A high-interaction deception system and adversary emulation platform. Built for deep engagement, behavioral profiling, and advanced threat intelligence gathering.
- High-Interaction Deception Environment:
  - Fake stateful SSH filesystem (`/etc`, `/var`, `/home`)
  - Realistic interactive command execution (`cd`, `ls`, `cat`, `uname`, `ps`, `netstat`)
  - Simulated delays and false privilege escalation traps
- Session-Based Engine: Tracks complete session lifecycles, grouping interactions by deterministic UUIDs for forensic replay.
- Adversary Profiling: Automatically classifies actors as `Scanner`, `Brute Forcer`, or `Manual Attacker` based on their command variance and authentication patterns.
- Threat Intelligence Integration: Automated GeoIP location tracking and AbuseIPDB support.
- Payload Capture & Replay: Every session is recorded in detail. The dashboard allows point-and-click replay of attacker transcripts.
- SOC-Grade Dashboard: Real-time metrics, interactive charts, session viewers, and live feeds.
- Data Portability: Export your entire deception database to JSON or CSV via API or Dashboard for SIEM integration.
```
Adversary --> [ SSH Emulator + Fake FS ] ----+
Adversary --> [ HTTP Catch-all Routes ] -----+---> [ Profiling Engine ] ---> [ SQLite DB ]
Adversary --> [ FTP Sandbox ] ---------------+              |                      |
                                                            v                      v
[ Web Dashboard & Replay System ] <----------------- [ REST API ] <------- [ CLI Tool ]
```
- Docker & Docker Compose
- Clone & Start:
  ```bash
  git clone https://github.com/yourusername/honeybot.git
  cd honeybot
  docker-compose up -d
  ```
- Access Dashboard: Open `http://localhost:5000` in your browser.
- Run CLI:
  ```bash
  docker-compose exec honeybot python -m src.cli --help
  ```
The deterministic CLI allows for fast forensic analysis:
| Command | Description |
|---|---|
| `show-attacks` | Display recent interactions in a table. |
| `list-ips` | List all unique attacker IPs and counts. |
| `suspicious-ips` | List IPs with HIGH or CRITICAL threats. |
| `stats` | Show overall honeypot statistics. |
| `logs` | View raw JSON-like logs with filters. |
| Endpoint | Method | Description |
|---|---|---|
| `/api/stats` | GET | Global statistics & chart data. |
| `/api/attacks` | GET | Filterable list of recent attacks. |
| `/api/ips` | GET | Adversary profiling, GeoIP, and metadata. |
| `/api/sessions` | GET | Active and historical sessions with behavior tags. |
| `/api/session/<id>` | GET | Full chronological transcript of a session. |
| `/api/export/<fmt>` | GET | Download database as json or csv. |
- Isolation: Always run within Docker.
- Sandboxing: The fake SSH filesystem and shell are strictly software-emulated Python dictionaries. No underlying OS commands are executed.
- Rate-Limiting: Simulated command delays frustrate automated scanners and add realistic texture to manual engagements.
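As an added example (not the project's own code), here is a minimal version of the dictionary-backed stateful shell the Sandboxing note describes: `cd`, `ls` and `cat` resolve paths inside a constructed dict tree, `..` cannot climb above the emulated root, unknown commands get a fake `command not found`, and every command/output pair is kept for transcript replay. The hostname, file contents and `uname` banner are constructed placeholders.

```python
import posixpath
# Constructed fake filesystem for the example: directories are dicts, files are strings.
# Added example, not the honeybot project's own code.
FAKE_FS = {
    "etc": {"hostname": "web-prod-01\n", "passwd": "root:x:0:0:root:/root:/bin/bash\n"},
    "home": {"admin": {"notes.txt": "rotate creds friday\n"}},
    "root": {},
    "var": {"log": {"auth.log": ""}},
}

class FakeShell:
    """Stateful emulated shell: every answer comes from the dict tree, never from the host OS."""
    def __init__(self, fs=FAKE_FS, cwd="/root"):
        self.fs, self.cwd = fs, cwd
        self.transcript = []  # (command, output) pairs, the raw material for session replay

    def _resolve(self, path):
        # normpath collapses '..' and cannot climb above '/', so lookups stay inside the dict
        full = posixpath.normpath(posixpath.join(self.cwd, path))
        node = self.fs
        for part in filter(None, full.split("/")):
            if not isinstance(node, dict) or part not in node:
                return full, None
            node = node[part]
        return full, node

    def _cd(self, args):
        target = args[0] if args else "/root"
        full, node = self._resolve(target)
        if not isinstance(node, dict):
            return f"bash: cd: {target}: No such file or directory"
        self.cwd = full
        return ""

    def _ls(self, args):
        target = args[0] if args else "."
        full, node = self._resolve(target)
        if node is None:
            return f"ls: cannot access '{target}': No such file or directory"
        return "  ".join(sorted(node)) if isinstance(node, dict) else posixpath.basename(full)

    def _cat(self, args):
        _, node = self._resolve(args[0]) if args else (None, None)
        return node.rstrip("\n") if isinstance(node, str) else f"cat: {' '.join(args)}: No such file or directory"

    def run(self, line):
        cmd, *args = line.split() or [""]
        handlers = {"cd": self._cd, "ls": self._ls, "cat": self._cat, "pwd": lambda a: self.cwd,
                    "uname": lambda a: "Linux web-prod-01 5.15.0-generic x86_64"}
        output = handlers[cmd](args) if cmd in handlers else f"bash: {cmd}: command not found"
        self.transcript.append((line, output))
        return output
```

Because dispatch goes through the `handlers` table and path lookup never leaves the dict, the emulator can answer a traversal attempt like `cd ../../../../etc` convincingly while the host filesystem is never touched.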