Feat: add MCP honeypot support (#199)

* Add MCP honeypot

* Add http headers in plain text

* Improve code coverage

* Refactor README.md

.github/FUNDING.yml

@@ -1 +1 @@
-custom: ["https://www.paypal.com/donate/?business=P75FH5LXKQTAC&no_recurring=0&currency_code=EUR"]
+github: mariocandela

.github/workflows/ci.yml

@@ -45,7 +45,7 @@ jobs:
         echo "Quality Gate: checking test coverage is above threshold ..."
         echo "Threshold             : $TESTCOVERAGE_THRESHOLD %"
         # Excluded the concrete strategy from the unit test coverage, because covered by integration tests
-        cat coverage.tmp.out | grep -v "ssh.go" | grep -v "http.go" | grep -v "tcp.go" | grep -v "builder.go" | grep -v "director.go" > coverage.out
+        cat coverage.tmp.out | grep -v "mcp.go" | grep -v "ssh.go" | grep -v "http.go" | grep -v "tcp.go" | grep -v "builder.go" | grep -v "director.go" > coverage.out
         totalCoverage=`go tool cover -func=coverage.out | grep total | grep -Eo '[0-9]+\.[0-9]+'`
         echo "Current test coverage : $totalCoverage %"
         if (( $(echo "$totalCoverage $TESTCOVERAGE_THRESHOLD" | awk '{print ($1 > $2)}') )); then

README.md

@@ -12,22 +12,45 @@ Beelzebub is an advanced honeypot framework designed to provide a highly secure
 
 <img src="https://beelzebub.netlify.app/go-beelzebub.png" alt="Beelzebub Logo" width="200"/>
 
-## LLM Honeypot
+## Key Features
+
+Beelzebub offers a wide range of features to enhance your honeypot environment:
+
+- Low-code configuration: YAML-based, modular service definition
+- LLM integration: The LLM convincingly simulates a real system, creating high-interaction honeypot experiences, while actually maintaining low-interaction architecture for enhanced security and easy management.
+- Multi-protocol support: SSH, HTTP, TCP, MCP(Detect prompt injection against LLM agents)
+- Prometheus metrics & observability 
+- Docker & Kubernetes ready
+- ELK stack ready, docs: [Official ELK integration](https://www.elastic.co/docs/reference/integrations/beelzebub)
+
+## LLM SSH Honeypot Demo
 
 [![asciicast](https://asciinema.org/a/665295.svg)](https://asciinema.org/a/665295)
 
+## Code Quality
 
-## Telegram Bot for Real-Time Attacks
+We are strongly committed to maintaining high code quality in the Beelzebub project. Our development workflow includes comprehensive testing, code reviews, static analysis, and continuous integration to ensure the reliability and maintainability of the codebase.
 
-Stay updated on real-time attacks by joining our dedicated Telegram channel: [Telegram Channel](https://t.me/beelzebubhoneypot)
+### What We Do
 
-## Examples
+* **Automated Testing:**
+  Both unit and integration tests are run on every pull request to catch regressions and ensure stability.
 
-To better understand the capabilities of Beelzebub, you can explore our example repository: [mariocandela/beelzebub-example](https://github.com/mariocandela/beelzebub-example)
+* **Static Analysis:**
+  We use tools like Go Report Card and CodeQL to automatically check for code quality, style, and security issues.
+
+* **Code Coverage:**
+  Our test coverage is monitored with [Codecov](https://codecov.io/gh/mariocandela/beelzebub), and we aim for extensive coverage of all core components.
+
+* **Continuous Integration:**
+  Every commit triggers automated CI pipelines on GitHub Actions, which run all tests and quality checks.
+
+* **Code Reviews:**
+  All new contributions undergo peer review to maintain consistency and high standards across the project.
 
 ## Quick Start
 
-We provide two quick start options for build and run Beelzebub: using Docker Compose or the Go compiler.
+You can run Beelzebub via Docker, Go compiler(cross device), or Helm (Kubernetes).
 
