Honeypot Management
How HoneyBee Node manages honeypots (pots).
Overview
HoneyBee Node automatically installs, configures, and manages honeypots from the HoneyBee Potstore. Honeypots are installed on-demand via commands from HoneyBee Core.
Installation Flow
- Core sends InstallPot command - Specifies honeypot type, ID, and configuration
- Node clones Potstore - Downloads honeypot from GitHub
- Node sets up environment - Creates virtual environments, installs dependencies
- Node configures integration - Sets up event forwarding to Core
- Node reports status - Sends installation progress to Core
Supported Honeypots
From the HoneyBee Potstore:
- Cowrie - SSH and Telnet honeypot (Python/Twisted)
- HonnyPotter - WordPress login honeypot (PHP)
- More coming soon…
Installation Process
Automatic Installation
When Core sends an InstallPot command:
{
  "version": 2,
  "message": {
    "NodeCommand": {
      "node_id": 12345,
      "command": {
        "InstallPot": {
          "pot_id": "cowrie-01",
          "honeypot_type": "cowrie",
          "config": {
            "ssh_port": "2222",
            "telnet_port": "2223"
          },
          "auto_start": true
        }
      }
    }
  }
}
The node will:
- Clone Potstore repository (if not already cloned)
- Copy honeypot to ~/.honeybee/honeypots/cowrie-01/
- Create Python virtual environment
- Install dependencies (pip install -r requirements.txt)
- Configure HoneyBee integration
- Start honeypot (if auto_start: true)
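Because pot_id ends up as a directory name under ~/.honeybee/honeypots/ and the port values arrive as strings, a node would want to validate the command before cloning or installing anything. The following is an added example, not HoneyBee Node's own code; the function name, the pot_id pattern, the type allowlist and the distinct-ports rule are assumptions.

```python
import json
import os
import re
from pathlib import Path

# Assumed policy for this sketch; none of these constants come from HoneyBee's source.
BASE_DIR = Path(os.path.expanduser("~/.honeybee/honeypots"))  # install root shown on this page
KNOWN_TYPES = {"cowrie", "honnypotter"}             # honeypot types listed on this page
POT_ID_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,62}")  # assumed slug rule for pot_id
PORT_KEYS = {"ssh_port", "telnet_port"}             # port fields in the page's examples

# The InstallPot command from this page, reused as sample input.
SAMPLE = json.dumps({"version": 2, "message": {"NodeCommand": {"node_id": 12345, "command": {
    "InstallPot": {"pot_id": "cowrie-01", "honeypot_type": "cowrie", "auto_start": True,
                   "config": {"ssh_port": "2222", "telnet_port": "2223"}}}}}})

def validate_install_pot(raw: str) -> dict:
    """Return a checked install plan for an InstallPot envelope, or raise ValueError."""
    try:
        cmd = json.loads(raw)["message"]["NodeCommand"]["command"]["InstallPot"]
        pot_id, pot_type = cmd["pot_id"], cmd["honeypot_type"]
        config = cmd.get("config", {})
    except (json.JSONDecodeError, KeyError, TypeError, AttributeError) as exc:
        raise ValueError(f"malformed InstallPot command: {exc!r}") from exc
    # pot_id becomes a directory name, so accept only a short lowercase slug.
    if not isinstance(pot_id, str) or not POT_ID_RE.fullmatch(pot_id):
        raise ValueError("pot_id must match [a-z0-9][a-z0-9-]{0,62}")
    if not isinstance(pot_type, str) or pot_type not in KNOWN_TYPES:
        raise ValueError(f"unknown honeypot_type: {pot_type!r}")
    if not isinstance(config, dict):
        raise ValueError("config must be a JSON object")
    ports = {}
    for key in sorted(PORT_KEYS & config.keys()):
        value = config[key]  # ports arrive as strings in the page's examples
        if not (isinstance(value, str) and value.isascii() and value.isdigit()
                and len(value) <= 5 and 1 <= int(value) <= 65535):
            raise ValueError(f"{key} must be a port number between 1 and 65535")
        ports[key] = int(value)
    if len(set(ports.values())) != len(ports):
        raise ValueError("honeypot ports must be distinct")
    # Defence in depth: the resolved target must be a direct child of BASE_DIR.
    target = (BASE_DIR / pot_id).resolve()
    if target.parent != BASE_DIR.resolve():
        raise ValueError("install path escapes the honeypot directory")
    return {"pot_id": pot_id, "type": pot_type, "path": target,
            "ports": ports, "auto_start": cmd.get("auto_start") is True}

if __name__ == "__main__":
    print(validate_install_pot(SAMPLE))
```

Only the returned plan, never the raw command fields, should feed the later clone, copy and start steps.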
Manual Installation
Honeypots can also be installed manually, but automatic installation is recommended.
Honeypot Lifecycle
States
- Installing - Honeypot is being installed
- Running - Honeypot is active
- Stopped - Honeypot is stopped
- Failed - Installation or startup failed
Commands
Start Honeypot
{
  "NodeCommand": {
    "node_id": 12345,
    "command": {
      "DeployPot": "cowrie-01"
    }
  }
}
Stop Honeypot
{
  "NodeCommand": {
    "node_id": 12345,
    "command": {
      "StopPot": "cowrie-01"
    }
  }
}
Restart Honeypot
{
  "NodeCommand": {
    "node_id": 12345,
    "command": {
      "RestartPot": "cowrie-01"
    }
  }
}
Get Status
{
  "NodeCommand": {
    "node_id": 12345,
    "command": {
      "GetPotStatus": "cowrie-01"
    }
  }
}
Event Forwarding
All honeypot events are automatically forwarded to Core:
- TCP Socket - Events sent to localhost:9100 (configurable)
- JSON Format - Structured event data
- Real-time - Events forwarded immediately
Event Format
{
  "node_id": 12345,
  "pot_id": "cowrie-01",
  "pot_type": "cowrie",
  "event_type": "login",
  "timestamp": "2024-01-15T10:30:00Z",
  "data": {
    "username": "admin",
    "password": "password123",
    "ip": "192.168.1.100",
    "session": "abc123"
  }
}
Configuration
Honeypots are configured via the InstallPot command’s config field:
{
  "config": {
    "ssh_port": "2222",
    "telnet_port": "2223",
    "hostname": "honeybee-cowrie",
    "log_path": "/var/log/cowrie"
  }
}
Directory Structure
Honeypots are installed in:
~/.honeybee/honeypots/
├── cowrie-01/ # First Cowrie instance
│ ├── cowrie-env/ # Python virtual environment
│ ├── src/ # Cowrie source
│ ├── etc/ # Configuration
│ └── logs/ # Logs
├── cowrie-02/ # Second Cowrie instance
└── honnypotter-01/ # HonnyPotter instance
Troubleshooting
Installation Fails
- Check Python/PHP is installed
- Verify Git is available
- Check disk space
- Review node logs
Honeypot Won’t Start
- Check dependencies are installed
- Verify configuration
- Check port availability
- Review honeypot logs
Events Not Forwarding
- Verify event listener is running (port 9100)
- Check honeypot configuration
- Verify network connectivity
- Enable debug logging
See Troubleshooting for more help.