Honeypot

Package name: intrudect-honeypot

The Honeypot agent listens on the TCP or UDP ports specified in its configuration and accepts incoming connections. When a connection is detected, it sends an alert to the central web application.

Configuration

The initial example (not default) configuration for Honeypot can be created in the web application under Agents > Add new honeypot. After saving and downloading it, store the configuration on the machine running the agent at /opt/intrudect-honeypot/etc/config.json. Once in place, Honeypot will request an updated configuration from the web application every minute.

Listeners

Multiple Listener instances can be added to the Honeypot. For each listener, you must specify the IP address and the TCPPorts and UDPPorts to be monitored.

"Listeners": [
  {
    "IP": "192.168.1.2",
    "TCPPorts": [
      25,
      110,
      143
    ],
    "UDPPorts": [
      123,
      161
    ]
  }
]

Other options

"SendPCAP": true,
"SaveLocalPCAP": false,
"ExcludeSrcIP": ["192.168.1.1", "192.168.2.1"]

  • SendPCAP sends the packets received in a TCP session as a PCAP file alongside the alert.
  • SaveLocalPCAP saves the packets received in a TCP session as a local PCAP file. The file is saved as /opt/intrudect-honeypot/honeypot_<srcip>_<dstip>_<datetime>.pcap
  • ExcludeSrcIP is an array of IP addresses that are ignored by the honeypot.
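
An added example, not part of the Intrudect documentation or the agent's own code: a small Python lint that checks a config.json for mistakes before it is deployed to the agent. It assumes the fragments shown above sit together at the top level of one JSON object; lint_config, is_ip and the sample input are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample with deliberate mistakes. Assumption: the page's fragments
# sit together at the top level of one JSON object in config.json.
SAMPLE = """{
  "Listeners": [
    {"IP": "192.168.1.2", "TCPPorts": [25, 110, 143], "UDPPorts": [123, 161]},
    {"IP": "192.168.1.2", "TCPPorts": [143, 70000], "UDPPorts": []}
  ],
  "SendPCAP": true,
  "SaveLocalPCAP": "false",
  "ExcludeSrcIP": ["192.168.1.1", "192.168.2.0/24"]
}"""

def is_ip(value):
    """True only for a string holding one IPv4/IPv6 address (no CIDR, no hostname)."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def lint_config(text):
    """Return a list of problems found in a Honeypot configuration (JSON text)."""
    cfg, problems, seen = json.loads(text), [], set()
    for i, listener in enumerate(cfg.get("Listeners", [])):
        ip = listener.get("IP")
        if not is_ip(ip):
            problems.append(f"Listeners[{i}].IP: not an IP address: {ip!r}")
        for key, proto in (("TCPPorts", "tcp"), ("UDPPorts", "udp")):
            for port in listener.get(key, []):
                # bool is a subclass of int in Python, so reject it explicitly.
                if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
                    problems.append(f"Listeners[{i}].{key}: invalid port {port!r}")
                    continue
                slot = (str(ip), proto, port)  # same IP/protocol/port twice is a conflict
                if slot in seen:
                    problems.append(f"Listeners[{i}].{key}: {ip} {proto}/{port} listed twice")
                seen.add(slot)
    for key in ("SendPCAP", "SaveLocalPCAP"):  # shown on the page as JSON booleans
        if key in cfg and not isinstance(cfg[key], bool):
            problems.append(f"{key}: expected true or false, got {cfg[key]!r}")
    for entry in cfg.get("ExcludeSrcIP", []):  # page documents plain addresses only
        if not is_ip(entry):
            problems.append(f"ExcludeSrcIP: not a single IP address: {entry!r}")
    return problems
```

Connections from addresses in ExcludeSrcIP raise no alerts, so review that list whenever the configuration changes.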