 ### Using Docker Compose
 
@@ -43,6 +66,7 @@ We provide two quick start options for build and run Beelzebub: using Docker Com
    $ docker-compose up -d
    ```
 
+
 ### Using Go Compiler
 
 1. Download the necessary Go modules:
@@ -78,41 +102,6 @@ We provide two quick start options for build and run Beelzebub: using Docker Com
    ```bash
    $ helm upgrade beelzebub ./beelzebub-chart
    ```
-## Testing
-
-We provide two types of tests: unit tests and integration tests.
-
-### Unit Tests
-
-To run unit tests:
-
-```bash
-$ make test.unit
-```
-
-### Integration Tests
-
-To run integration tests:
-
-```bash
-$ make test.dependencies.start
-$ make test.integration
-$ make test.dependencies.down
-```
-
-## Key Features
-
-Beelzebub offers a wide range of features to enhance your honeypot environment:
-
-- Support for Ollama
-- Support for OpenAI
-- SSH Honeypot
-- HTTP Honeypot
-- TCP Honeypot
-- Prometheus openmetrics integration
-- Docker integration
-- RabbitMQ integration
-- kubernetes
 
 ## Example Configuration
 
@@ -126,7 +115,73 @@ $ ./beelzebub --confCore ./configurations/beelzebub.yaml --confServices ./config
 
 Here are some example configurations for different honeypot scenarios:
 
-#### Example HTTP Honeypot on Port 80
+### MCP Honeypot
+
+#### Why choose an MCP Honeypot?
+
+An MCP honeypot is a **decoy tool** that the agent should never invoke under normal circumstances. Integrating this strategy into your agent pipeline offers three key benefits:
+
+* **Real-time detection of guardrail bypass attempts.**
+  
+  Instantly identify when a prompt injection attack successfully convinces the agent to invoke a restricted tool.
+* **Automatic collection of real attack prompts for guardrail fine-tuning.**
+  
+   Every activation logs genuine malicious prompts, enabling continuous improvement of your filtering mechanisms.
+* **Continuous monitoring of attack trends through key metrics (HAR, TPR, MTP).**
+  
+   Track exploit frequency and system resilience using objective, actionable measurements.
+
+##### Example MCP Honeypot Configuration
+
+###### mcp-8000.yaml
+
+```yaml
+apiVersion: "v1"
+protocol: "mcp"
+address: ":8000"
+description: "MCP Honeypot"
+tools:
+  - name: "tool:user-account-manager"
+    description: "Tool for querying and modifying user account details. Requires administrator privileges."
+    params:
+      - name: "user_id"
+        description: "The ID of the user account to manage."
+      - name: "action"
+        description: "The action to perform on the user account, possible values are: get_details, reset_password, deactivate_account"
+    handler: |
+      {
+        "tool_id": "tool:user-account-manager",
+        "status": "completed",
+        "output": {
+          "message": "Tool 'tool:user-account-manager' executed successfully. Results are pending internal processing and will be logged.",
+          "result": {
+            "operation_status": "success",
+            "details": "email: kirsten@gmail.com, role: admin, last-login: 02/07/2025"
+          }
+        }
+      }
+  - name: "tool:system-log"
+    description: "Tool for querying system logs. Requires administrator privileges."
+    params:
+      - name: "filter"
+        description: "The input used to filter the logs."
+    handler: |
+      {
+        "tool_id": "tool:system-log",
+        "status": "completed",
+        "output": {
+          "message": "Tool 'tool:system-log' executed successfully. Results are pending internal processing and will be logged.",
+          "result": {
+            "operation_status": "success",
+            "details": "Info: email: kirsten@gmail.com, last-login: 02/07/2025"
+          }
+        }
+      }
+```
+
+#### Invoke remotely: beelzebub:port/mcp (Streamable HTTPServer).
+
+### HTTP Honeypot
 
 ###### http-80.yaml
 
@@ -191,7 +246,7 @@ commands:
     statusCode: 404
 ```
 
-#### Example HTTP Honeypot on Port 8080
+### HTTP Honeypot
 
 ###### http-8080.yaml
 
@@ -209,7 +264,7 @@ commands:
     statusCode: 401
 ```
 
-#### Example SSH Honeypot
+### SSH Honeypot
 
 ###### LLM Honeypots
 
@@ -273,7 +328,7 @@ plugin:
    prompt: "You will act as an Ubuntu Linux terminal. The user will type commands, and you are to reply with what the terminal should show. Your responses must be contained within a single code block."
 ```
 
-###### SSH Honeypot on Port 22
+###### SSH Honeypot
 
 ###### ssh-22.yaml
 
@@ -307,6 +362,29 @@ passwordRegex: "^(root|qwerty|Smoker666)$"
 deadlineTimeoutSeconds: 60
 ```
 
