# DECNET Honeypot Events

This document details the events generated by each DECNET honeypot service, as found in their respective `server.py` files.

## Service: `docker_api`

| Event Type | Included Fields |
| --- | --- |
| `request` | `method`, `path`, `remote_addr`, `body` |
| `startup` | *None* |

## Service: `elasticsearch`

| Event Type | Included Fields |
| --- | --- |
| `startup` | *None* |
| `post_request` | `src`, `method`, `path`, `body_preview`, `user_agent` |
| `put_request` | `src`, `method`, `path`, `body_preview` |
| `delete_request` | `src`, `method`, `path` |
| `head_request` | `src`, `method`, `path` |
| `root_probe` | `src`, `method`, `path` |
| `cat_api` | `src`, `method`, `path` |
| `cluster_recon` | `src`, `method`, `path` |
| `nodes_recon` | `src`, `method`, `path` |
| `security_probe` | `src`, `method`, `path` |
| `request` | `src`, `method`, `path` |

## Service: `ftp`

| Event Type | Included Fields |
| --- | --- |
| `startup` | *None* |
| `connection` | `src_ip`, `src_port` |
| `user` | `username` |
| `auth_attempt` | `username`, `password` |
| `download_attempt` | `path` |
| `disconnect` | `src_ip`, `src_port` |

## Service: `http`

| Event Type | Included Fields |
| --- | --- |
| `request` | `method`, `path`, `remote_addr`, `headers`, `body` |
| `startup` | *None* |

## Service: `imap`

| Event Type | Included Fields |
| --- | --- |
| `startup` | *None* |
| `connect` | `src`, `src_port` |
| `disconnect` | `src` |
| `auth` | `src`, `username`, `password` |
| `command` | `src`, `cmd` |

## Service: `k8s`

| Event Type | Included Fields |
| --- | --- |
| `request` | `method`, `path`, `remote_addr`, `auth`, `body` |
| `startup` | *None* |

## Service: `ldap`

| Event Type | Included Fields |
| --- | --- |
| `startup` | *None* |
| `connect` | `src`, `src_port` |
| `bind` | `src`, `dn`, `password` |
| `disconnect` | `src` |

## Service: `llmnr`

| Event Type | Included Fields |
| --- | --- |
| `startup` | *None* |
| `query` | `proto`, `src`, `src_port`, `name`, `qtype` |
| `raw_packet` | `proto`, `src`, `data`, `error` |

## Service: `mongodb`

| Event Type | Included Fields |
| --- | --- |
| `startup` | *None* |
| `connect` | `src`, `src_port` |
| `message` | `src`, `opcode`, `length` |
| `disconnect` | `src` |

## Service: `mqtt`

| Event Type | Included Fields |
| --- | --- |
| `startup` | *None* |
| `connect` | `src`, `src_port` |
| `disconnect` | `src` |
| `auth` | `src` |
| `packet` | `src`, `pkt_type` |

## Service: `mssql`

| Event Type | Included Fields |
| --- | --- |
| `startup` | *None* |
| `connect` | `src`, `src_port` |
| `disconnect` | `src` |
| `auth` | `src`, `username` |
| `unknown_packet` | `src`, `pkt_type` |

## Service: `mysql`

| Event Type | Included Fields |
| --- | --- |
| `startup` | *None* |
| `connect` | `src`, `src_port` |
| `disconnect` | `src` |
| `auth` | `src`, `username` |

## Service: `pop3`

| Event Type | Included Fields |
| --- | --- |
| `startup` | *None* |
| `connect` | `src`, `src_port` |
| `disconnect` | `src` |
| `user` | `src`, `username` |
| `auth` | `src`, `username`, `password` |
| `command` | `src`, `cmd` |

## Service: `postgres`

| Event Type | Included Fields |
| --- | --- |
| `startup` | *None* |
| `connect` | `src`, `src_port` |
| `startup` | `src`, `username`, `database` |
| `auth` | `src`, `pw_hash` |
| `disconnect` | `src` |

## Service: `rdp`

| Event Type | Included Fields |
| --- | --- |
| `startup` | *None* |
| `connection` | `src_ip`, `src_port` |
| `data` | `src_ip`, `src_port`, `bytes`, `hex` |
| `disconnect` | `src_ip`, `src_port` |

## Service: `redis`

| Event Type | Included Fields |
| --- | --- |
| `startup` | *None* |
| `connect` | `src`, `src_port` |
| `command` | `src`, `cmd`, `args` |
| `disconnect` | `src` |
| `auth` | `src`, `password` |

## Service: `sip`

| Event Type | Included Fields |
| --- | --- |
| `request` | `src`, `src_port`, `method`, `from_`, `to`, `username`, `auth` |
| `startup` | *None* |

## Service: `smb`

| Event Type | Included Fields |
| --- | --- |
| `startup` | *None* |
| `shutdown` | *None* |

## Service: `smtp`

| Event Type | Included Fields |
| --- | --- |
| `startup` | *None* |
| `connect` | `src`, `src_port` |
| `disconnect` | `src` |
| `ehlo` | `src`, `domain` |
| `auth_attempt` | `src`, `command` |
| `mail_from` | `src`, `value` |
| `rcpt_to` | `src`, `value` |
| `vrfy` | `src`, `value` |
| `unknown_command` | `src`, `command` |

## Service: `snmp`

| Event Type | Included Fields |
| --- | --- |
| `startup` | *None* |
| `get_request` | `src`, `src_port`, `version`, `community`, `oids` |
| `parse_error` | `src`, `error`, `data` |

## Service: `tftp`

| Event Type | Included Fields |
| --- | --- |
| `startup` | *None* |
| `request` | `src`, `src_port`, `op`, `filename`, `mode` |
| `unknown_opcode` | `src`, `opcode`, `data` |

## Service: `vnc`

| Event Type | Included Fields |
| --- | --- |
| `startup` | *None* |
| `connect` | `src`, `src_port` |
| `disconnect` | `src` |
| `version` | `src`, `client_version` |
| `security_choice` | `src`, `type` |
| `auth_response` | `src`, `response` |