Initial commit: DECNET honeypot/deception network framework

Core CLI, service plugins (SSH/SMB/FTP/HTTP/RDP), Docker Compose orchestration, MACVLAN networking, and Logstash log forwarding. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-03 18:56:25 -03:00
commit 3e98c71ca4
37 changed files with 1822 additions and 0 deletions
--- a/templates/http/Dockerfile
+++ b/templates/http/Dockerfile
@@ -0,0 +1,14 @@
+FROM debian:bookworm-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    python3 python3-pip \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN pip3 install --no-cache-dir --break-system-packages flask jinja2
+
+COPY http_honeypot.py /opt/http_honeypot.py
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+EXPOSE 80 443
+ENTRYPOINT ["/entrypoint.sh"]
--- a/templates/http/entrypoint.sh
+++ b/templates/http/entrypoint.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+set -e
+exec python3 /opt/http_honeypot.py
--- a/templates/http/http_honeypot.py
+++ b/templates/http/http_honeypot.py
@@ -0,0 +1,69 @@
+#!/usr/bin/env python3
+"""
+HTTP honeypot using Flask.
+Accepts all requests, logs every detail (method, path, headers, body),
+and responds with convincing but empty pages. Forwards events as JSON
+to LOG_TARGET if set.
+"""
+
+import json
+import os
+import socket
+from datetime import datetime, timezone
+
+from flask import Flask, request
+
+HONEYPOT_NAME = os.environ.get("HONEYPOT_NAME", "webserver")
+LOG_TARGET = os.environ.get("LOG_TARGET", "")
+
+app = Flask(__name__)
+
+
+def _forward(event: dict) -> None:
+    if not LOG_TARGET:
+        return
+    try:
+        host, port = LOG_TARGET.rsplit(":", 1)
+        with socket.create_connection((host, int(port)), timeout=3) as s:
+            s.sendall((json.dumps(event) + "\n").encode())
+    except Exception:
+        pass
+
+
+def _log(event_type: str, **kwargs) -> None:
+    event = {
+        "ts": datetime.now(timezone.utc).isoformat(),
+        "service": "http",
+        "host": HONEYPOT_NAME,
+        "event": event_type,
+        **kwargs,
+    }
+    print(json.dumps(event), flush=True)
+    _forward(event)
+
+
+@app.before_request
+def log_request():
+    _log(
+        "request",
+        method=request.method,
+        path=request.path,
+        remote_addr=request.remote_addr,
+        headers=dict(request.headers),
+        body=request.get_data(as_text=True)[:512],
+    )
+
+
+@app.route("/", defaults={"path": ""})
+@app.route("/<path:path>", methods=["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD"])
+def catch_all(path):
+    return (
+        "<html><body><h1>403 Forbidden</h1></body></html>",
+        403,
+        {"Server": "Apache/2.4.54 (Debian)", "Content-Type": "text/html"},
+    )
+
+
+if __name__ == "__main__":
+    _log("startup", msg=f"HTTP honeypot starting as {HONEYPOT_NAME}")
+    app.run(host="0.0.0.0", port=80, debug=False)