+## Testing
+
+Maintaining excellent code quality is essential for security-focused projects like Beelzebub. We welcome all contributors who share our commitment to robust, readable, and reliable code!
+
+### Unit Tests
+
+For contributor, we have a comprehensive suite of unit/integration tests that cover the core functionality of Beelzebub. To run the unit tests, use the following command:
+
+```bash
+$ make test.unit
+```
+
+### Integration Tests
+
+To run integration tests:
+
+```bash
+$ make test.dependencies.start
+$ make test.integration
+$ make test.dependencies.down
+```
+
+
 ## Roadmap
 
 Our future plans for Beelzebub include developing it into a robust PaaS platform.

builder/builder.go

@@ -3,6 +3,7 @@ package builder
 import (
 	"errors"
 	"fmt"
+	"github.com/mariocandela/beelzebub/v3/protocols/strategies/MCP"
 	"io"
 	"net/http"
 	"os"
@@ -112,6 +113,7 @@ Honeypot Framework, happy hacking!`)
 	secureShellStrategy := &SSH.SSHStrategy{}
 	hypertextTransferProtocolStrategy := &HTTP.HTTPStrategy{}
 	transmissionControlProtocolStrategy := &TCP.TCPStrategy{}
+	modelContextProtocolStrategy := &MCP.MCPStrategy{}
 
 	// Init Tracer strategies, and set the trace strategy default HTTP
 	protocolManager := protocols.InitProtocolManager(b.traceStrategy, hypertextTransferProtocolStrategy)
@@ -139,6 +141,8 @@ Honeypot Framework, happy hacking!`)
 			protocolManager.SetProtocolStrategy(secureShellStrategy)
 		case "tcp":
 			protocolManager.SetProtocolStrategy(transmissionControlProtocolStrategy)
+		case "mcp":
+			protocolManager.SetProtocolStrategy(modelContextProtocolStrategy)
 		default:
 			log.Fatalf("protocol %s not managed", beelzebubServiceConfiguration.Protocol)
 		}

configurations/services/mcp-8000.yaml

@@ -0,0 +1,41 @@
+apiVersion: "v1"
+protocol: "mcp"
+address: ":8000"
+description: "MCP Honeypot"
+tools:
+  - name: "tool:user-account-manager"
+    description: "Tool for querying and modifying user account details. Requires administrator privileges."
+    params:
+      - name: "user_id"
+        description: "The ID of the user account to manage."
+      - name: "action"
+        description: "The action to perform on the user account, possible values are: get_details, reset_password, deactivate_account"
+    handler: |
+      {
+        "tool_id": "tool:user-account-manager",
+        "status": "completed",
+        "output": {
+          "message": "Tool 'tool:user-account-manager' executed successfully. Results are pending internal processing and will be logged.",
+          "result": {
+            "operation_status": "success",
+            "details": "email: kirsten_12345@gmail.com, role: admin, last-login: 02/07/2025"
+          }
+        }
+      }
+  - name: "tool:system-log"
+    description: "Tool for querying system logs. Requires administrator privileges."
+    params:
+      - name: "filter"
+        description: "The input used to filter the logs."
+    handler: |
+      {
+        "tool_id": "tool:system-log",
+        "status": "completed",
+        "output": {
+          "message": "Tool 'tool:system-log' executed successfully. Results are pending internal processing and will be logged.",
+          "result": {
+            "operation_status": "success",
+            "details": "Info: email: kirsten_12345@gmail.com, last-login: 02/07/2025"
+          }
+        }
+      }

go.mod

@@ -10,12 +10,12 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/jarcoal/httpmock v1.4.0
 	github.com/melbahja/goph v1.4.0
-	github.com/prometheus/client_golang v1.20.5
+	github.com/prometheus/client_golang v1.22.0
 	github.com/rabbitmq/amqp091-go v1.10.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.10.0
-	golang.org/x/crypto v0.35.0
-	golang.org/x/term v0.31.0
+	golang.org/x/crypto v0.36.0
+	golang.org/x/term v0.32.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -24,17 +24,19 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/klauspost/compress v1.17.9 // indirect
 	github.com/kr/fs v0.1.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
+	github.com/mark3labs/mcp-go v0.32.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/sftp v1.13.5 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
-	golang.org/x/net v0.36.0 // indirect
-	golang.org/x/sys v0.32.0 // indirect
-	google.golang.org/protobuf v1.34.2 // indirect
+	github.com/spf13/cast v1.7.1 // indirect
+	github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
+	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
 )

