Begin integration of honeyaml

telekom-security · Oct 18, 2024 · 05461d6 · 05461d6
1 parent c7e6f5a
commit 05461d6
Show file tree

Hide file tree

Showing 18 changed files with 237 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -123,6 +123,7 @@ T-Pot offers docker images for the following honeypots ...
 * [glutton](https://github.com/mushorg/glutton)
 * [hellpot](https://github.com/yunginnanet/HellPot)
 * [heralding](https://github.com/johnnykv/heralding)
+* [honeyaml](https://github.com/mmta/honeyaml)
 * [honeypots](https://github.com/qeeqbox/honeypots)
 * [honeytrap](https://github.com/armedpot/honeytrap/)
 * [ipphoney](https://gitlab.com/bontchev/ipphoney)
@@ -268,6 +269,7 @@ Besides the ports generally needed by the OS, i.e. obtaining a DHCP lease, DNS,
 | 80, 443, 8080, 8443                                                                                                                   | tcp      | incoming  | Honeypot: Galah  (LLM required)                                                                     |
 | 8080                                                                                                                                  | tcp      | incoming  | Honeypot: Go-pot                                                                                    |
 | 21, 22, 23, 25, 80, 110, 143, 443, 993, 995, 1080, 5432, 5900                                                                         | tcp      | incoming  | Honeypot: Heralding                                                                                 |
+| 3000                                                                                                                                  | tcp      | incoming  | Honeypot: Honeyaml                                                                                  |
 | 21, 22, 23, 25, 80, 110, 143, 389, 443, 445, 631, 1080, 1433, 1521, 3306, 3389, 5060, 5432, 5900, 6379, 6667, 8080, 9100, 9200, 11211 | tcp      | incoming  | Honeypot: qHoneypots                                                                                |
 | 53, 123, 161, 5060                                                                                                                    | udp      | incoming  | Honeypot: qHoneypots                                                                                |
 | 631                                                                                                                                   | tcp      | incoming  | Honeypot: IPPHoney                                                                                  |
@@ -784,7 +786,7 @@ The software that T-Pot is built on uses the following licenses.
 <br>GPLv2: [conpot](https://github.com/mushorg/conpot/blob/master/LICENSE.txt), [galah](https://github.com/0x4D31/galah?tab=Apache-2.0-1-ov-file#readme), [dionaea](https://github.com/DinoTools/dionaea/blob/master/LICENSE), [honeytrap](https://github.com/armedpot/honeytrap/blob/master/LICENSE), [suricata](https://suricata.io/features/open-source/)
