Summary
Add honeypot functionality to vt that captures and logs all interactions with vulnerable environments for analysis and research purposes.
Motivation
Security researchers and educators often want to:
- Study attacker behavior and techniques
- Collect attack samples and payloads
- Understand exploitation patterns
- Generate threat intelligence data
Proposed Features
1. Logging Infrastructure
| Log Type | Description |
| --- | --- |
| HTTP Requests | Full request/response logging (headers, body, params) |
| Network Traffic | TCP/UDP connection logs, payload capture |
| Command Execution | Shell commands attempted via RCE vulnerabilities |
| File Access | File read/write attempts, uploads |
| Authentication | Login attempts, credentials used |
2. CLI Interface
```bash
# Start a template in honeypot mode
vt start --id vt-dvwa --honeypot

# Start with custom log directory
vt start --id vt-dvwa --honeypot --log-dir /var/log/vt-honeypot

# View honeypot logs
vt logs --id vt-dvwa

# Export logs in various formats
vt logs --id vt-dvwa --format json > attacks.json
vt logs --id vt-dvwa --format csv > attacks.csv
```
3. Log Storage Options
- File-based: JSON/CSV files per session
- SQLite: Local database for querying
- Syslog: Forward to external SIEM systems
4. Log Format (JSON)
```json
{
  "timestamp": "2025-01-06T10:30:00Z",
  "template_id": "vt-dvwa",
  "session_id": "abc123",
  "event_type": "http_request",
  "source_ip": "192.168.1.100",
  "data": {
    "method": "POST",
    "path": "/vulnerabilities/sqli/",
    "headers": {...},
    "body": "id=1' OR '1'='1",
    "response_code": 200
  }
}
```
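To make the storage and export options concrete, here is an added illustration (not vt project code) that validates a record in the JSON format above, stores it in SQLite as described under "Log Storage Options", and renders it as JSON or CSV the way `vt logs --format` would. The SQLite schema, the function names, and the event-type names other than `http_request` are assumptions; the sample record is the one from this proposal, with a constructed header.

```python
"""Validate, store and export honeypot events in the proposal's JSON format.

Added illustration, not vt project code. The SQLite schema, the function
names, and the event-type names other than "http_request" are assumptions.
"""
import csv
import io
import ipaddress
import json
import sqlite3
from datetime import datetime
from typing import Optional

REQUIRED_FIELDS = ("timestamp", "template_id", "session_id",
                   "event_type", "source_ip", "data")
# "http_request" comes from the proposal's sample; the rest are assumed names
# for the other rows of the Logging Infrastructure table.
EVENT_TYPES = {"http_request", "network", "command", "file_access", "auth"}

# Constructed sample record (the proposal's example, with a constructed header).
SAMPLE_EVENT = {
    "timestamp": "2025-01-06T10:30:00Z",
    "template_id": "vt-dvwa",
    "session_id": "abc123",
    "event_type": "http_request",
    "source_ip": "192.168.1.100",
    "data": {
        "method": "POST",
        "path": "/vulnerabilities/sqli/",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": "id=1' OR '1'='1",
        "response_code": 200,
    },
}


def validate_event(event: dict) -> dict:
    """Return the event unchanged if it matches the schema, else raise ValueError."""
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    # fromisoformat() only accepts a trailing "Z" on 3.11+, so normalise it.
    datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
    if event["event_type"] not in EVENT_TYPES:
        raise ValueError(f"unknown event_type: {event['event_type']!r}")
    ipaddress.ip_address(event["source_ip"])  # ValueError on a malformed address
    if not isinstance(event["data"], dict):
        raise ValueError("data must be a JSON object")
    return event


class HoneypotStore:
    """SQLite-backed store (assumed schema) for the 'Log Storage Options' section."""

    def __init__(self, path: str = ":memory:"):
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            """CREATE TABLE IF NOT EXISTS events (
                   id INTEGER PRIMARY KEY,
                   timestamp TEXT NOT NULL, template_id TEXT NOT NULL,
                   session_id TEXT NOT NULL, event_type TEXT NOT NULL,
                   source_ip TEXT NOT NULL, data TEXT NOT NULL)""")

    def insert(self, event: dict) -> int:
        e = validate_event(event)
        cur = self.conn.execute(
            "INSERT INTO events (timestamp, template_id, session_id, event_type,"
            " source_ip, data) VALUES (?, ?, ?, ?, ?, ?)",
            (e["timestamp"], e["template_id"], e["session_id"], e["event_type"],
             e["source_ip"], json.dumps(e["data"], sort_keys=True)))
        self.conn.commit()
        return cur.lastrowid

    def query(self, template_id: str, event_type: Optional[str] = None) -> list:
        """Return matching events as dicts, with the nested data decoded again."""
        sql = ("SELECT timestamp, template_id, session_id, event_type, source_ip, data"
               " FROM events WHERE template_id = ?")
        params = [template_id]
        if event_type:
            sql += " AND event_type = ?"
            params.append(event_type)
        rows = self.conn.execute(sql + " ORDER BY id", params).fetchall()
        return [dict(zip(REQUIRED_FIELDS, (*r[:5], json.loads(r[5])))) for r in rows]

    def export(self, template_id: str, fmt: str) -> str:
        """Mirror `vt logs --format json|csv`: render matching events as text."""
        events = self.query(template_id)
        if fmt == "json":
            return json.dumps(events, indent=2)
        if fmt == "csv":
            buf = io.StringIO()
            writer = csv.DictWriter(buf, fieldnames=REQUIRED_FIELDS)
            writer.writeheader()
            for e in events:  # nested data stays one JSON string per cell
                writer.writerow({**e, "data": json.dumps(e["data"], sort_keys=True)})
            return buf.getvalue()
        raise ValueError(f"unsupported format: {fmt}")
```

Validating before insert matters more for a honeypot than for ordinary logging: the fields come straight from hostile input, so rejecting malformed records early keeps the export path (and any SIEM fed by it) from choking on them.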
5. Template Configuration
Add optional honeypot config to index.yaml:
```yaml
honeypot:
  enabled: true
  log_level: detailed  # minimal, standard, detailed
  capture:
    - http
    - network
    - commands
  alerts:
    - type: slack
      webhook: ${SLACK_WEBHOOK}
```
Implementation Considerations
- Privacy: Add warnings about legal implications of running honeypots
- Performance: Logging should be non-blocking
- Storage: Implement log rotation and size limits
- Security: Ensure honeypot isolation from host system
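The "Performance" and "Storage" points above are the two that shape the logging code path, so here is an added illustration (not vt project code) of how they can be met together with the standard library: a `QueueHandler` so the request-handling path only enqueues and never waits on disk, a background `QueueListener` that drains the queue, and a `RotatingFileHandler` that enforces the size limit and keeps a fixed number of rotated files. The class and function names, the file name `events.jsonl`, the limits, and the records written by `demo()` are all assumptions or constructed.

```python
"""Non-blocking, size-limited JSON-lines logging for honeypot events.

Added illustration, not vt project code. Names (HoneypotLogger, write_event,
demo), the events.jsonl file name and the default limits are assumptions.
"""
import json
import logging
import logging.handlers
import os
import queue
import tempfile


class HoneypotLogger:
    def __init__(self, log_dir: str, max_bytes: int = 4096, backup_count: int = 3):
        os.makedirs(log_dir, exist_ok=True)
        self.log_dir = log_dir
        self.path = os.path.join(log_dir, "events.jsonl")
        # Storage: rotate at max_bytes, keep events.jsonl.1 .. .<backup_count>,
        # so disk use is bounded no matter how noisy an attacker is.
        self._file_handler = logging.handlers.RotatingFileHandler(
            self.path, maxBytes=max_bytes, backupCount=backup_count)
        self._file_handler.setFormatter(logging.Formatter("%(message)s"))
        # Performance: the caller only puts a record on an in-memory queue;
        # a listener thread does the file I/O.
        self._queue = queue.Queue()
        self._logger = logging.getLogger(f"vt.honeypot.{id(self)}")
        self._logger.setLevel(logging.INFO)
        self._logger.propagate = False
        self._logger.handlers.clear()
        self._logger.addHandler(logging.handlers.QueueHandler(self._queue))
        self._listener = logging.handlers.QueueListener(self._queue, self._file_handler)
        self._listener.start()

    def write_event(self, event: dict) -> None:
        # One compact JSON object per line keeps every file parseable on its own
        # even after rotation splits a session across files.
        self._logger.info(json.dumps(event, separators=(",", ":"), sort_keys=True))

    def close(self) -> None:
        self._listener.stop()  # drains remaining queued records, then joins the thread
        self._file_handler.close()

    def files(self) -> list:
        """Active file plus rotated backups, sorted by name."""
        return sorted(f for f in os.listdir(self.log_dir) if f.startswith("events.jsonl"))


def count_records(log_dir: str) -> int:
    """Count parseable JSON-lines records across the active and rotated files."""
    total = 0
    for name in os.listdir(log_dir):
        if name.startswith("events.jsonl"):
            with open(os.path.join(log_dir, name), encoding="utf-8") as fh:
                total += sum(1 for line in fh if json.loads(line))
    return total


def demo(n_events: int = 200, max_bytes: int = 4096, backup_count: int = 3) -> dict:
    """Write n_events constructed records into a fresh temp dir and report stats."""
    log_dir = tempfile.mkdtemp(prefix="vt-honeypot-")
    log = HoneypotLogger(log_dir, max_bytes=max_bytes, backup_count=backup_count)
    for i in range(n_events):
        log.write_event({  # constructed sample, shaped like the proposal's format
            "timestamp": "2025-01-06T10:30:00Z",
            "template_id": "vt-dvwa",
            "session_id": f"s{i:05d}",
            "event_type": "http_request",
            "source_ip": "192.168.1.100",
            "data": {"method": "GET", "path": f"/vulnerabilities/sqli/?id={i}",
                     "response_code": 200},
        })
    log.close()
    sizes = [os.path.getsize(os.path.join(log_dir, f)) for f in log.files()]
    return {"dir": log_dir, "files": len(sizes), "max_size": max(sizes),
            "records": count_records(log_dir)}


if __name__ == "__main__":
    print(demo())
```

The trade-off is visible in `demo()`: with a small `max_bytes` and `backup_count=3`, only the most recent few files survive and older records are discarded, which is the intended behaviour of a size cap. A production setup would choose limits that cover the retention window, or forward to syslog (the third storage option) before rotation drops anything.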
Use Cases
- Education: Students can see their own attack attempts logged
- Research: Collect real-world attack patterns
- CTF: Track participant progress and techniques
- Threat Intel: Generate IOCs from captured payloads
Related