Add 20 honeypot services: email, DB, ICS, cloud, IoT, network protocols

Tier 1 (upstream images): telnet (cowrie), smtp (mailoney), elasticsearch (elasticpot), conpot (Modbus/S7/SNMP ICS). Tier 2 (custom asyncio honeypots): pop3, imap, mysql, mssql, redis, mongodb, postgres, ldap, vnc, docker_api, k8s, sip, mqtt, llmnr, snmp, tftp — each with Dockerfile, entrypoint, and protocol-accurate handshake/credential capture. Adds 256 pytest cases covering registration, compose fragments, LOG_TARGET propagation, and Dockerfile presence for all 25 services. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-03 23:07:44 -03:00
parent 65e3ea6b08
commit e42fcab760
70 changed files with 3099 additions and 0 deletions
--- a/decnet/services/llmnr.py
+++ b/decnet/services/llmnr.py
@@ -0,0 +1,31 @@
+from pathlib import Path
+from decnet.services.base import BaseService
+
+TEMPLATES_DIR = Path(__file__).parent.parent.parent / "templates" / "llmnr"
+
+
+class LLMNRService(BaseService):
+    """LLMNR/mDNS/NBNS poisoning detector.
+
+    Listens on UDP 5355 (LLMNR) and UDP 5353 (mDNS) and logs any
+    name-resolution queries it receives — a strong indicator of an attacker
+    running Responder or similar tools on the LAN.
+    """
+
+    name = "llmnr"
+    ports = [5355, 5353]
+    default_image = "build"
+
+    def compose_fragment(self, decky_name: str, log_target: str | None = None) -> dict:
+        fragment: dict = {
+            "build": {"context": str(TEMPLATES_DIR)},
+            "container_name": f"{decky_name}-llmnr",
+            "restart": "unless-stopped",
+            "environment": {"HONEYPOT_NAME": decky_name},
+        }
+        if log_target:
+            fragment["environment"]["LOG_TARGET"] = log_target
+        return fragment
+
+    def dockerfile_context(self) -> Path | None:
+        return TEMPLATES_DIR