DECNET Honeypot Events
This document details the events generated by each DECNET honeypot service, as found in their respective server.py files.
Service: docker_api
| Event Type |
Included Fields |
request |
method, path, remote_addr, body |
startup |
None |
Service: elasticsearch
| Event Type |
Included Fields |
startup |
None |
post_request |
src, method, path, body_preview, user_agent |
put_request |
src, method, path, body_preview |
delete_request |
src, method, path |
head_request |
src, method, path |
root_probe |
src, method, path |
cat_api |
src, method, path |
cluster_recon |
src, method, path |
nodes_recon |
src, method, path |
security_probe |
src, method, path |
request |
src, method, path |
Service: ftp
| Event Type |
Included Fields |
startup |
None |
connection |
src_ip, src_port |
user |
username |
auth_attempt |
username, password |
download_attempt |
path |
disconnect |
src_ip, src_port |
Service: http
| Event Type |
Included Fields |
request |
method, path, remote_addr, headers, body |
startup |
None |
Service: imap
| Event Type |
Included Fields |
startup |
None |
connect |
src, src_port |
disconnect |
src |
auth |
src, username, password |
command |
src, cmd |
Service: k8s
| Event Type |
Included Fields |
request |
method, path, remote_addr, auth, body |
startup |
None |
Service: ldap
| Event Type |
Included Fields |
startup |
None |
connect |
src, src_port |
bind |
src, dn, password |
disconnect |
src |
Service: llmnr
| Event Type |
Included Fields |
startup |
None |
query |
proto, src, src_port, name, qtype |
raw_packet |
proto, src, data, error |
Service: mongodb
| Event Type |
Included Fields |
startup |
None |
connect |
src, src_port |
message |
src, opcode, length |
disconnect |
src |
Service: mqtt
| Event Type |
Included Fields |
startup |
None |
connect |
src, src_port |
disconnect |
src |
auth |
src |
packet |
src, pkt_type |
Service: mssql
| Event Type |
Included Fields |
startup |
None |
connect |
src, src_port |
disconnect |
src |
auth |
src, username |
unknown_packet |
src, pkt_type |
Service: mysql
| Event Type |
Included Fields |
startup |
None |
connect |
src, src_port |
disconnect |
src |
auth |
src, username |
Service: pop3
| Event Type |
Included Fields |
startup |
None |
connect |
src, src_port |
disconnect |
src |
user |
src, username |
auth |
src, username, password |
command |
src, cmd |
Service: postgres
| Event Type |
Included Fields |
startup |
None |
connect |
src, src_port |
startup |
src, username, database |
auth |
src, pw_hash |
disconnect |
src |
Service: rdp
| Event Type |
Included Fields |
startup |
None |
connection |
src_ip, src_port |
data |
src_ip, src_port, bytes, hex |
disconnect |
src_ip, src_port |
Service: redis
| Event Type |
Included Fields |
startup |
None |
connect |
src, src_port |
command |
src, cmd, args |
disconnect |
src |
auth |
src, password |
Service: sip
| Event Type |
Included Fields |
request |
src, src_port, method, from_, to, username, auth |
startup |
None |
Service: smb
| Event Type |
Included Fields |
startup |
None |
shutdown |
None |
Service: smtp
| Event Type |
Included Fields |
startup |
None |
connect |
src, src_port |
disconnect |
src |
ehlo |
src, domain |
auth_attempt |
src, command |
mail_from |
src, value |
rcpt_to |
src, value |
vrfy |
src, value |
unknown_command |
src, command |
Service: snmp
| Event Type |
Included Fields |
startup |
None |
get_request |
src, src_port, version, community, oids |
parse_error |
src, error, data |
Service: tftp
| Event Type |
Included Fields |
startup |
None |
request |
src, src_port, op, filename, mode |
unknown_opcode |
src, opcode, data |
Service: vnc
| Event Type |
Included Fields |
startup |
None |
connect |
src, src_port |
disconnect |
src |
version |
src, client_version |
security_choice |
src, type |
auth_response |
src, response |