 <br>GPLv3: [adbhoney](https://github.com/huuck/ADBHoney), [elasticpot](https://gitlab.com/bontchev/elasticpot/-/blob/master/LICENSE), [ewsposter](https://github.com/telekom-security/ews/), [log4pot](https://github.com/thomaspatzke/Log4Pot/blob/master/LICENSE), [fatt](https://github.com/0x4D31/fatt/blob/master/LICENSE), [heralding](https://github.com/johnnykv/heralding/blob/master/LICENSE.txt), [ipphoney](https://gitlab.com/bontchev/ipphoney/-/blob/master/LICENSE), [miniprint](https://github.com/sa7mon/miniprint?tab=GPL-3.0-1-ov-file#readme), [redishoneypot](https://github.com/cypwnpwnsocute/RedisHoneyPot/blob/main/LICENSE), [sentrypeer](https://github.com/SentryPeer/SentryPeer/blob/main/LICENSE.GPL-3.0-only), [snare](https://github.com/mushorg/snare/blob/master/LICENSE), [tanner](https://github.com/mushorg/snare/blob/master/LICENSE)
 <br>Apache 2 License: [cyberchef](https://github.com/gchq/CyberChef/blob/master/LICENSE), [dicompot](https://github.com/nsmfoo/dicompot/blob/master/LICENSE), [elasticsearch](https://github.com/elasticsearch/elasticsearch/blob/master/LICENSE.txt), [go-pot](https://github.com/ryanolee/go-pot?tab=License-1-ov-file#readme), [logstash](https://github.com/elasticsearch/logstash/blob/master/LICENSE), [kibana](https://github.com/elasticsearch/kibana/blob/master/LICENSE.md), [docker](https://github.com/docker/docker/blob/master/LICENSE)
-<br>MIT license: [autoheal](https://github.com/willfarrell/docker-autoheal?tab=MIT-1-ov-file#readme), [beelzebub](https://github.com/mariocandela/beelzebub?tab=MIT-1-ov-file#readme), [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/blob/master/LICENSE), [ddospot](https://github.com/aelth/ddospot/blob/master/LICENSE), [elasticvue](https://github.com/cars10/elasticvue/blob/master/LICENSE), [glutton](https://github.com/mushorg/glutton/blob/master/LICENSE), [hellpot](https://github.com/yunginnanet/HellPot/blob/master/LICENSE), [maltrail](https://github.com/stamparm/maltrail/blob/master/LICENSE)
+<br>MIT license: [autoheal](https://github.com/willfarrell/docker-autoheal?tab=MIT-1-ov-file#readme), [beelzebub](https://github.com/mariocandela/beelzebub?tab=MIT-1-ov-file#readme), [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/blob/master/LICENSE), [ddospot](https://github.com/aelth/ddospot/blob/master/LICENSE), [elasticvue](https://github.com/cars10/elasticvue/blob/master/LICENSE), [glutton](https://github.com/mushorg/glutton/blob/master/LICENSE), [hellpot](https://github.com/yunginnanet/HellPot/blob/master/LICENSE), [honeyaml](https://github.com/mmta/honeyaml?tab=MIT-1-ov-file#readme), [maltrail](https://github.com/stamparm/maltrail/blob/master/LICENSE)
 <br> Unlicense: [endlessh](https://github.com/skeeto/endlessh/blob/master/UNLICENSE)
 <br> Other: [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot#licencing-agreement-malwaretech-public-licence), [cowrie](https://github.com/cowrie/cowrie/blob/master/LICENSE.rst), [mailoney](https://github.com/awhitehatter/mailoney), [Elastic License](https://www.elastic.co/licensing/elastic-license), [Wordpot](https://github.com/gbrindisi/wordpot)
 <br> AGPL-3.0: [honeypots](https://github.com/qeeqbox/honeypots/blob/main/LICENSE)
@@ -817,6 +819,7 @@ Without open source and the development community we are proud to be a part of,
 * [go-pot](https://github.com/ryanolee/go-pot/graphs/contributors)
 * [hellpot](https://github.com/yunginnanet/HellPot/graphs/contributors)
 * [heralding](https://github.com/johnnykv/heralding/graphs/contributors)
+* [honeyaml](https://github.com/mmta/honeyaml/graphs/contributors)
 * [honeypots](https://github.com/qeeqbox/honeypots/graphs/contributors)
 * [honeytrap](https://github.com/armedpot/honeytrap/graphs/contributors)
 * [ipphoney](https://gitlab.com/bontchev/ipphoney/-/project_members)

