Big-HP Honeypot
Prerequisites
The default deployment model uses Docker and Docker Compose to deploy containers for the project's tools, and so, require the following:
- Docker >= 1.13.1
- Docker Compose >= 1.15.0
Please ensure the user on the system installing the honeypot is in the local docker group
Please see your system documentation for adding a user to the docker group.
Important Note!
The env files, as well as the docker-compose.yml files below are intended to help you understand the various options. While they may serve as a basis for users with advanced deployment needs, most users should default to the configuration files provided by the deployment scripts in the CHN web interface.
Example big-hp docker-compose.yml
version: '3'
services:
bighp:
image: stingar/big-hp:1.9.1
volumes:
- configs:/etc/big-hp
ports:
- "443:8000"
env_file:
- big-hp.env
volumes:
configs:
Example big-hp.env file
Prior to starting, Big-HP will parse some options from big-hp.env
. The following is an example config file:
# This can be modified to change the default setup of the unattended installation
DEBUG=false
# IP Address of the honeypot
# Leaving this blank will default to the docker container IP
IP_ADDRESS=
# CHN Server api to register to
CHN_SERVER={url}
# Server to stream data to
FEEDS_SERVER={server}
FEEDS_SERVER_PORT=10000
# Variables to set to pass to the honeypot web server for reporting and visibility
REPORTED_IP=
REPORTED_PORT=443
HOSTNAME=
# Deploy key from the FEEDS_SERVER administrator
# This is a REQUIRED value
DEPLOY_KEY={deploy}
# Registration information file
# If running in a container, this needs to persist
BIGHP_JSON=/etc/big-hp/big-hp.json
# Comma separated tags for honeypot
TAGS={tags}
Configuration Options
The following options are supported in the big-hp.env
file:
- DEBUG: (boolean) Enable more verbose output to the console
- IP_ADDRESS: IP address of the host running the honeypot container
- CHN_SERVER: (string) The URL of the CHN Server used to register honeypot.
- FEEDS_SERVER: (string) The hostname or IP address of the HPFeeds server to send logged events. This will likely be the CHN management server.
- FEEDS_SERVER_PORT: (integer) The HPFeeds port. Default is 10000.
- REPORTED_IP: (string) IP address to include in data output from the honeypot
- REPORTED_PORT: (integer) port number to use in data output from the honeypot
- HOSTNAME: (string) Hostname you wish to present to attackers in the HTML template outputs
- DEPLOY_KEY: (string; REQUIRED) The deploy key provided by the feeds server administration for registration during the first startup. This key is required for registration.
- BIGHP_JSON: (string) The location to store the registration information returned from the HPFeeds server.
- TAGS: (string) Comma delimited string for honeypot-specific tags. Tags must be separated by a comma to be parsed properly.