go.sum

@@ -12,14 +12,14 @@ github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
 github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
 github.com/go-resty/resty/v2 v2.16.5 h1:hBKqmWrr7uRc3euHVqmh1HTHcKn99Smr7o5spptdhTM=
 github.com/go-resty/resty/v2 v2.16.5/go.mod h1:hkJtXbA2iKHzJheXYvQ8snQES5ZLGKMwQ07xAwp/fiA=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/jarcoal/httpmock v1.4.0 h1:BvhqnH0JAYbNudL2GMJKgOHe2CtKlzJ/5rWKyp+hc2k=
 github.com/jarcoal/httpmock v1.4.0/go.mod h1:ftW1xULwo+j0R0JJkJIIi7UKigZUXCLLanykgjwBXL0=
-github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
-github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -28,6 +28,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/mark3labs/mcp-go v0.32.0 h1:fgwmbfL2gbd67obg57OfV2Dnrhs1HtSdlY/i5fn7MU8=
+github.com/mark3labs/mcp-go v0.32.0/go.mod h1:rXqOudj/djTORU/ThxYx8fqEVj/5pvTuuebQ2RC7uk4=
 github.com/maxatome/go-testdeep v1.14.0 h1:rRlLv1+kI8eOI3OaBXZwb3O7xY3exRzdW5QyX48g9wI=
 github.com/maxatome/go-testdeep v1.14.0/go.mod h1:lPZc/HAcJMP92l7yI6TRz1aZN5URwUBUAfUNvrclaNM=
 github.com/melbahja/goph v1.4.0 h1:z0PgDbBFe66lRYl3v5dGb9aFgPy0kotuQ37QOwSQFqs=
@@ -40,12 +42,12 @@ github.com/pkg/sftp v1.13.5 h1:a3RLUqkyjYRtBTZJZ1VRrKbN3zhuPLlUc3sphVz81go=
 github.com/pkg/sftp v1.13.5/go.mod h1:wHDZ0IZX6JcBYRK1TH9bcVq8G7TLpVHYIGJRFnmPfxg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y=
-github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
+github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
+github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
 github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc=
-github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
+github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
+github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/rabbitmq/amqp091-go v1.10.0 h1:STpn5XsHlHGcecLmMFCtg7mqq0RnD+zFr4uzukfVhBw=
@@ -54,10 +56,14 @@ github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjR
 github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y=
+github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/yosida95/uritemplate/v3 v3.0.2 h1:Ed3Oyj9yrmi9087+NczuL5BwkIc4wvTb5zIM+UJPGz4=
+github.com/yosida95/uritemplate/v3 v3.0.2/go.mod h1:ILOh0sOhIJR3+L/8afwt/kE++YT040gmv5BQTMR2HP4=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
@@ -65,16 +71,16 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
-golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA=
-golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -86,13 +92,13 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
-golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
-golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
+golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
+golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -104,8 +110,8 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

parser/configurations_parser.go

@@ -63,6 +63,7 @@ type BeelzebubServiceConfiguration struct {
 	Protocol               string    `yaml:"protocol"`
 	Address                string    `yaml:"address"`
 	Commands               []Command `yaml:"commands"`
+	Tools                  []Tool    `yaml:"tools"`
 	FallbackCommand        Command   `yaml:"fallbackCommand"`
 	ServerVersion          string    `yaml:"serverVersion"`
 	ServerName             string    `yaml:"serverName"`
@@ -86,6 +87,20 @@ type Command struct {
 	Name       string         `yaml:"name"`
 }
 
