DECNET/CLAUDE.md
anti 3e98c71ca4 Initial commit: DECNET honeypot/deception network framework
Core CLI, service plugins (SSH/SMB/FTP/HTTP/RDP), Docker Compose
orchestration, MACVLAN networking, and Logstash log forwarding.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-03 18:56:25 -03:00

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

Commands

# Install (dev)
pip install -e .

# List registered service plugins
decnet services

# Dry-run (generates compose, no containers)
decnet deploy --mode unihost --deckies 3 --randomize-services --dry-run

# Full deploy (requires root for MACVLAN)
sudo decnet deploy --mode unihost --deckies 5 --interface eth0 --randomize-services
sudo decnet deploy --mode unihost --deckies 3 --services ssh,smb --log-target 192.168.1.5:5140

# Status / teardown
decnet status
sudo decnet teardown --all
sudo decnet teardown --id decky-01

Project Overview

DECNET is a honeypot/deception network framework. It deploys fake machines (called deckies) with realistic services (RDP, SMB, SSH, FTP, etc.) to lure and profile attackers. All attacker interactions are aggregated to an isolated logging network (ELK stack / SIEM).

Deployment Models

UNIHOST — one real host spins up n deckies via a container orchestrator. Simpler, single-machine deployment.

SWARM (MULTIHOST) — n real hosts each running deckies. Orchestrated via Ansible/sshpass or similar tooling.

Core Technology Choices

  • Containers: Docker Compose is the starting point but other orchestration frameworks should be evaluated if they serve the project better. debian:bookworm-slim is the default base image; mixing in Ubuntu, CentOS, or other distros is encouraged to make the decoy network look heterogeneous.
  • Networking: Deckies need to appear as real machines on the LAN (own MACs/IPs). MACVLAN and IPVLAN are candidates; the right driver depends on the host environment. WSL has known limitations — bare metal or a VM is preferred for testing.
  • Log pipeline: Logstash → ELK stack → SIEM (isolated network, not reachable from decoy network)

Architecture Constraints

  • The decoy network must be reachable from the outside (attacker-facing).
  • The logging/aggregation network must be isolated from the decoy network.
  • A publicly accessible real server acts as the bridge between the two networks.
  • Deckies should differ in exposed services and OS fingerprints to appear as a heterogeneous network.
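Added example, not code from the DECNET repository: a small Python generator that turns the technology choices and architecture constraints above into a Compose spec (a MACVLAN decoy network on a parent interface, an `internal: true` logging network, and a single log-forwarder container as the only bridge between them), plus a checker that flags a spec which breaks those rules. The network and container names, the `DECNET_*` environment variables, the service catalogue, the base images and the Logstash image tag are assumptions made for this illustration; the real plugin list comes from `decnet services`.

```python
"""Added example: build a DECNET-style Compose spec and verify its isolation rules.

Not DECNET's own generator. Network names, the log-forwarder bridge container,
the DECNET_* variables and the service catalogue are assumptions for illustration.
"""
import ipaddress
import json
import random
from typing import Dict, List, Optional

DECOY_NET = "decoy_net"            # attacker-facing MACVLAN network (assumed name)
LOGGING_NET = "logging_net"        # isolated log-aggregation network (assumed name)
BRIDGE_SERVICE = "log-forwarder"   # the only container allowed on both networks

# Constructed catalogue: decoy service -> listening port (plugins named in the commit).
SERVICE_CATALOGUE: Dict[str, int] = {"ssh": 22, "smb": 445, "ftp": 21, "http": 80, "rdp": 3389}
# Mixed base images so the decoys do not all fingerprint as the same distro.
BASE_IMAGES = ["debian:bookworm-slim", "ubuntu:22.04", "quay.io/centos/centos:stream9"]


def pick_services(rng: random.Random, randomize: bool, services: Optional[List[str]]) -> List[str]:
    """Service set for one decky: explicit list, random non-empty subset, or everything."""
    if services:
        unknown = set(services) - set(SERVICE_CATALOGUE)
        if unknown:
            raise ValueError(f"unknown services: {sorted(unknown)}")
        return list(services)
    if randomize:
        return sorted(rng.sample(sorted(SERVICE_CATALOGUE), rng.randint(1, len(SERVICE_CATALOGUE))))
    return sorted(SERVICE_CATALOGUE)


def build_compose(n_deckies: int, interface: str = "eth0", subnet: str = "192.168.1.0/24",
                  gateway: str = "192.168.1.1", first_host: int = 101,
                  services: Optional[List[str]] = None, randomize: bool = False,
                  seed: Optional[int] = None, log_target: str = "192.168.1.5:5140") -> dict:
    """Build the Compose structure for n deckies plus the log-forwarder bridge."""
    rng = random.Random(seed)
    hosts = list(ipaddress.ip_network(subnet).hosts())   # hosts[0] is .1
    if first_host < 2 or first_host - 1 + n_deckies > len(hosts):
        raise ValueError("not enough addresses in subnet for the requested deckies")
    compose = {"services": {}, "networks": {
        # MACVLAN: every decky gets its own MAC/IP on the real LAN behind `interface`.
        DECOY_NET: {"driver": "macvlan", "driver_opts": {"parent": interface},
                    "ipam": {"config": [{"subnet": subnet, "gateway": gateway}]}},
        # internal: true -> no route out; only containers joined to it can reach it.
        LOGGING_NET: {"driver": "bridge", "internal": True},
    }}
    for i in range(n_deckies):
        name = f"decky-{i + 1:02d}"
        chosen = pick_services(rng, randomize, services)
        compose["services"][name] = {
            "image": rng.choice(BASE_IMAGES),
            "container_name": name,
            "environment": {"DECNET_SERVICES": ",".join(chosen),          # assumed variable
                            "DECNET_LOG_SINK": f"{BRIDGE_SERVICE}:5140"},  # assumed variable
            "expose": [str(SERVICE_CATALOGUE[s]) for s in chosen],
            "labels": {"decnet.decky": "true", "decnet.services": ",".join(chosen)},
            "networks": {DECOY_NET: {"ipv4_address": str(hosts[first_host - 1 + i])}},
        }
    # The forwarder is the bridge: it listens on the decoy LAN and ships events to a
    # collector that is reachable only over the isolated logging network.
    compose["services"][BRIDGE_SERVICE] = {
        "image": "docker.elastic.co/logstash/logstash:8.12.2",   # tag is an assumption
        "environment": {"LOG_TARGET": log_target},
        "networks": {DECOY_NET: {"ipv4_address": str(hosts[first_host - 2])}, LOGGING_NET: {}},
    }
    return compose


def _attached(service: dict) -> set:
    """Networks a service joins (Compose accepts either list or mapping form)."""
    return set(service.get("networks") or [])


def check_isolation(compose: dict) -> List[str]:
    """Return violations of the architecture constraints; an empty list means the spec is OK."""
    problems: List[str] = []
    nets = compose.get("networks", {})
    if not nets.get(LOGGING_NET, {}).get("internal"):
        problems.append(f"{LOGGING_NET} must be internal (no external route)")
    if nets.get(DECOY_NET, {}).get("driver") not in ("macvlan", "ipvlan"):
        problems.append(f"{DECOY_NET} needs macvlan/ipvlan so deckies get their own LAN MAC/IP")
    svcs = compose.get("services", {})
    for name, svc in svcs.items():
        if svc.get("network_mode") == "host":
            problems.append(f"{name} uses host networking and bypasses both networks")
        if LOGGING_NET in _attached(svc) and name != BRIDGE_SERVICE:
            problems.append(f"{name} is on {LOGGING_NET}; only {BRIDGE_SERVICE} may bridge")
    if not {DECOY_NET, LOGGING_NET} <= _attached(svcs.get(BRIDGE_SERVICE, {})):
        problems.append(f"{BRIDGE_SERVICE} must sit on both networks to forward logs")
    return problems


def distinct_profiles(compose: dict) -> int:
    """Number of distinct (image, service set) pairs among deckies; 1 means a uniform decoy net."""
    return len({(s["image"], s["labels"]["decnet.services"]) for s in compose["services"].values()
                if s.get("labels", {}).get("decnet.decky") == "true"})


def render(compose: dict) -> str:
    """JSON is valid YAML, so the output can be written straight to docker-compose.yml."""
    return json.dumps(compose, indent=2)


if __name__ == "__main__":
    spec = build_compose(3, randomize=True, seed=42)
    print(render(spec))
    print("violations:", check_isolation(spec) or "none")
```

Run it with `python gen.py > docker-compose.yml` to mirror what `decnet deploy --dry-run` produces, then feed the dict to `check_isolation` before any real `docker compose up`: the two failure modes it catches most often are a logging network left without `internal: true` and a decky accidentally joined to that network, either of which gives an attacker on a compromised decoy a path toward the SIEM. Note that containers on a MACVLAN network are not reachable from the host's own interface, so the forwarder is addressed by container name over the decoy network rather than via the host.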