• Stars
    star
    147
  • Rank 251,347 (Top 5 %)
  • Language
    Python
  • Created almost 3 years ago
  • Updated almost 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228

log4j-honeypot-flask

Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228

This can be installed on a workstation or server, either by running the Python app/app.py script directly (you'll need python3, Flask, and Requests) or as a Docker container.

You will need to set some environment variables (or hard-code them into the script): WEBHOOK_URL=your Teams, Slack or Mattermost webhook URL to receive notifications HONEYPOT_NAME=unique name for this honeypot so you know where the alerts came from HONEYPOT_PORT=8080 or whatever port you want it to listen on

Important Note: This is a LOW-INTERACTION honeypot meant for internal active defense. It is not supposed to be vulnerable or let attackers get into anything.

All it does is watch for suspicious string patterns in the requests (form fields and HTTP headers) and alert you if anything weird comes through by sending a message on Teams or Slack.

Example running via Docker:

docker build -t log4j-honeypot-flask:latest .

docker run -d -p 8080:8080 -e WEBHOOK_URL=https://yourwebhookurl -e HONEYPOT_NAME=dmz_log4j_hp log4j-honeypot-flask

Example running via command line:

export WEBHOOK_URL=https://yourwebhookurl

export HONEYPOT_NAME=LittleBobbyJNDI

export HONEYPOT_PORT=8081

python3 app/app.py

More Repositories

1

auto-ossec

Python
139
star
2

goatrider

GoatRider is a simple tool that will dynamically pull down Artillery Threat Intelligence Feeds, TOR, AlienVaults OTX, and the Alexa top 1 million websites and do a comparison to a hostname file or IP file.
Python
137
star
3

YaraMemoryScanner

Simple PowerShell script to enable process scanning with Yara.
PowerShell
87
star
4

beacon-fronting

A simple command line program to help defender test their detections for network beacon patterns and domain fronting
Go
65
star
5

ThreatHuntingJupyterNotebooks

Jupyter Notebook
58
star
6

BinaryDefense.FSharp.Analyzers

Security analyzers for the FSharp (F#) language
F#
37
star
7

IcedDecrypt

IcedID Decryption Tool
Python
27
star
8

GhidraRustDependenciesExtractor

Ghidra script for extracting embedded Rust crate dependency strings from a compiled Rust binary
Python
26
star
9

JsonWrapper

A Myriad plugin for generating statically typed lossless wrappers around JToken given a schema.
F#
15
star
10

ARC-Labs-ML-Starter-Kit

Jupyter Notebook
5
star
11

glyph-hunter

Python Flask web app that checks names for potential homoglyph characteristics and reports results in json format
Python
3
star
12

HiddenTaskHunter

PowerShell
3
star
13

ARC-Labs-Hunting-Queries

3
star
14

decloaker

A script that attempts to decloak symbiote activity, and some other LD_PRELOAD activity
Shell
2
star
15

mining-pools

List of mining pool domain names for use in detection logic
2
star
16

OTX-Microsoft-Logic-App

Microsoft Logic App for consuming Open Threat Exchange (OTX) data in Microsoft Sentinel / Log Analytics Workspace
2
star
17

borat-rat-plugin-emulators

.Net Libraries (DLLs) re-written from scratch that emulate the functionality of Borat RAT for defese testing purposes
C#
2
star
18

RPCFirewall-LogParsers

1
star