+// Tool is the struct that contains the configurations of the MCP Honeypot
+type Tool struct {
+	Name        string  `yaml:"name"`
+	Description string  `yaml:"description"`
+	Params      []Param `yaml:"params"`
+	Handler     string  `yaml:"handler"`
+}
+
+// Param is the struct that contains the configurations of the parameters of the tools
+type Param struct {
+	Name        string `yaml:"name"`
+	Description string `yaml:"description"`
+}
+
 type configurationsParser struct {
 	configurationsCorePath             string
 	configurationsServicesDirectory    string

parser/configurations_parser_test.go

@@ -52,6 +52,15 @@ protocol: "http"
 address: ":8080"
 tlsCertPath: "/tmp/cert.crt"
 tlsKeyPath: "/tmp/cert.key"
+tools:
+  - name: "tool:user-account-manager"
+    description: "Tool for querying and modifying user account details. Requires administrator privileges."
+    params:
+      - name: "user_id"
+        description: "The ID of the user account to manage."
+      - name: "action"
+        description: "The action to perform on the user account, possible values are: get_details, reset_password, deactivate_account"
+    handler: "reset_password ok"
 commands:
   - regex: "wp-admin"
     handler: "login"
@@ -154,6 +163,14 @@ func TestReadConfigurationsServicesValid(t *testing.T) {
 	assert.Equal(t, firstBeelzebubServiceConfiguration.Plugin.Prompt, "hello world")
 	assert.Equal(t, firstBeelzebubServiceConfiguration.TLSCertPath, "/tmp/cert.crt")
 	assert.Equal(t, firstBeelzebubServiceConfiguration.TLSKeyPath, "/tmp/cert.key")
+	assert.Equal(t, firstBeelzebubServiceConfiguration.TLSKeyPath, "/tmp/cert.key")
+	assert.Equal(t, len(firstBeelzebubServiceConfiguration.Tools), 1)
+	assert.Equal(t, firstBeelzebubServiceConfiguration.Tools[0].Name, "tool:user-account-manager")
+	assert.Equal(t, firstBeelzebubServiceConfiguration.Tools[0].Description, "Tool for querying and modifying user account details. Requires administrator privileges.")
+	assert.Equal(t, len(firstBeelzebubServiceConfiguration.Tools[0].Params), 2)
+	assert.Equal(t, firstBeelzebubServiceConfiguration.Tools[0].Params[0].Name, "user_id")
+	assert.Equal(t, firstBeelzebubServiceConfiguration.Tools[0].Params[0].Description, "The ID of the user account to manage.")
+	assert.Equal(t, firstBeelzebubServiceConfiguration.Tools[0].Handler, "reset_password ok")
 }
 
 func TestGelAllFilesNameByDirName(t *testing.T) {

protocols/strategies/HTTP/http.go

@@ -138,7 +138,8 @@ func traceRequest(request *http.Request, tr tracer.Tracer, command parser.Comman
 		HostHTTPRequest: request.Host,
 		UserAgent:       request.UserAgent(),
 		Cookies:         mapCookiesToString(request.Cookies()),
-		Headers:         request.Header,
+		Headers:         mapHeaderToString(request.Header),
+		HeadersMap:      request.Header,
 		Status:          tracer.Stateless.String(),
 		RemoteAddr:      request.RemoteAddr,
 		SourceIp:        host,
@@ -155,6 +156,18 @@ func traceRequest(request *http.Request, tr tracer.Tracer, command parser.Comman
 	tr.TraceEvent(event)
 }
 
+func mapHeaderToString(headers http.Header) string {
+	headersString := ""
+
+	for key := range headers {
+		for _, values := range headers[key] {
+			headersString += fmt.Sprintf("[Key: %s, values: %s],", key, values)
+		}
+	}
+
+	return headersString
+}
+
 func mapCookiesToString(cookies []*http.Cookie) string {
 	cookiesString := ""
 

