honeytrap logo


Latest Release

Version 1.0.0: Revised configuration concept with more flexible module handling, analysis plugins can now create virtual attacks, 3 new plugins.


Honeytrap source packages are available from the sourceforge download repositories.

Powered by Sourceforge

SourceForge.net Logo

honeytrap – A Dynamic Meta-Honeypot Daemon

Honeytrap is a low-interaction honeypot daemon for observing attacks against network services. In contrast to other honeypots, which often focus on malware collection, honeytrap aims for catching the initial exploit – It collects and further processes attack traces.
Being able to process unknown attacks means that no pre-knowledge about a protocol or vulnerability can be used. However an incoming connection has to be handled in a meaningful manner. Honeytrap implements a dynamic server concept: for this purpose: It monitors the network stream for incoming sessions and starts aproppriate listeners just in time. Each listener can handle multiple connections and terminates itself after some idle time.
Below is the output of honeytrap 1.1.0 (svn version):
honeytrap v1.1.0 - Initializing.
Loading plugin magicPE v0.0.1
Loading plugin ftpDownload v0.5.3
Loading plugin tftpDownload v0.4.1
Loading plugin b64Decode v0.3.1
Loading plugin vncDownload v0.3
Loading plugin SaveFile v0.2.1
Loading plugin submitPostgres v0.1.1
Servers will run as user honeytrap (1004).
Servers will run as group nogroup (65534).
Loading default responses.
Connections will be handled in mirror mode by default.
Logging to /opt/honeytrap/honeytrap.log.
Initialization complete.

honeytrap v1.1.0 Copyright (C) 2005-2008 Tillmann Werner 
[2009-04-10 16:33:56] ---- Trapping attacks via NFQ. ----
[2009-04-10 16:34:11] ---- honeytrap stopped ----
Incoming data is handled as byte stream per session. This stream can be processed with different modules, e.g., for matching against certain patterns, decoding (for example base64 or XOR-ed shellcode), virus scanning, or execution of malware download commands.