192.168.0.15", "src_port": "44448", "timestamp": "2022-01-22T03:46:49.257737"}
{"action": "query", "dst_ip": "172.17.0.1", "dst_port": "36495", "mode": "3", "protocol": "ntp", "src_ip": "192.168.0.15", "src_port": "44448", "status": "success", "timestamp": "2022-01-22T03:46:49.258455", "version": "3"}
Done testing QNTPServer
Start testing QMemcacheServer
{"action": "process", "protocol": "memcache", "src_ip": "172.17.0.1", "src_port": "35825", "status": "success", "timestamp": "2022-01-22T03:46:49.306115"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "35825", "protocol": "memcache", "src_ip": "192.168.0.15", "src_port": "46490", "timestamp": "2022-01-22T03:46:51.308398"}
{"action": "stats", "dst_ip": "172.17.0.1", "dst_port": "35825", "protocol": "memcache", "src_ip": "192.168.0.15", "src_port": "46490", "timestamp": "2022-01-22T03:46:51.309034"}
Done testing QMemcacheServer
Start testing QOracleServer
{"action": "process", "protocol": "oracle", "src_ip": "172.17.0.1", "src_port": "43345", "status": "success", "timestamp": "2022-01-22T03:46:51.353859"}
{"action": "connection", "dst_ip": "172.17.0.1", "dst_port": "43345", "protocol": "oracle", "src_ip": "192.168.0.15", "src_port": "49554", "timestamp": "2022-01-22T03:46:53.357137"}
{"action": "login", "dst_ip": "172.17.0.1", "dst_port": "43345", "local_user": "xxxxxxxxxxxxxx", "program": "linux_1", "protocol": "oracle", "service_name": "xe", "src_ip": "192.168.0.15", "src_port": "49554", "timestamp": "2022-01-22T03:46:53.357850"}
Done testing QOracleServer
Start testing QSNMPServer
{"action": "process", "protocol": "snmp", "src_ip": "172.17.0.1", "src_port": "52579", "status": "success", "timestamp": "2022-01-22T03:46:53.416258"}
Done testing QSNMPServer
I pushed that as honeypots==0.40 - Let me know your thoughts (Is there anything I missed or anything you would like me to add?)
Awesome. I will be running detailed tests with the ELK stack.
Just started with the testing and I noticed the following:
- Did the
config.json
format change? The config I was using for the previous version worked fine, but it's ignoring the port settings. All honeypot services (--setup all
) start up with a dynamic port.
```
Recreating honeypots ... done
Attaching to honeypots
honeypots | [x] Use [Enter] to exit or python3 -m honeypots --kill
honeypots | [x] config.json file overrides --ip, --port, --username and --password
honeypots | {"action": "process", "protocol": "dns", "src_ip": "0.0.0.0", "src_port": "34817", "status": "success", "timestamp": "2022-01-24T16:59:48.930976"}
honeypots | {"action": "process", "password": "anonymous", "protocol": "ftp", "src_ip": "0.0.0.0", "src_port": "53323", "status": "success", "timestamp": "2022-01-24T16:59:48.937545", "username": "ftp"}
honeypots | {"action": "process", "protocol": "http_proxy", "src_ip": "0.0.0.0", "src_port": "36907", "status": "success", "timestamp": "2022-01-24T16:59:48.946403"}
honeypots | {"action": "process", "password": "admin", "protocol": "http", "src_ip": "0.0.0.0", "src_port": "45557", "status": "success", "timestamp": "2022-01-24T16:59:48.955996", "username": "admin"}
honeypots | {"action": "process", "password": "admin", "protocol": "https", "src_ip": "0.0.0.0", "src_port": "58005", "status": "success", "timestamp": "2022-01-24T16:59:48.982523", "username": "admin"}
honeypots | {"action": "process", "password": "123456", "protocol": "imap", "src_ip": "0.0.0.0", "src_port": "37923", "status": "success", "timestamp": "2022-01-24T16:59:49.009122", "username": "root"}
```
Setting up the port manually on the command line works fine, but I am also noticing that the `src_port` / `src_ip` should be logged as `dest_ip` / `dest_port`. This was probably part of the change from the original `ip` and `port` logic.
```
/opt/honeypots $ python3 honeypots --setup ssh --port 22
[x] Use [Enter] to exit or python3 -m honeypots --kill
[x] Parsing honeypot [normal]
{"action": "process", "password": "test", "protocol": "ssh", "src_ip": "0.0.0.0", "src_port": "22", "status": "success", "timestamp": "2022-01-24T17:05:04.396074", "username": "test"}
[x] Everything looks good!
```
- Having an option to specify a logfile name that can be taken care of easily by logrotate is something that really helps keeping track of logs. The current implementation adds a UUID without a suffix, which makes log file management hard to handle on a daily basis.
Happy to continue testing, please let me know if the config needs adjustments or it needs to be loaded differently, but I could not see any changes.
Hey @t3chn0m4g3 :) Thanks for sharing that - and I just fixed all of them.
> Did the config.json format change? The config I was using for the previous version worked fine, but it's ignoring the port settings. All honeypot services (--setup all) start up with a dynamic port.
There are a few changes, but the issue was related to this line: when I replaced all the 'port' with 'src_port', this one got replaced too..
```python
if var == 'src_port':
    setattr(self, 'auto_disabled', True)
```
> Setting up the port manually on the command line works fine, but also noticing that the src_port / src_ip should be logged as dest_ip / dest_port. This was probably part of the change from the original ip and port logic.
My bad, I fixed that
```python
import honeypots
from time import sleep
from pkg_resources import get_distribution

print("Version:", get_distribution('honeypots').version)
for server, cls in honeypots.__dict__.items():
    if server.endswith('Server'):
        print("Start testing {}".format(server))
        temp_server = cls()
        temp_server.run_server(process=True, auto=True)
        sleep(2)
        temp_server.test_server()
        temp_server.kill_server()
        print("Done testing {}".format(server))
honeypots.clean_all()
exit()
```
Output:
```
Version: 0.41
Start testing QDNSServer
{"action": "process", "dest_ip": "0.0.0.0", "dest_port": "51229", "protocol": "dns", "status": "success", "timestamp": "2022-01-24T19:42:03.399035"}
{"action": "connection", "dest_ip": "127.0.0.1", "dest_port": "43297", "protocol": "dns", "src_ip": "0.0.0.0", "src_port": "51229", "timestamp": "2022-01-24T19:42:05.416242"}
{"action": "query", "dest_ip": "127.0.0.1", "dest_port": "43297", "payload": "<A address=93.184.216.34 ttl=5644>", "protocol": "dns", "src_ip": "0.0.0.0", "src_port": "51229", "timestamp": "2022-01-24T19:42:05.416472"}
{"action": "connection", "dest_ip": "127.0.0.1", "dest_port": "54958", "protocol": "dns", "src_ip": "0.0.0.0", "src_port": "51229", "timestamp": "2022-01-24T19:42:05.532517"}
{"action": "query", "dest_ip": "127.0.0.1", "dest_port": "54958", "payload": "<A address=93.184.216.34 ttl=13561>", "protocol": "dns", "src_ip": "0.0.0.0", "src_port": "51229", "timestamp": "2022-01-24T19:42:05.532611"}
{"action": "connection", "dest_ip": "127.0.0.1", "dest_port": "43065", "protocol": "dns", "src_ip": "0.0.0.0", "src_port": "51229", "timestamp": "2022-01-24T19:42:05.748014"}
...
...
...
```
> Having an option to specify a logfile name that can be taken care of easily by logrotate is something that really helps keeping track of logs. The current implementation adds a UUID without a suffix, which makes log file management hard to handle on a daily basis.
I added an option for that: in each honeypot you can specify the log rotate options (file name, max bytes and backup count). The file name gets joined with the `logs_location`.
> Happy to continue testing, please let me know if the config needs adjustments or it needs to be loaded differently, but I could not see any changes.
Here is a new config file based on the one shared
```sh
sudo -E python3 -m honeypots --setup all --config config.json
```
```json
{
  "logs": "file,terminal,json,tpot",
  "logs_location": "/var/log/honeypots/",
  "syslog_address": "",
  "syslog_facility": 0,
  "postgres": "",
  "db_options": [],
  "filter": "",
  "interface": "",
  "honeypots": {
    "dns": {
      "port": 53,
      "ip": "0.0.0.0",
      "username": "administrator",
      "password": "123456",
      "log_file_name": "dns.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "ftp": {
      "port": 21,
      "ip": "0.0.0.0",
      "username": "ftp",
      "password": "anonymous",
      "log_file_name": "ftp.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "httpproxy": {
      "port": 8080,
      "ip": "0.0.0.0",
      "username": "admin",
      "password": "admin",
      "log_file_name": "httpproxy.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "http": {
      "port": 80,
      "ip": "0.0.0.0",
      "username": "admin",
      "password": "admin",
      "log_file_name": "http.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "https": {
      "port": 443,
      "ip": "0.0.0.0",
      "username": "admin",
      "password": "admin",
      "log_file_name": "https.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "imap": {
      "port": 143,
      "ip": "0.0.0.0",
      "username": "root",
      "password": "123456",
      "log_file_name": "imap.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "mysql": {
      "port": 3306,
      "ip": "0.0.0.0",
      "username": "root",
      "password": "123456",
      "log_file_name": "mysql.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "pop3": {
      "port": 110,
      "ip": "0.0.0.0",
      "username": "root",
      "password": "123456",
      "log_file_name": "pop3.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "postgres": {
      "port": 5432,
      "ip": "0.0.0.0",
      "username": "postgres",
      "password": "123456",
      "log_file_name": "postgres.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "redis": {
      "port": 6379,
      "ip": "0.0.0.0",
      "username": "root",
      "password": "",
      "log_file_name": "redis.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "smb": {
      "port": 445,
      "ip": "0.0.0.0",
      "username": "administrator",
      "password": "123456",
      "log_file_name": "smb.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "smtp": {
      "port": 25,
      "ip": "0.0.0.0",
      "username": "root",
      "password": "123456",
      "log_file_name": "smtp.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "socks5": {
      "port": 1080,
      "ip": "0.0.0.0",
      "username": "admin",
      "password": "admin",
      "log_file_name": "socks5.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "ssh": {
      "port": 22,
      "ip": "0.0.0.0",
      "username": "root",
      "password": "123456",
      "log_file_name": "ssh.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "telnet": {
      "port": 23,
      "ip": "0.0.0.0",
      "username": "root",
      "password": "123456",
      "log_file_name": "telnet.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "vnc": {
      "port": 5900,
      "ip": "0.0.0.0",
      "username": "administrator",
      "password": "123456",
      "log_file_name": "vnc.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "elastic": {
      "port": 9200,
      "ip": "0.0.0.0",
      "username": "elastic",
      "password": "123456",
      "log_file_name": "elastic.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "mssql": {
      "port": 1433,
      "ip": "0.0.0.0",
      "username": "sa",
      "password": "",
      "log_file_name": "mssql.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "ldap": {
      "port": 389,
      "ip": "0.0.0.0",
      "username": "administrator",
      "password": "123456",
      "log_file_name": "ldap.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "ntp": {
      "port": 123,
      "ip": "0.0.0.0",
      "username": "administrator",
      "password": "123456",
      "log_file_name": "ntp.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "memcache": {
      "port": 11211,
      "ip": "0.0.0.0",
      "username": "admin",
      "password": "123456",
      "log_file_name": "memcache.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "oracle": {
      "port": 1521,
      "ip": "0.0.0.0",
      "username": "bi",
      "password": "123456",
      "log_file_name": "oracle.log",
      "max_bytes": 10000,
      "backup_count": 10
    },
    "snmp": {
      "port": 161,
      "ip": "0.0.0.0",
      "username": "privUser",
      "password": "123456",
      "log_file_name": "snmp.log",
      "max_bytes": 10000,
      "backup_count": 10
    }
  }
}
```
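As an added example (not honeypots' own implementation), this is how the three per-honeypot keys above, `log_file_name`, `max_bytes` and `backup_count`, map onto the standard library's `RotatingFileHandler`, with the file name joined onto `logs_location` as described. The trimmed config text embedded below, the logger names and the demo that shrinks `max_bytes` to make rotation visible are assumptions for the demo; the check that a file name cannot leave `logs_location` is a defensive choice of this example, not a statement about the project.

```python
import json
import logging
import os
import tempfile
from logging.handlers import RotatingFileHandler

# Trimmed copy of the config above (two honeypots only), constructed for the demo.
CONFIG_TEXT = """
{
  "logs": "file,terminal,json",
  "logs_location": "/var/log/honeypots/",
  "honeypots": {
    "ssh": {"port": 22, "ip": "0.0.0.0", "log_file_name": "ssh.log", "max_bytes": 10000, "backup_count": 10},
    "ftp": {"port": 21, "ip": "0.0.0.0", "log_file_name": "ftp.log", "max_bytes": 10000, "backup_count": 10}
  }
}
"""


def log_path(logs_location, name, settings):
    """Join log_file_name onto logs_location, refusing names that leave the directory."""
    file_name = settings.get("log_file_name") or f"{name}.log"
    root = os.path.realpath(logs_location)
    path = os.path.realpath(os.path.join(root, file_name))
    # os.path.join discards `root` when file_name is absolute, and '../' walks
    # out of it; either would let a config typo write somewhere unexpected
    if os.path.commonpath([root, path]) != root:
        raise ValueError(f"log_file_name {file_name!r} escapes {logs_location!r}")
    return path


def rejects_escape(logs_location, file_name):
    """True when log_path refuses the given file name."""
    try:
        log_path(logs_location, "x", {"log_file_name": file_name})
    except ValueError:
        return True
    return False


def build_file_logger(name, settings, logs_location):
    logger = logging.getLogger(f"honeypots.file.{name}")  # hypothetical logger name
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()  # idempotent when called again with a new config
    handler = RotatingFileHandler(
        log_path(logs_location, name, settings),
        maxBytes=int(settings.get("max_bytes", 0)),        # 0 disables size-based rotation
        backupCount=int(settings.get("backup_count", 0)),  # 0 truncates instead of keeping .1, .2, ...
    )
    # the honeypot hands over an already serialised JSON line, so no decoration
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    return logger


def setup_from_config(config_text):
    cfg = json.loads(config_text)
    logs_location = cfg["logs_location"]
    os.makedirs(logs_location, exist_ok=True)
    return {name: build_file_logger(name, settings, logs_location)
            for name, settings in cfg["honeypots"].items()}


def demo_rotation(records=20, max_bytes=300, backup_count=2):
    """Write `records` lines to the ssh log under a tiny size limit and return
    the sorted file names left behind, so the rotation is visible."""
    cfg = json.loads(CONFIG_TEXT)
    cfg["logs_location"] = tempfile.mkdtemp(prefix="honeypots-logs-")
    cfg["honeypots"]["ssh"].update({"max_bytes": max_bytes, "backup_count": backup_count})
    loggers = setup_from_config(json.dumps(cfg))
    for i in range(records):
        # constructed event, serialised the way the honeypot would emit it
        loggers["ssh"].info(json.dumps({"action": "login", "status": "failed", "protocol": "ssh",
                                        "src_ip": "203.0.113.5", "src_port": 40000 + i, "dest_port": 22}))
    for logger in loggers.values():
        for handler in logger.handlers:
            handler.close()
    return sorted(os.listdir(cfg["logs_location"]))


if __name__ == "__main__":
    print(demo_rotation())  # ['ftp.log', 'ssh.log', 'ssh.log.1', 'ssh.log.2']
```

With `RotatingFileHandler` doing the rotation in-process, logrotate is no longer needed for size; if logrotate is still used for time-based rotation, its `copytruncate` mode is the one that does not confuse the handler. The files hold captured credentials and payloads, so the directory mode on `logs_location` deserves the same care as any other credential store.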
List all logs
```
$ ls -l /var/log/honeypots/
total 88
-rw-r--r-- 1 root root 197 Jan 24 11:29 elastic.log
-rw-r--r-- 1 root root 190 Jan 24 11:29 ftp.log
-rw-r--r-- 1 root root 189 Jan 24 11:29 http.log
-rw-r--r-- 1 root root 155 Jan 24 11:29 httpproxy.log
-rw-r--r-- 1 root root 191 Jan 24 11:29 https.log
-rw-r--r-- 1 root root 190 Jan 24 11:29 imap.log
-rw-r--r-- 1 root root 199 Jan 24 11:29 ldap.log
-rw-r--r-- 1 root root 154 Jan 24 11:29 memcache.log
-rw-r--r-- 1 root root 188 Jan 24 11:29 mssql.log
-rw-r--r-- 1 root root 192 Jan 24 11:29 mysql.log
-rw-r--r-- 1 root root 147 Jan 24 11:29 ntp.log
-rw-r--r-- 1 root root 151 Jan 24 11:29 oracle.log
-rw-r--r-- 1 root root 190 Jan 24 11:29 pop3.log
-rw-r--r-- 1 root root 199 Jan 24 11:29 postgres.log
-rw-r--r-- 1 root root 190 Jan 24 11:29 redis.log
-rw-r--r-- 1 root root 213 Jan 24 11:29 smb.log
-rw-r--r-- 1 root root 189 Jan 24 11:29 smtp.log
-rw-r--r-- 1 root root 148 Jan 24 11:29 snmp.log
-rw-r--r-- 1 root root 193 Jan 24 11:29 socks5.log
-rw-r--r-- 1 root root 1243 Jan 24 11:30 ssh.log
-rw-r--r-- 1 root root 191 Jan 24 11:29 telnet.log
-rw-r--r-- 1 root root 199 Jan 24 11:29 vnc.log
```
Check ssh logs
```
tail /var/log/honeypots/ssh.log
{'timestamp': '2022-01-24T19:29:12.334929', 'action': 'process', 'status': 'success', 'dest_ip': '0.0.0.0', 'dest_port': '22', 'username': 'root', 'password': '123456', 'protocol': 'ssh'}
{'timestamp': '2022-01-24T19:29:55.371746', 'action': 'connection', 'dest_ip': '127.0.0.1', 'dest_port': '50970', 'src_ip': '0.0.0.0', 'src_port': '22', 'protocol': 'ssh'}
{'timestamp': '2022-01-24T19:30:03.875390', 'action': 'connection', 'dest_ip': '127.0.0.1', 'dest_port': '50972', 'src_ip': '0.0.0.0', 'src_port': '22', 'protocol': 'ssh'}
{'timestamp': '2022-01-24T19:30:08.544179', 'action': 'login', 'status': 'failed', 'dest_ip': '127.0.0.1', 'dest_port': '50972', 'src_ip': '0.0.0.0', 'src_port': '22', 'username': 'test', 'password': 'test', 'protocol': 'ssh'}
{'timestamp': '2022-01-24T19:30:09.520196', 'action': 'login', 'status': 'failed', 'dest_ip': '127.0.0.1', 'dest_port': '50972', 'src_ip': '0.0.0.0', 'src_port': '22', 'username': 'test', 'password': 'test', 'protocol': 'ssh'}
{'timestamp': '2022-01-24T19:30:10.288140', 'action': 'login', 'status': 'failed', 'dest_ip': '127.0.0.1', 'dest_port': '50972', 'src_ip': '0.0.0.0', 'src_port': '22', 'username': 'test', 'password': 'test', 'protocol': 'ssh'}
```
I pushed the 0.41, let me know if works!
Thank you! Ports open and logs are written as expected!
Just started testing and noticed that src / dest are reversed, but not always or for all honeypots (process reports correctly, connection gets logged reversed):
```
{'timestamp': '2022-01-25T13:30:12.293001', 'action': 'process', 'status': 'success', 'dest_ip': '0.0.0.0', 'dest_port': '23', 'username': 'root', 'password': '123456', 'protocol': 'telnet'}
{'timestamp': '2022-01-25T13:31:34.356248', 'action': 'connection', 'dest_ip': 'xxx.111.57.179', 'dest_port': '42120', 'src_ip': '0.0.0.0', 'src_port': '23', 'protocol': 'telnet'}
```
Example that logging generally works, with the issue of src / dest being reversed:
```
{'timestamp': '2022-01-25T13:30:11.948180', 'action': 'process', 'status': 'success', 'dest_ip': '0.0.0.0', 'dest_port': '80', 'username': 'admin', 'password': 'admin', 'protocol': 'http'}
{'timestamp': '2022-01-25T13:35:59.999349', 'action': 'connection', 'dest_ip': '192.168.112.2', 'dest_port': '80', 'src_ip': '0.0.0.0', 'src_port': '80', 'request': {'Host': 'xxx.150.231.74:80', 'User-Agent': 'Linux Gnu (cow)', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'en-GB,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Connection': 'close', 'Upgrade-Insecure-Requests': '1', 'method': 'GET', 'uri': '/'}, 'protocol': 'http'}
{'timestamp': '2022-01-25T13:35:59.999863', 'action': 'GET', 'dest_ip': '192.168.112.2', 'dest_port': '80', 'src_ip': '0.0.0.0', 'src_port': '80', 'protocol': 'http'}
```
Another reversed example:
```
{"action": "query", "dest_ip": "xxx.189.30.129", "dest_port": "59945", "payload": "<UNKNOWN data='\\x00/\\x07\\x02\\x00\\x00\\x0e\\x10a\\x87k\\xeb_\\xa6*[\\xebR\\x08pizzaseo\\x03com\\x00\\xc1\\xa4\\x1e~r\\xf7\\x00\\x90\\xc5\\xd9:\\x02\\xd8\\xea\\x1e\\x1aK\\xab\\xe4\\xe4\\xf0\\xb9\\x95U[3\\xbd\\xf0K\\x16b\\xee\\xe5\\xe7\\x8d\\xc3\\x16\\x19\\xf69\\x8a\\x02|\\xa5\\x89\\xed\\x1cj\\x00\\xdf\\nd^\\xa3B\\xe0\\xc20ir\\x0b\\xa2\\xd3\\x11\\xb8\\x14~\\x0c\\xc3\\xdf\\xb2\\xa8\\x18\\xe88\\xa5\\xb8\\x9d\\x04\\x88\\x04C2\\x00+\\xcc\\xa7p)\\xa2\\xc0f=\\xb8}\\xc3\\x80\\xd4\\x1c}\\x17\\x14\\xd6\\xb47b\\xd9~\\x90SBQ\\xa45F9\\x08\\xd8\\xc2\\x97\\xda\\x98\\xce\\xe6\\xaegc\\xc8\\x8c\\x06 \\x08(\\t\\xa1\\xd8\\xcb\\x89\\xdf\\x07\\x07\\xcfy`\"\\xe5\\xb1\\x06\\xb4\\xe6_\\xc4\\xc0\\xe14O\\xc4\\xaa\\xca;_V\\x01Gm\\x95\\xefV\\xe5\\x98\\x198\\x9b\\xf2<\\xab1\\xe8\\rRN\\x85\\xe5\\xd8\\xf2\\x08\\xae\\x03bt\\xe2$\\x04\\xf6g\\xd7\\x1e\\xc4\\xd0(7\\xc6*\\'\\x0cP\\\\\\x93cZ\\x9205\\xdf2\\xb8\\xca>O\\xb4\\x8b\\xe3U\\x8d\\x95\\x05\\xa2\\xd1\\xf1eh\\xbakj\\x94\\x11\\x19CMz\\x98\\xc9\\xdc\\xfb\\x91\\x8c\\xd75\\xf3\\xd8\\x82\\x02\\x87\\xdc\\'\\xc7\\xc9\\x83_\\xff\\x95\\x88\\xce\\nZ\\xa2\\xe3\\xdb\\x1d\\x87\\xe8\\x8c\\xfe0\\x16k\\x14\\xc4ADh\\xc8\\xe50s%\\x1b\\x0b\\x8a\\xd7*\\x1f-\\xed\\x91l\\x9c\\xa1\\xc8X\\xdf\\x11\\xc7x\\x8d\\x8e\\x91\\xf5|\\xa8\\xbd\\xcav\\xc8\\xa1\\x99\\xeb7\\x10\\x91\\xfc\\xb4\\x0e\\xd0\\'f\\xdfH\\xc5Re\\xe18e\\x07F\\xe1\\x17@\\x05\\xf8\\xda9h\\xa5E\\x12y@D\\x04\\xf9\\\\6isf)S\\xe5\\x18q\\xc6\\xe8\\xf3j\\x9bv\\x8e\\xa1\\xe4;!x\\xd1\\xe5\\x94Q\\x06\\xf3\\t\\xef\\xc5P\\x07;A\\x99\\xfd\\x00\\xc55\\x0f\\x99\\xb05\\xfe\\x0f\\x01\\x15I\\x00\\xadK\\xea\\xe3\\xb3\\xa0\\x11_\\xd7\\xc0\\x89\\x90S\\xf9\\xb5\\xd9\"\"Z\\xdb\\xa3\\x8f\\xab\\xfa\\xa3\\x86\\x12$h\\x85\\xb1\\x11\\xf93\\x9e\\xd7b\\xec\\xd4\\x84yA\\n\\xb2\\xc7f\\xb3\\xb7\\x91\\x1c?O:h\\x94xF\\x8dh\\xb8\\xf0~\\x19\\xdcy\\xd3\\xac\\xa2\\xa4z*\\xa8d\\xc47\\x17\\x85\\xb3.nc\\x94.9\\xb3a\\xc6\\x17\\xb2}k\\x15k\\xa0\\xe3\\xd5\\x04\\t\\xd8\\xfchj0A\\xf5\\xa3{\\xf5vm' ttl=3240>", "protocol": "dns", "src_ip": "0.0.0.0", "src_port": "53", "timestamp": "2022-01-25T16:17:47.141234"}
```
Another thing I noticed, especially for SMTP: it would add so much more value if all generated data, i.e. SMTP input commands and data, would be logged, ideally with session awareness. There is so much more data right at the fingertips that could be used.
Great! Glad they are working!
Just started testing and noticed that src / dest are reversed, but not always or for all honeypots (process reports correctly, connection gets logged reversed).
Yes, this is the initialization info msg: the telnet honeypot is getting initialized, 'action': 'process'. In this case it's running successfully, 'status': 'success'; if there is an issue it will show 'status': 'error'. (No connections at this point, just info, that's why there was no src_ip / src_port.)
{'timestamp': '2022-01-25T13:30:12.293001', 'action': 'process', 'status': 'success', 'dest_ip': '0.0.0.0', 'dest_port': '23', 'username': 'root', 'password': '123456', 'protocol': 'telnet'}
And, this one means there is a current connection
{'timestamp': '2022-01-25T13:31:34.356248', 'action': 'connection', 'dest_ip': 'xxx.111.57.179', 'dest_port': '42120', 'src_ip': '0.0.0.0', 'src_port': '23', 'protocol': 'telnet'}
But I added "src_ip": "0.0.0.0", "src_port": "0" to all of them, so all the output has src_ip, src_port, dest_ip and dest_port.
True! I can look at the old honeypots code and add the capabilities of SMTP and other honeypots (I was only focusing on logging the username and password). I have added this note to my to-do list, and hopefully I start working on it soon!
I just pushed 0.42 which should show src_ip, src_port, dest_ip and dest_port, and fixed the smb one!
Thank you!
Looking at a current brute force attempt coming from 122.186.xx.yy:
{'timestamp': '2022-01-26T11:38:39.659063', 'action': 'login', 'status': 'failed', 'dest_ip': '122.186.xx.yy', 'dest_port': '56362', 'src_ip': '0.0.0.0', 'src_port': '21', 'username': 'test', 'password': 'password1', 'protocol': 'ftp'}
{'timestamp': '2022-01-26T11:38:40.964431', 'action': 'login', 'status': 'failed', 'dest_ip': '122.186.xx.yy', 'dest_port': '56434', 'src_ip': '0.0.0.0', 'src_port': '21', 'username': 'test', 'password': 'r00t', 'protocol': 'ftp'}
{'timestamp': '2022-01-26T11:38:42.288664', 'action': 'login', 'status': 'failed', 'dest_ip': '122.186.xx.yy', 'dest_port': '56525', 'src_ip': '0.0.0.0', 'src_port': '21', 'username': 'test', 'password': 'tomcat', 'protocol': 'ftp'}
{'timestamp': '2022-01-26T11:38:43.597683', 'action': 'login', 'status': 'failed', 'dest_ip': '122.186.xx.yy', 'dest_port': '56631', 'src_ip': '0.0.0.0', 'src_port': '21', 'username': 'test', 'password': '5201314', 'protocol': 'ftp'}
{'timestamp': '2022-01-26T11:38:45.777623', 'action': 'login', 'status': 'failed', 'dest_ip': '122.186.xx.yy', 'dest_port': '56730', 'src_ip': '0.0.0.0', 'src_port': '21', 'username': 'test', 'password': 'system', 'protocol': 'ftp'}
{'timestamp': '2022-01-26T11:38:47.046771', 'action': 'login', 'status': 'failed', 'dest_ip': '122.186.xx.yy', 'dest_port': '56869', 'src_ip': '0.0.0.0', 'src_port': '21', 'username': 'test', 'password': 'pass', 'protocol': 'ftp'}
According to the logs the attacker's source IP is currently logged as 'dest_ip': '122.186.xx.yy', but this should be logged as 'src_ip': '122.186.xx.yy'. The attacker's source port is usually a high port which should be logged as 'src_port': '56869'. The destination port is always the service port the honeypot is running on, i.e. 21, 22 or 23, while the destination IP is usually the IP the service is bound / exposed on, i.e. 192.168.23.64.
I was unclear about what I meant with "reversed", sorry.
Hey @t3chn0m4g3 :)
No worries at all, my bad, I fixed that in 0.46 and added more features:
custom_filter, this can be used to filter or alter msg:
- change {}: replace keys of msg with different ones, you can replace process with protocol as {"process":"protocol"} and so on
- contains []: values that must be in the msg, otherwise the msg will be dismissed. If you have ["protocol","action"] then msg must have protocol and action
- remove []: values that will be removed from the msg, as ['protocol','src_ip']
- options []:
  - remove_errors: removes all the error msg
  - remove_init: removes all the init msg
  - remove_word_server: this removes the prefix _server
  - dump_json_to_file: this uses json.dumps (might not be needed, each line is serialized)
Here is an example for tpot with custom_filter:
{
  "logs":"file,terminal,json,tpot",
  "logs_location":"/var/log/honeypots/",
  "syslog_address":"",
  "syslog_facility":0,
  "postgres":"",
  "db_options":[],
  "filter":"",
  "interface":"",
  "honeypots":{
    "ftp":{
      "port":21,
      "ip":"0.0.0.0",
      "username":"ftp",
      "password":"anonymous",
      "log_file_name":"ftp.log",
      "max_bytes":10000,
      "backup_count":10
    }
  },
  "custom_filter":{
    "honeypots":{
      "change":{
        "server":"protocol"
      },
      "contains":[
        "protocol",
        "action",
        "src_ip",
        "src_port",
        "dest_ip",
        "dest_port"
      ],
      "remove":[],
      "options":[
        "remove_errors",
        "remove_init",
        "remove_word_server"
      ]
    }
  }
}
{"action": "login", "dest_ip": "0.0.0.0", "dest_port": "21", "password": "we", "protocol": "ftp", "src_ip": "127.0.0.1", "src_port": "44640", "status": "failed", "timestamp": "2022-01-27T04:49:48.076218", "username": "w"}
Here is a test with the tpot.txt config file:
$ sudo -E python3 -m honeypots --setup all --config '/home/test/Desktop/tpot.txt'
[x] Use [Enter] to exit or python3 -m honeypots --kill
[x] config.json file overrides --ip, --port, --username and --password
[x] Everything looks good!
{"action": "login", "dest_ip": "0.0.0.0", "dest_port": "21", "password": "w", "protocol": "ftp", "src_ip": "127.0.0.1", "src_port": "44522", "status": "failed", "timestamp": "2022-01-27T00:31:21.465789", "username": "w"}
$ tail /var/log/honeypots/ftp.log
{'timestamp': '2022-01-27T00:31:21.465789', 'action': 'login', 'status': 'failed', 'src_ip': '127.0.0.1', 'src_port': '44522', 'dest_ip': '0.0.0.0', 'dest_port': '21', 'username': 'w', 'password': 'w', 'protocol': 'ftp'}
Here is the new config file for tpot.txt [updated 27/1/2022]
Let me know if that helps!
This is perfect! Thank you, works as expected!
@t3chn0m4g3 Awesome, that's absolutely perfect, and I love the dashboard!!! (Haha, no one saw the IPs.. except me)
If you encounter any issues in this project or other projects, please let me know (I will start adding the stripped capabilities from SMTP and other honeypots in the next month or so).
P.S. I pinned this issue because I feel that some of the honeypots users will contact me in the next few days asking about the new msg format.
What can I say... I guess it was a little bit too late (or early in the morning)
@t3chn0m4g3 Awesome, that's absolutely perfect, and I love the dashboard!!! (Haha, no one saw the IPs.. except me)
Sounds awesome. Thank you :)
Another thing I noticed, especially for SMTP, it would add so much more value, if all generated data, i.e. SMTP input commands and data would be logged and ideally with session awareness. There is so much more data right at the fingertips that could be used
I added that a few months ago but totally forgot to mention it to you! You can add capture_commands to all of them and if the honeypot has the capture commands feature, it will be activated (currently works with QFTPServer, QIMAPServer, QPOP3Server, QSMTPServer, QSIPServer and QIRCServer):
...
"http":{
  "port":80,
  "ip":"0.0.0.0",
  "username":"admin",
  "password":"admin",
  "log_file_name":"http.log",
  "max_bytes":10000,
  "backup_count":10,
  "options":["fix_get_client_ip","capture_commands"]
}
...
Or you can add the HONEYPOTS_OPTIONS environment variable with capture_commands :)
Awesome! Will check it out ASAP!
Thank you!
Everything is functioning excellently. However, I'm seeking one additional feature: the ability to add fields, complementing the existing option to remove them. Specifically, I'd like to introduce a field named "tenant" and populate it with the customer's name.
This enhancement would provide me with improved multi-tenant management capabilities in ELK.
Hey @t3chn0m4g3 :)
No worries at all, my bad, I fixed that in 0.46 and added more features:
custom_filter, this can be used to filter or alter msg:
- change {}: replace keys of msg with different ones, you can replace process with protocol as {"process":"protocol"} and so on
- contains []: values that must be in the msg, otherwise the msg will be dismissed. If you have ["protocol","action"] then msg must have protocol and action
- remove []: values that will be removed from the msg, as ['protocol','src_ip']
- options []:
  - remove_errors: removes all the error msg
  - remove_init: removes all the init msg
  - remove_word_server: this removes the prefix _server
  - dump_json_to_file: this uses json.dumps (might not be needed, each line is serialized)
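A stand-alone Python re-implementation of the custom_filter semantics described in the thread (change, contains, remove and the remove_errors / remove_init / remove_word_server options), applied to constructed messages in the pre-0.46 shape; this is written for this thread, not code from the honeypots project. The "add" key that injects the requested tenant field is a hypothetical extension, and the order in which the steps are applied is my assumption.

```python
import json
from copy import deepcopy

# Constructed config from the thread's custom_filter block plus a hypothetical "add" key (not a honeypots option).
CUSTOM_FILTER = {
    "change": {"server": "protocol"},
    "contains": ["protocol", "action", "src_ip", "src_port", "dest_ip", "dest_port"],
    "remove": [],
    "options": ["remove_errors", "remove_init", "remove_word_server"],
    "add": {"tenant": "customer-a"},
}

# Constructed sample messages in the pre-0.46 shape ("server" key with "_server" suffix).
SAMPLE_MSGS = [
    {"timestamp": "2022-01-25T13:30:12.293001", "action": "process", "status": "success",
     "dest_ip": "0.0.0.0", "dest_port": "23", "server": "telnet_server"},
    {"timestamp": "2022-01-21T11:19:43.350640", "action": "login", "status": "failed",
     "src_ip": "1.2.3.4", "src_port": "30786", "dest_ip": "0.0.0.0", "dest_port": "22",
     "username": "demo", "password": "password", "server": "ssh_server"},
    {"timestamp": "2022-01-21T11:19:44.000000", "action": "connection", "status": "error",
     "src_ip": "1.2.3.4", "src_port": "2853", "dest_ip": "0.0.0.0", "dest_port": "22",
     "server": "ssh_server"},
]

def apply_custom_filter(msg, cfg):
    """Return the rewritten message, or None when the filter dismisses it."""
    # Assumed order (my choice, undocumented upstream): options, change, remove, add, then contains.
    msg = deepcopy(msg)
    opts = cfg.get("options", [])
    if "remove_errors" in opts and msg.get("status") == "error":
        return None
    if "remove_init" in opts and msg.get("action") == "process":  # the init msg
        return None
    for old, new in cfg.get("change", {}).items():  # e.g. server -> protocol
        if old in msg:
            msg[new] = msg.pop(old)
    value = msg.get("protocol")
    if "remove_word_server" in opts and isinstance(value, str) and value.endswith("_server"):
        msg["protocol"] = value[: -len("_server")]  # "ssh_server" -> "ssh"
    for key in cfg.get("remove", []):
        msg.pop(key, None)
    msg.update(cfg.get("add", {}))
    if any(k not in msg for k in cfg.get("contains", [])):
        return None
    return msg

def render_jsonl(msgs, cfg):
    """One sorted-key JSON object per line, the shape of the 0.46 terminal output."""
    kept = (apply_custom_filter(m, cfg) for m in msgs)
    return [json.dumps(m, sort_keys=True) for m in kept if m is not None]
```

With the config above only the failed login survives: the init and error messages are dropped by the options, and a connection message lacking src_ip would be dropped by the contains check.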