
create honeypot #113

@dogancanbakir

Description

Summary

Add honeypot functionality to vt that captures and logs all interactions with vulnerable environments for analysis and research purposes.

Motivation

Security researchers and educators often want to:

  • Study attacker behavior and techniques
  • Collect attack samples and payloads
  • Understand exploitation patterns
  • Generate threat intelligence data

Proposed Features

1. Logging Infrastructure

Log Type           Description
HTTP Requests      Full request/response logging (headers, body, params)
Network Traffic    TCP/UDP connection logs, payload capture
Command Execution  Shell commands attempted via RCE vulnerabilities
File Access        File read/write attempts, uploads
Authentication     Login attempts, credentials used

2. CLI Interface

# Start a template in honeypot mode
vt start --id vt-dvwa --honeypot

# Start with custom log directory
vt start --id vt-dvwa --honeypot --log-dir /var/log/vt-honeypot

# View honeypot logs
vt logs --id vt-dvwa

# Export logs in various formats
vt logs --id vt-dvwa --format json > attacks.json
vt logs --id vt-dvwa --format csv > attacks.csv

3. Log Storage Options

  • File-based: JSON/CSV files per session
  • SQLite: Local database for querying
  • Syslog: Forward to external SIEM systems

4. Log Format (JSON)

{
  "timestamp": "2025-01-06T10:30:00Z",
  "template_id": "vt-dvwa",
  "session_id": "abc123",
  "event_type": "http_request",
  "source_ip": "192.168.1.100",
  "data": {
    "method": "POST",
    "path": "/vulnerabilities/sqli/",
    "headers": {...},
    "body": "id=1' OR '1'='1",
    "response_code": 200
  }
}

5. Template Configuration

Add optional honeypot config to index.yaml:

honeypot:
  enabled: true
  log_level: detailed  # minimal, standard, detailed
  capture:
    - http
    - network
    - commands
  alerts:
    - type: slack
      webhook: ${SLACK_WEBHOOK}

Implementation Considerations

  • Privacy: Add warnings about legal implications of running honeypots
  • Performance: Logging should be non-blocking
  • Storage: Implement log rotation and size limits
  • Security: Ensure honeypot isolation from host system

Use Cases

  1. Education: Students can see their own attack attempts logged
  2. Research: Collect real-world attack patterns
  3. CTF: Track participant progress and techniques
  4. Threat Intel: Generate IOCs from captured payloads
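
The parts of this proposal that are mechanical enough to show in code, as an added example that is not code from the vt project or from this issue: a WSGI wrapper that records each request in the JSON layout of section 4, the non-blocking, size-rotated writer the implementation considerations ask for, and a reader that returns events in write order (what a `vt logs` export would consume). Every name here is an assumption made for illustration: `HoneypotLogger`, `honeypot_middleware`, `read_events`, `demo`, the `events-NNNN.jsonl` file naming, the stand-in target handler, and the constructed sample traffic (the 192.168.1.100 source and sqlmap User-Agent are made up).

```python
# Added example (not vt project code): honeypot capture for a WSGI target, backed by the
# non-blocking, size-rotated JSONL logger the issue's implementation notes ask for.
import io
import json
import os
import queue
import tempfile
import threading
from datetime import datetime, timezone

class HoneypotLogger:
    """One JSON event per line in events-NNNN.jsonl under log_dir. log() never blocks: a
    bounded queue is drained by a daemon thread, which starts a new file whenever the next
    record would push the current one past max_bytes (a file always holds >= 1 event)."""
    def __init__(self, log_dir, max_bytes=10 * 1024 * 1024, queue_size=1024):
        os.makedirs(log_dir, mode=0o700, exist_ok=True)
        self.log_dir, self.max_bytes, self.dropped = log_dir, max_bytes, 0
        self._q = queue.Queue(maxsize=queue_size)
        self._seq, self._size, self._fh = 0, 0, None
        self._rotate()
        self._thread = threading.Thread(target=self._drain, daemon=True)
        self._thread.start()

    def _rotate(self):
        if self._fh:
            self._fh.close()
        self._seq += 1
        self._fh = open(os.path.join(self.log_dir, f"events-{self._seq:04d}.jsonl"), "ab")
        self._size = 0

    def _drain(self):  # only this thread touches the file handle
        while (event := self._q.get()) is not None:
            line = (json.dumps(event, separators=(",", ":")) + "\n").encode("utf-8")
            if self._size and self._size + len(line) > self.max_bytes:
                self._rotate()
            self._fh.write(line)
            self._size += len(line)
        self._fh.close()

    def log(self, event):
        """Queue an event; a full queue drops and counts it rather than stalling the attacker's response."""
        try:
            self._q.put_nowait(event)
            return True
        except queue.Full:
            self.dropped += 1
            return False

    def close(self):
        self._q.put(None)
        self._thread.join()

def honeypot_middleware(app, logger, template_id, session_id, max_body=64 * 1024):
    """Wrap a WSGI app: copy the request body, pass the request through unchanged, then
    log method/path/headers/body/status in the JSON layout from the issue."""
    def wrapped(environ, start_response):
        raw = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
        environ["wsgi.input"] = io.BytesIO(raw)  # the target still sees the full body
        status = {}
        def capture_status(st, headers, exc_info=None):
            status["code"] = int(st.split(" ", 1)[0])
            return start_response(st, headers, exc_info)
        result = app(environ, capture_status)  # assumes a list-returning app, so status is set here
        headers = {k[5:].replace("_", "-").title(): v for k, v in environ.items() if k.startswith("HTTP_")}
        logger.log({"timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                    "template_id": template_id, "session_id": session_id,
                    "event_type": "http_request", "source_ip": environ.get("REMOTE_ADDR", ""),
                    "data": {"method": environ["REQUEST_METHOD"], "path": environ.get("PATH_INFO", "/"),
                             "headers": headers, "body": raw[:max_body].decode("utf-8", "replace"),
                             "response_code": status.get("code", 0)}})
        return result
    return wrapped

def event_files(log_dir):
    return sorted(f for f in os.listdir(log_dir) if f.startswith("events-") and f.endswith(".jsonl"))

def read_events(log_dir):
    """Decode every event file in write order (what a `vt logs` export would read)."""
    events = []
    for name in event_files(log_dir):
        with open(os.path.join(log_dir, name), encoding="utf-8") as fh:
            events.extend(json.loads(line) for line in fh if line.strip())
    return events

def demo(bodies, log_dir=None, max_bytes=10 * 1024 * 1024):
    """Push constructed POSTs through a stand-in target; returns (log_dir, logged events)."""
    log_dir = log_dir or tempfile.mkdtemp(prefix="vt-honeypot-")
    logger = HoneypotLogger(log_dir, max_bytes=max_bytes)
    def target(environ, start_response):  # stand-in for the vulnerable app, not DVWA itself
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]
    app = honeypot_middleware(target, logger, "vt-dvwa", "abc123")
    for body in bodies:  # constructed sample traffic; a real WSGI server fills REMOTE_ADDR etc.
        environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/vulnerabilities/sqli/", "REMOTE_ADDR": "192.168.1.100",
                   "CONTENT_LENGTH": str(len(body)), "HTTP_USER_AGENT": "sqlmap/1.8", "wsgi.input": io.BytesIO(body)}
        list(app(environ, lambda st, hdrs, exc_info=None: None))
    logger.close()
    return log_dir, read_events(log_dir)

if __name__ == "__main__":
    _, events = demo([b"id=1' OR '1'='1"])  # the SQLi probe from the issue's sample record
    print(json.dumps(events[0], indent=2))
```

Two design points worth carrying into a real implementation. The record is built after the wrapped app returns, so capture never sits on the response path, and a full queue drops the event instead of blocking; under a burst that loses data, but a honeypot that visibly stalls when it is logging is easier to fingerprint. The body copy is capped at `max_body` while the target still receives the full body, which keeps a multi-megabyte upload from bloating the log; note that a chunked request without Content-Length would log an empty body with this simple reader, and an app that calls `start_response` lazily from a generator would log `response_code` 0. Only the `http` capture type is covered; network and command capture need hooks outside the application layer.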