diff --git a/compose/llm.yml b/compose/llm.yml
@@ -46,8 +46,6 @@ services:
     depends_on:
       tpotinit:
         condition: service_healthy
-#    cpu_count: 1
-#    cpus: 0.25
     networks:
      - beelzebub_local
     ports:
@@ -74,8 +72,6 @@ services:
     depends_on:
       tpotinit:
         condition: service_healthy
-#    cpu_count: 1
-#    cpus: 0.25
     networks:
      - galah_local
     ports:

diff --git a/compose/mac_win.yml b/compose/mac_win.yml
@@ -10,9 +10,11 @@ networks:
   dionaea_local:
   elasticpot_local:
   heralding_local:
+  honeyaml_local:
   ipphoney_local:
   mailoney_local:
   medpot_local:
+  miniprint_local:
   redishoneypot_local:
   sentrypeer_local:
   suricata_local:
@@ -269,6 +271,22 @@ services:
     volumes:
      - ${TPOT_DATA_PATH}/heralding/log:/var/log/heralding
 
+# Honeyaml service
+  honeyaml:
+    container_name: honeyaml
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - honeyaml_local
+    ports:
+      - "3000:8080"
+    image: ${TPOT_REPO}/honeyaml:${TPOT_VERSION}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/honeyaml/log:/opt/honeyaml/log/
+
 # Ipphoney service
   ipphoney:
     container_name: ipphoney
@@ -327,6 +345,24 @@ services:
     volumes:
      - ${TPOT_DATA_PATH}/medpot/log/:/var/log/medpot
 
+# Miniprint service
+  miniprint:
+    container_name: miniprint
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - miniprint_local
+    ports:
+      - "9100:9100"
+    image: ${TPOT_REPO}/miniprint:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/miniprint/log/:/opt/miniprint/log/
+     - ${TPOT_DATA_PATH}/miniprint/uploads/:/opt/miniprint/uploads/
+
 # Redishoneypot service
   redishoneypot:
     container_name: redishoneypot

diff --git a/compose/mobile.yml b/compose/mobile.yml
@@ -14,6 +14,7 @@ networks:
   dionaea_local:
   elasticpot_local:
   heralding_local:
+  honeyaml_local:
   ipphoney_local:
   log4pot_local:
   mailoney_local:
@@ -309,6 +310,22 @@ services:
     volumes:
      - ${TPOT_DATA_PATH}/heralding/log:/var/log/heralding
 
+# Honeyaml service
+  honeyaml:
+    container_name: honeyaml
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    networks:
+     - honeyaml_local
+    ports:
+      - "3000:8080"
+    image: ${TPOT_REPO}/honeyaml:${TPOT_VERSION}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/honeyaml/log:/opt/honeyaml/log/
+
 # Honeytrap service
   honeytrap:
     container_name: honeytrap

diff --git a/compose/sensor.yml b/compose/sensor.yml
@@ -13,6 +13,7 @@ networks:
   dionaea_local:
   elasticpot_local:
   heralding_local:
+  honeyaml_local:
   ipphoney_local:
   mailoney_local:
   medpot_local:
@@ -373,6 +374,22 @@ services:
     volumes:
      - ${TPOT_DATA_PATH}/heralding/log:/var/log/heralding
 
+# Honeyaml service
+  honeyaml:
+    container_name: honeyaml
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - honeyaml_local
+    ports:
+      - "3000:8080"
+    image: ${TPOT_REPO}/honeyaml:${TPOT_VERSION}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/honeyaml/log:/opt/honeyaml/log/
+
 # Honeytrap service
   honeytrap:
     container_name: honeytrap

diff --git a/compose/standard.yml b/compose/standard.yml
@@ -13,6 +13,7 @@ networks:
   dionaea_local:
   elasticpot_local:
   heralding_local:
+  honeyaml_local:
   ipphoney_local:
   mailoney_local:
   medpot_local:
@@ -341,6 +342,22 @@ services:
     volumes:
      - ${TPOT_DATA_PATH}/elasticpot/log:/opt/elasticpot/log
 
+# Honeyaml service
+  honeyaml:
+    container_name: honeyaml
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - honeyaml_local
+    ports:
+      - "3000:8080"
+    image: ${TPOT_REPO}/honeyaml:${TPOT_VERSION}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/honeyaml/log:/opt/honeyaml/log/
+
 # Heralding service
   heralding:
     container_name: heralding

diff --git a/compose/tpot_services.yml b/compose/tpot_services.yml
@@ -21,6 +21,7 @@ networks:
   go-pot_local:
   hellpot_local:
   heralding_local:
+  honeyaml_local:
   honeypots_local:
   ipphoney_local:
   log4pot_local:
@@ -515,6 +516,22 @@ services:
     volumes:
      - ${TPOT_DATA_PATH}/heralding/log:/var/log/heralding
 
+# Honeyaml service
+  honeyaml:
+    container_name: honeyaml
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - honeyaml_local
+    ports:
+      - "8080:8080"
+    image: ${TPOT_REPO}/honeyaml:${TPOT_VERSION}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/honeyaml/log:/opt/honeyaml/log/
+
 # Honeypots service
   honeypots:
     container_name: honeypots

diff --git a/doc/architecture.png b/doc/architecture.png
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -13,6 +13,7 @@ networks:
   dionaea_local:
   elasticpot_local:
   heralding_local:
+  honeyaml_local:
   ipphoney_local:
   mailoney_local:
   medpot_local:
@@ -341,6 +342,22 @@ services:
     volumes:
      - ${TPOT_DATA_PATH}/elasticpot/log:/opt/elasticpot/log
 
