foospidy / honeypy

A low to medium interaction honeypot.

License: GNU General Public License v2.0

Python 99.02% Shell 0.75% Makefile 0.23%
python honeypot honeypy twisted

honeypy's Introduction

HoneyPy 🍯


A low interaction honeypot with the capability to be more of a medium interaction honeypot.


Description

HoneyPy is written in Python2 and is intended to be easy to:

  • install and deploy
  • extend with plugins and loggers
  • run with custom configurations

Feel free to follow the QuickStart Guide to dive in directly. The main documentation can be found at the HoneyPy Docs site.

Live HoneyPy data gets posted to:

Leave an issue or feature request! Use the GitHub issue tracker to tell us what's on your mind.

Pull requests are welcome! If you would like to create new plugins or improve existing ones, please do.

NOTE: HoneyPy has primarily been tested and run on Debian and Ubuntu using Python 2.7.9.

Overview

HoneyPy comes with a lot of plugins included. The level of interaction is determined by the functionality of the used plugin. Plugins can be created to emulate UDP or TCP based services to provide more interaction. All activity is logged to a file by default, but posting honeypot activity to Twitter or a web service endpoint can be configured as well.

Examples:

  • Plugins:

    • ElasticSearch
    • SIP
    • etc.
  • Loggers:

    • HoneyDB
    • Twitter
    • etc.

honeypy's People

Contributors

aancw, adanalvarez, alfonsocaponi, ameygat, foospidy, hutchris, kkusch, martiningesen, mattjoyce, noah04, peralp, phillip-sigsci, rogofsky, slavaganzin


honeypy's Issues

TelnetUnix plugin

I've an issue starting the TelnetUnix plugin.
My etc/services.cfg

[Telnet]
plugin = TelnetDebian7
low_port = tcp:23
port = tcp:10009
description = Emulate Debian telnet login vai tcp.
enabled = No

[TelnetUnix]
plugin = TelnetUnix
low_port = tcp:23
port = tcp:10009
description = Emulate Unix telnet login vai tcp.
enabled = Yes

python Honey.py
Your service configuration suggests that you want to run on at least one low port!
To enable port redirection run the following ipt-kit (https://github.com/foospidy/ipt-kit) commands as root:

./ipt_set_tcp 7 10007
./ipt_set_udp 7 10007
./ipt_set_tcp 8 10008
./ipt_set_udp 8 10008
Traceback (most recent call last):
  File "Honey.py", line 78, in <module>
    plugin = importlib.import_module(plugin_module)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/root/HoneyPy/plugins/TelnetUnix/__init__.py", line 5, in <module>
    from TelnetUnix import pluginFactory
  File "/root/HoneyPy/plugins/TelnetUnix/TelnetUnix.py", line 11, in <module>
    from clilib import *
  File "/usr/local/lib/python2.7/dist-packages/clilib-0.0.0-py2.7.egg/clilib/__init__.py", line 14, in <module>
    from clilib import *
  File "/usr/local/lib/python2.7/dist-packages/clilib-0.0.0-py2.7.egg/clilib/clilib.py", line 10, in <module>
    from unix import *
ImportError: No module named unix

Elasticsearch Kibana date time parsing

The date_time field is in the wrong format for kibana to automatically format as a date. It will consequently only use the date field for datetime and all docs end up being displayed as occurring at the same time.

I managed to work around this by modifying the lib/honeypy_elasticsearch.py file. I added "from datetime import datetime" and added this line within the post_elasticsearch function:

date_time = datetime.strptime(date_time,"%Y-%m-%d %H:%M:%S").isoformat()

Allow for different styles of data/timestamp

We're using a different date/timestamp format to the default provided by HoneyPy, which has meant some rejigging of the logger code local to us. It's horrible and I'll never submit it back.

It would be good if we could find a way to support multiple types of date/timestamp format.

The default: %Y-%m-%d %H:%M:%S,%L,%z && "%Y-%m-%d %H:%M:%S,%f,"
ours: %Y-%m-%dT%H:%M:%S,%L,%z && "%Y-%m-%dT%H:%M:%S,%f,"

The problem comes when we call honeypy_logtail.py and it uses the split function on the logline. In my example above we have replaced the space with a 'T' character, so the logger's element ordering is knocked off.

My thinking is rather than fix for just this use case we should fix in a format agnostic way.
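The two issues above (Kibana not recognising the date_time field, and honeypy_logtail.py breaking when the timestamp separator is a 'T') have the same root cause: the logger positions fields by splitting on whitespace, so the timestamp's own separator decides the element ordering. The following is an added example, not HoneyPy code, written in Python 3 rather than the project's Python 2. It matches the timestamp with one regular expression that accepts either separator, emits it as ISO 8601 (the form Elasticsearch's default date detection accepts, and the form the first reporter produced with isoformat()), and only then splits the remainder. The sample lines are constructed; the fields after the microseconds are a placeholder and do not reproduce HoneyPy's real log layout.

```python
import re
from datetime import datetime

# Constructed sample lines (not real HoneyPy output). The first uses the
# default "%Y-%m-%d %H:%M:%S,%f," prefix named in the issue, the second the
# reporter's 'T'-separated variant. Everything after the microseconds is a
# placeholder layout used only to show that field ordering stays intact.
SAMPLE_LINES = [
    "2019-03-04 10:11:12,000123, Echo tcp 7 CONNECT 198.51.100.7 51234",
    "2019-03-04T10:11:13,000456, Echo tcp 7 RX 198.51.100.7 51234 68656c6c6f",
]

# One pattern for both timestamp styles: the separator is a character class,
# so the parser does not care which one a deployment has configured.
_TS_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})[ T]"
    r"(?P<time>\d{2}:\d{2}:\d{2}),(?P<usec>\d+),"
    r"(?P<rest>.*)$"
)


def parse_line(line):
    """Return {'date_time': ISO-8601 string, 'fields': [...]} for one log line.

    Raises ValueError on a line that does not start with a recognised
    timestamp, so callers can decide whether to skip or alert on it.
    """
    m = _TS_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised log line: %r" % line)
    ts = datetime.strptime(
        "%s %s" % (m.group("date"), m.group("time")), "%Y-%m-%d %H:%M:%S"
    ).replace(microsecond=int(m.group("usec")))
    # Only the remainder is whitespace-split, so the timestamp separator can
    # no longer shift the position of every later field.
    return {"date_time": ts.isoformat(), "fields": m.group("rest").split()}


def normalise(lines):
    """Parse a batch of lines; malformed lines are counted, not fatal."""
    parsed, rejected = [], 0
    for line in lines:
        try:
            parsed.append(parse_line(line))
        except ValueError:
            rejected += 1
    return parsed, rejected


if __name__ == "__main__":
    events, bad = normalise(SAMPLE_LINES)
    for e in events:
        print(e["date_time"], e["fields"])
    print("rejected:", bad)
```

A logger built this way sends Kibana a value it can map as a date without any per-format branch in the tail code, and the rejected count gives an operator a signal when a log format changes under them instead of silently mis-ordered fields.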

Allow for Twitter "Collections" instead of only tweets

I really like the Tweet option so we can share with our community what our honeypot sees, though I also don't want it to flood my timeline and over take normal communications.

Twitter offers "Collections", which are curated groups of related Tweets, all gathered under one URL. Twitter provides this as an example of a Collection

TL;DR:

  • It would be great if users could create a Collection and have HoneyPy send their Tweets to that collection so all honeypot related info is available in one space for users.
  • Or maybe even all Twitter contributing HoneyDB users could have their tweets added to the same collection so it is a single point for all output from HoneyDB/HoneyPy instances.

Thoughts @foospidy? :)

Relevant API calls:

Splunk logger

Adding an option for sending HoneyPy logs to a Splunk instance would be fantastic :)

Splunk handles json well by default so I imagine a modification of the file logger would do the trick.

Here's an example of sending json to Splunk using their HTTP Event Collector (basically an endpoint that accepts input data) https://www.garysieling.com/blog/send-json-data-splunk-cloud-python. Only additional data that would need to be added is the Splunk host, index, source, and sourcetype - which could be specified in the config file

Add a white-list for local scanners

Provide a new option, in the main honeypy config section, to specify a list of ip addresses.
If a service is probed by one of these white-listed IPs, logging is suppressed.

This will help organisations which use vulnerability scanners such as Nessus, or Security Center from generating false positives every scan.
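The suppression described in this request is straightforward to implement with the standard library. The following is an added example in Python 3, not HoneyPy code; the option name and the config value are constructed, and the event dictionaries are a placeholder shape rather than HoneyPy's real event structure. It accepts both single addresses and CIDR ranges, so a scanner subnet can be listed once, and it never suppresses an event whose source address fails to parse.

```python
import ipaddress

# Constructed config value for the proposed option (name is hypothetical).
# Single addresses and CIDR ranges are both accepted so a scanner pool can be
# listed as one network instead of one line per scanner.
WHITELIST_OPTION = "10.0.0.5, 192.168.1.0/24, 2001:db8::10"

# Constructed events in a placeholder shape; only remote_ip matters here.
SAMPLE_EVENTS = [
    {"service": "Echo", "remote_ip": "10.0.0.5", "event": "CONNECT"},
    {"service": "Echo", "remote_ip": "192.168.1.77", "event": "CONNECT"},
    {"service": "Echo", "remote_ip": "203.0.113.9", "event": "CONNECT"},
]


def parse_whitelist(value):
    """Turn the comma-separated option into a list of ip_network objects.

    strict=False lets a bare host address become a /32 (or /128) network,
    so membership tests below work uniformly for hosts and ranges.
    """
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_whitelisted(remote_ip, nets):
    """True only when remote_ip parses and falls inside a listed network."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        # An address we cannot parse is never treated as trusted; keep the log.
        return False
    return any(addr in net for net in nets)


def filter_events(events, nets):
    """Return the events that should still be logged."""
    return [e for e in events if not is_whitelisted(e["remote_ip"], nets)]


if __name__ == "__main__":
    nets = parse_whitelist(WHITELIST_OPTION)
    for e in filter_events(SAMPLE_EVENTS, nets):
        print(e)
```

One design point worth keeping in mind when wiring this in: dropping the events entirely means a probe that spoofs or originates from a scanner's address is invisible to the honeypot, so marking the events as scanner traffic and routing them to a separate, lower-priority log is a safer default than discarding them.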

Setup issues

I attempted to install by downloading version 0.5.2 and running it. I also tried using the HoneyPyPi script, and in both cases I am getting the same issues when running it following the initial setup:

./ipt_set_tcp 7 10007
./ipt_set_udp 7 10007
./ipt_set_tcp 8 10008
./ipt_set_udp 8 10008
Traceback (most recent call last):
  File "Honey.py", line 113, in <module>
    plugin                   = importlib.import_module(plugin_module)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/opt/HoneyPy-0.5.2/plugins/TelnetUnix/__init__.py", line 5, in <module>
    from TelnetUnix import pluginFactory
  File "/opt/HoneyPy-0.5.2/plugins/TelnetUnix/TelnetUnix.py", line 11, in <module>
    from clilib import *
ImportError: No module named clilib

Allow service profiles to be combined

Just wondering how much interest there would be in being able to activate multiple service profiles.
This would enable combining base services with functional services, such as WindowsServer+MSSQL, Linux+Apache+MYSQL.

The approaches I have thought about are:
1 - stop using services.cfg and list the active service profiles in honey.cfg
Honey.py can iterate through the described services
this would allow for service profiles to be commented in/out pretty easy

[Services]
services.windows.profile
services.mssql.profile
//service.foo.profile

2 - stop using service.cfg and instead use a folder etc/active
Honey.py can read any file in etc/active, this would allow for symlinks from etc/profile

introduce "quickstart" in top-level README.md

What do you think about introducing a quickstart section in the project's README.md? Something like:

git clone [...]
cd [...]
pipenv install && pipenv run ./Honey.py

.. with some additional words of explanation?

Improve exception handling in log triage

Need to improve exception handling or log messages that get parsed by honeypy_log_triage.py.

Example log message that ends up in tweets:

>>> line="        details: {u'errors': [{u'message': u'User is over daily status update limit.', u'code': 185}]}"
>>> parts=line.split()
>>> pprint.pprint(parts)
['details:',
 "{u'errors':",
 "[{u'message':",
 "u'User",
 'is',
 'over',
 'daily',
 'status',
 'update',
 "limit.',",
 "u'code':",
 '185}]}']

Temporary "hacky" fix in this commit https://github.com/foospidy/HoneyPy/commit/e68d84e243d4cac7e837e711730f866eef6aecb9
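The split() output quoted above shows why whitespace tokenising breaks triage: the payload after "details:" is the Python repr of an API response, and its message text contains spaces. The following is an added example, not HoneyPy code, in Python 3 (the u'...' string prefix in the logged repr is still valid literal syntax there). It splits once on the key/value separator, then recovers the structure with ast.literal_eval, which evaluates literals only and never executes code from the log. The sample line is constructed in the shape the issue quotes.

```python
import ast

# Constructed sample in the shape quoted in the issue: a "details:" key
# followed by the repr of the Twitter API error response.
SAMPLE_LINE = (
    "        details: {u'errors': [{u'message': "
    "u'User is over daily status update limit.', u'code': 185}]}"
)


def triage_details(line):
    """Return the parsed details payload, or None if the line is not one.

    partition() splits on the first ':' only, so the value keeps its spaces;
    ast.literal_eval accepts dicts, lists, strings and numbers and rejects
    anything else, which is what we want for text that came from a log.
    """
    key, sep, value = line.strip().partition(":")
    if not sep or key.strip() != "details":
        return None
    try:
        return ast.literal_eval(value.strip())
    except (ValueError, SyntaxError):
        # Not a literal (e.g. a truncated line or free text): leave it to the
        # caller rather than raising out of the triage loop.
        return None


def twitter_error_codes(line):
    """Extract the numeric error codes from a details line, if any."""
    details = triage_details(line)
    if not isinstance(details, dict):
        return []
    return [
        err.get("code")
        for err in details.get("errors", [])
        if isinstance(err, dict) and "code" in err
    ]


if __name__ == "__main__":
    print(triage_details(SAMPLE_LINE))
    print(twitter_error_codes(SAMPLE_LINE))
```

Once the codes are available as integers, the triage script can decide per code (rate limit, duplicate status, and so on) instead of pattern-matching on fragments of the message text.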

📚 improve developer documentation 💻

I would like to improve the developer documentation and got something like this in mind:

  • provide a boilerplate for a new plugin
  • provide a boilerplate for a new logger
  • explain development of both step by step (like how it's done in the Plugins section already)

What do you think? Is there something else to include?

Furthermore: Is there any information on how to build loggers already? If yes, where can I find it?

Regards and thanks for accepting my last pull-request,
Noah 🚀

TelnetDebian7 issues

I'm using the "TelnetDebian7" plugin with the latest version of HoneyPy on Ubuntu 14.04.2 LTS (twistd 13.2.0). I've two issues:

  1. the client needs to send a "carriage return" to start the session;
  2. after the "exit" command execution the prompt is printed:

admin$ exit
admin$ Connection closed by foreign host.

Reorganizing logger directory

I would like to start the discussion around reorganizing the /lib/ directory to be more like the plugins directory.

  • /
    • /lib/
      • __init__.py
      • honeypy_console.py
      • honeypy_twitter.py
      • ...
    • /plugins/
      • __init__.py
      • /Echo/
        • Echo.py
      • /Random/
        • Random.py
      • ...

I suggest using the same directory structure as /plugins/, eg:

  • /
    • /loggers/
      • __init__.py
      • /console/
        • honeypy_console.py
      • /twitter/
        • honeypy_twitter.py
      • ...
    • /plugins/
      • __init__.py
      • /Echo/
        • Echo.py
      • /Random/
        • Random.py
      • ...

Pros:

  • More descriptive folder name/structure
  • Ability to organize files by loggers
  • Ability to add README and other documentation to the loggers, without cluttering the /lib/ folder.

Cons:

  • More folders

I can make this into a pull request if this is of interest. Please comment and give feedback on this.

Allow honeypot output to be sent to CSIRTG feeds

https://www.csirtg.io is a service where users can create Feeds and submit their honeypot IOCs or otherwise curated IOC data, other users can subscribe to feeds, query them, etc.

Having an output to optionally submit HoneyPy activity to a user's specific CSIRTG.io feed would be awesome.

Sort of a similar idea to the Twitter Collections ticket, except csirtg is meant for creating shareable threat feeds :)

Some more info here on them:

No new connections

Today my log filled-up with:

[plugins.HashCountRandom.HashCountRandom.pluginFactory] Could not accept new connection (EMFILE)

Some suggest raising the ulimit or sysctl limits, but queueing requests until resources become available... Any suggestions for the best fix?

Refactoring logtail idea

honeypy_logtail currently requires editing to incorporate new loggers.
An alternate approach would be to iterate through each section in honeypy.cfg, and pass the line and the relevant section options to a function residing in loggers.

This would keep all the loggers code in the loggers folder.
I'd be happy to work on this if it is a useful change.

Line 83 Syntax error

I've tried using HoneyPy on my RaspberryPi, with the following command:

python3 Honey.py (you can see the screenshot I took: http://imgur.com/O19QdEY)

I don't know what the problem is; I'm not used to Python, but I checked the code and found nothing.

Python 3.x support

On January 1st 2020 Python 2.7 will reach EOL and pip will also drop Py2.7 support. Are you planning on upgrading to Python 3.x?

twisted.protocols.telnet got deprecated.

Since Twisted version 17.1.0 released in February 2017, twisted.protocols.telnet got removed in favor of twisted.conch.telnet.

So now, upon trying to launch HoneyPy with a newer version of Twisted, we are welcomed with:

Traceback (most recent call last):
  File "Honey.py", line 121, in <module>
    plugin = importlib.import_module(plugin_module)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/usr/share/honeypy-git/plugins/TelnetUnix/__init__.py", line 5, in <module>
    from TelnetUnix import pluginFactory
  File "/usr/share/honeypy-git/plugins/TelnetUnix/TelnetUnix.py", line 10, in <module>
    from twisted.protocols.telnet import *
ImportError: No module named telnet

Riskdiscovery.com having issues

Looks like riskdiscovery is having issues with submissions. I have disabled it in my config for the time being since it appears to cause the honeypot to lock up.

HoneyDB tab link not working?

I aggressively queried the address and an IP close to mine appeared on the Twitter bot.
Checking the HoneyDB page, I can't get to the Firyx report page: does the Firyx tab link work?
