Skip to content

Honeypot

Package name: intrudect-honeypot

Honeypot agent listens on the TCP or UDP ports specified in its configuration, records what clients send, and reports the activity to the central web as an alert. A TCP port can also emulate a service to capture what an attacker attempts.

Configuration

The initial example (not default) configuration for Honeypot can be created in the web UI under Agents > Add new honeypot. After saving and downloading it, store the configuration on the machine running the agent at /opt/intrudect-honeypot/etc/config.json. Once in place, Honeypot will request an updated configuration from the web UI every minute.

Listeners

A listener specifies an IP and the TCPPorts and UDPPorts to monitor. Each TCPPorts entry is an object with a Port and optional Protocol and Banner fields (see TCP port options); UDPPorts is a plain list of port numbers.

"Listeners": [
  {
    "IP": "192.168.1.2",
    "TCPPorts": [
      { "Port": 25,  "Protocol": "smtp" },
      { "Port": 110, "Protocol": "pop3", "Banner": "+OK mycorp POP3 ready\r\n" },
      { "Port": 143, "Protocol": "imap" }
    ],
    "UDPPorts": [
      123,
      161
    ]
  }
]

In this example TCP port 25 emulates SMTP with its default banner, port 110 emulates POP3 with a custom banner, and port 143 emulates IMAP; the UDP ports and any TCP port without a Protocol stay silent.

The IP field controls which local address the listener binds to:

  • an IPv4 literal (192.168.1.2) — that IPv4 address only
  • an IPv6 literal (2001:db8::5) — that IPv6 address only
  • :: or an empty string — all interfaces, both IPv4 and IPv6
  • 0.0.0.0 — all interfaces, IPv4 only

TCP port options

Each TCPPorts entry has a required Port and two optional fields:

  • Protocol — the service to emulate, one of the supported values. Omit it (or set "silent") for a silent port: it accepts the connection and records traffic without answering.
  • Banner — the greeting sent on connect. When empty, a known protocol uses its default banner; when set, it is sent verbatim (use JSON escapes such as \r\n) and overrides the default.
"TCPPorts": [
  { "Port": 9000 },
  { "Port": 22, "Protocol": "ssh" },
  { "Port": 25, "Protocol": "smtp", "Banner": "220 mail.example.com ESMTP\r\n" }
]
Entry Behavior
{ "Port": 9000 } silent — accept and record, send nothing
{ "Port": 9000, "Banner": "..." } send the banner, then record
{ "Port": 25, "Protocol": "smtp" } emulate SMTP with its default banner
{ "Port": 25, "Protocol": "smtp", "Banner": "..." } emulate SMTP with a custom banner

An unsupported Protocol is reported as an agent-health alert and the port stays silent (a custom Banner is still sent). These options apply to TCP ports only; UDPPorts is always a plain list.

Supported protocols

Value Behavior
silent (or "") capture only; show Banner if provided
smtp, pop3, imap, ftp emulate the login exchange and capture attempted credentials
ssh complete an SSH handshake and capture attempted passwords, keyboard-interactive answers and public-key fingerprints
telnet present a login prompt and capture username/password attempts
redis answer RESP commands and capture the AUTH password and abuse commands (CONFIG SET, SLAVEOF, MODULE LOAD, …)
http serve a blank page; capture the request line, path and User-Agent
http-basic-auth answer 401 with a Basic challenge; capture submitted Authorization credentials
http-login serve a fake HTML login form; capture credentials POSTed to it
postgresql, mysql, mssql emulate the database login handshake and capture the attempted username and password
ldap answer BindRequests and capture simple-bind credentials (username and cleartext password)
vnc run the RFB authentication handshake and log the challenge/response pair for offline cracking
smb present an SMB2 server and capture the NetNTLMv2 hash of any account that authenticates (crackable offline; reveals DOMAIN\user)
rdp capture only, no emulation at this time

Emulated login protocols capture the submitted username and password into the alert message where possible. For smb account's NetNTLMv2 response as a hashcat mode-5600 hash (for example SMB: NetNTLMv2 CORP\administrator administrator::CORP:1122334455667788:…), which identifies the account and can be cracked offline.

The http* protocols are request-driven and ignore Banner.

Sessions and alerting

A session is one connection for TCP, or a flow of datagrams from the same source IP:port for UDP. A session ends when:

  • the client closes or resets the connection,
  • the client stops sending (UDP, after UDPIdleSeconds),
  • the capture size limit is reached (MaxCaptureBytes), or
  • the session lifetime is reached (MaxCaptureSeconds).

By default the agent sends one alert per session, emitted when the session ends. This alert carries the number of bytes received, the session duration, and — if SendPCAP is enabled — the captured packets. Set AlertOnConnect to true to additionally receive an immediate alert the moment a session starts, giving two alerts per session (a connect alert with no payload, and a session-end alert with the pcap).

Scan detection

The agent detects TCP SYN scans (half-open connection attempts) and reports them. Probes from the same source are aggregated into a single Honeypot TCP scan alert listing the ports touched, for example TCP SYN scan / half-open connection attempt to 3 port(s): 22, 23, 443. Established connections are reported through the normal per-session alert.

"Level": 30,
"AlertOnConnect": false,
"SendPCAP": true,
"SaveLocalPCAP": false,
"MaxCaptureBytes": 1048576,
"MaxCaptureSeconds": 120,
"UDPIdleSeconds": 30,
"DetectSYNScan": true,
"ExcludeSrcCIDR": ["192.168.1.10", "192.168.2.0/24"]
  • Level — severity assigned to honeypot alerts. Must be 10 (info), 20 (medium) or 30 (high); any other value defaults to 30.
  • AlertOnConnect — when true, send an immediate alert at session start in addition to the session-end alert. Default false (one alert per session).
  • SendPCAP — attach the captured packets to the alert as a PCAP file (both directions, including the TCP handshake).
  • SaveLocalPCAP — also write the packets to a local PCAP file at /opt/intrudect-honeypot/honeypot_<srcip>_<dstip>_<dstport>_<datetime>.pcap. When false, a PCAP written only for transmission is removed a couple of minutes after sending.
  • MaxCaptureBytes — maximum payload and PCAP data collected per session, in bytes; the session is ended and reported when reached. Default 1048576 (1 MB).
  • MaxCaptureSeconds — maximum session lifetime in seconds; the session is cut and reported when reached. Default 120.
  • UDPIdleSeconds — for UDP, the amount of silence after which a session is considered finished and reported. Default 30.
  • DetectSYNScan — report TCP SYN scans; see Scan detection. Default true. Set to false on internet-facing hosts where such scans are constant background traffic.
  • ExcludeSrcCIDR — array of source ranges that are ignored by the honeypot. Each entry is a CIDR (10.0.0.0/8) or a bare IP; a bare IP is treated as /32 for IPv4 or /128 for IPv6. Traffic from a matching source is neither alerted on nor captured.