+# Honeyaml service
+  honeyaml:
+    container_name: honeyaml
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - honeyaml_local
+    ports:
+      - "3000:8080"
+    image: ${TPOT_REPO}/honeyaml:${TPOT_VERSION}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/honeyaml/log:/opt/honeyaml/log/
+
 # Heralding service
   heralding:
     container_name: heralding
@@ -405,7 +422,8 @@ services:
     networks:
      - ipphoney_local
     ports:
-     - "631:631"
+     - "631:631/udp"
+     - "631:631/tcp"
     image: ${TPOT_REPO}/ipphoney:${TPOT_VERSION}
     pull_policy: ${TPOT_PULL_POLICY}
     read_only: true

diff --git a/docker/_builder/docker-compose.yml b/docker/_builder/docker-compose.yml
@@ -162,6 +162,15 @@ services:
       context: ../heralding/
       <<: *common-build
 
+# Honeyaml
+  honeyaml:
+    image: ${TPOT_DOCKER_REPO}/honeyaml:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/honeyaml:${TPOT_VERSION}
+      context: ../honeyaml/
+      <<: *common-build
+
 # Honeypots
   honeypots:
     image: ${TPOT_DOCKER_REPO}/honeypots:${TPOT_VERSION}

diff --git a/docker/elk/logstash/dist/http_output.conf b/docker/elk/logstash/dist/http_output.conf
@@ -133,6 +133,13 @@ input {
     type => "Heralding"
   }
 
+# Honeyaml
+  file {
+    path => ["/data/honeyaml/log/honeyaml.log"]
+    codec => json
+    type => "Honeyaml"
+  }
+
 # Honeypots
   file {
     path => ["/data/honeypots/log/*.log"]
@@ -540,6 +547,13 @@ filter {
     }
   }
 
+# Honeyaml
+  if [type] == "Honeyaml" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+  }
+
 # Honeypots
   if [type] == "Honeypots" {
     date {

diff --git a/docker/elk/logstash/dist/logstash.conf b/docker/elk/logstash/dist/logstash.conf
@@ -133,6 +133,13 @@ input {
     type => "Heralding"
   }
 
+# Honeyaml
+  file {
+    path => ["/data/honeyaml/log/honeyaml.log"]
+    codec => json
+    type => "Honeyaml"
+  }
+
 # Honeypots
   file {
     path => ["/data/honeypots/log/*.log"]
@@ -540,6 +547,13 @@ filter {
     }
   }
 
+# Honeyaml
+  if [type] == "Honeyaml" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+  }
+
 # Honeypots
   if [type] == "Honeypots" {
     date {

diff --git a/docker/elk/map/Dockerfile b/docker/elk/map/Dockerfile
@@ -13,7 +13,7 @@ RUN apk --no-cache -U add \
 # Install from GitHub and setup
     mkdir -p /opt && \
     cd /opt/ && \
-    git clone https://github.com/t3chn0m4g3/t-pot-attack-map -b 2.2.4 && \
+    git clone https://github.com/t3chn0m4g3/t-pot-attack-map -b 2.2.5 && \
     cd t-pot-attack-map && \
     pip3 install --break-system-packages --upgrade pip && \
     pip3 install --break-system-packages -r requirements.txt && \

diff --git a/docker/go-pot/Dockerfile b/docker/go-pot/Dockerfile
@@ -22,6 +22,8 @@ addgroup -g 2000 go-pot
 adduser -S -s /bin/ash -u 2000 -D -g 2000 go-pot
 EOF
 #
+STOPSIGNAL SIGINT
+USER go-pot:go-pot
 WORKDIR /opt/go-pot
 CMD ["start", "--host", "0.0.0.0", "--config-file", "config.yml"]
 ENTRYPOINT ["./go-pot"]