protocols/strategies/MCP/mcp.go

@@ -0,0 +1,86 @@
+package MCP
+
+import (
+	"context"
+	"fmt"
+	"github.com/google/uuid"
+	"github.com/mariocandela/beelzebub/v3/parser"
+	"github.com/mariocandela/beelzebub/v3/tracer"
+	"github.com/mark3labs/mcp-go/mcp"
+	"github.com/mark3labs/mcp-go/server"
+	log "github.com/sirupsen/logrus"
+	"net"
+	"net/http"
+)
+
+type remoteAddrCtxKey struct{}
+
+type MCPStrategy struct {
+}
+
+func (mcpStrategy *MCPStrategy) Init(servConf parser.BeelzebubServiceConfiguration, tr tracer.Tracer) error {
+	mcpServer := server.NewMCPServer(
+		servConf.Description,
+		"1.0.0",
+		server.WithToolCapabilities(false),
+	)
+
+	for _, toolConfig := range servConf.Tools {
+		if toolConfig.Params == nil || len(toolConfig.Params) == 0 {
+			log.Errorf("Tool %s has no parameters defined", toolConfig.Name)
+			continue
+		}
+
+		opts := []mcp.ToolOption{
+			mcp.WithDescription(toolConfig.Description),
+		}
+
+		for _, param := range toolConfig.Params {
+			opts = append(opts,
+				mcp.WithString(
+					param.Name,
+					mcp.Required(),
+					mcp.Description(param.Description),
+				),
+			)
+		}
+
+		tool := mcp.NewTool(toolConfig.Name, opts...)
+
+		mcpServer.AddTool(tool, func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+			host, port, _ := net.SplitHostPort(ctx.Value(remoteAddrCtxKey{}).(string))
+
+			tr.TraceEvent(tracer.Event{
+				Msg:           "New MCP tool invocation",
+				Protocol:      tracer.MCP.String(),
+				Status:        tracer.Stateless.String(),
+				RemoteAddr:    ctx.Value(remoteAddrCtxKey{}).(string),
+				SourceIp:      host,
+				SourcePort:    port,
+				ID:            uuid.New().String(),
+				Description:   servConf.Description,
+				Command:       fmt.Sprintf("%s|%s", request.Params.Name, request.Params.Arguments),
+				CommandOutput: toolConfig.Handler,
+			})
+			return mcp.NewToolResultText(toolConfig.Handler), nil
+		})
+	}
+
+	go func() {
+		httpServer := server.NewStreamableHTTPServer(
+			mcpServer,
+			server.WithHTTPContextFunc(func(ctx context.Context, r *http.Request) context.Context {
+				return context.WithValue(ctx, remoteAddrCtxKey{}, r.RemoteAddr)
+			}),
+		)
+		if err := httpServer.Start(servConf.Address); err != nil {
+			log.Errorf("Failed to start MCP server on %s: %v", servConf.Address, err)
+			return
+		}
+	}()
+	log.WithFields(log.Fields{
+		"port":        servConf.Address,
+		"description": servConf.Description,
+	}).Infof("Init service %s", servConf.Protocol)
+	return nil
+}

tracer/tracer.go

@@ -10,7 +10,6 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
-// Workers is the number of workers that will
 const Workers = 5
 
 type Event struct {
@@ -26,7 +25,8 @@ type Event struct {
 	User            string
 	Password        string
 	Client          string
-	Headers         map[string][]string
+	Headers         string
+	HeadersMap      map[string][]string
 	Cookies         string
 	UserAgent       string
 	HostHTTPRequest string
@@ -49,10 +49,11 @@ const (
 	HTTP Protocol = iota
 	SSH
 	TCP
+	MCP
 )
 
 func (protocol Protocol) String() string {
-	return [...]string{"HTTP", "SSH", "TCP"}[protocol]
+	return [...]string{"HTTP", "SSH", "TCP", "MCP"}[protocol]
 }
 
 const (
@@ -79,6 +80,7 @@ type tracer struct {
 	eventsSSHTotal  prometheus.Counter
 	eventsTCPTotal  prometheus.Counter
 	eventsHTTPTotal prometheus.Counter
+	eventsMCPTotal  prometheus.Counter
 }
 
 var lock = &sync.Mutex{}
@@ -113,6 +115,11 @@ func GetInstance(defaultStrategy Strategy) *tracer {
 					Name:      "http_events_total",
 					Help:      "The total number of HTTP events",
 				}),
+				eventsMCPTotal: promauto.NewCounter(prometheus.CounterOpts{
+					Namespace: "beelzebub",
+					Name:      "mcp_events_total",
+					Help:      "The total number of MCP events",
+				}),
 			}
 
 			for i := 0; i < Workers; i++ {
@@ -149,6 +156,8 @@ func (tracer *tracer) updatePrometheusCounters(protocol string) {
 		tracer.eventsSSHTotal.Inc()
 	case TCP.String():
 		tracer.eventsTCPTotal.Inc()
+	case MCP.String():
+		tracer.eventsMCPTotal.Inc()
 	}
 	tracer.eventsTotal.Inc()
 }

tracer/tracer_test.go

@@ -106,6 +106,7 @@ func TestUpdatePrometheusCounters(t *testing.T) {
 		eventsSSHTotal:  mockCounter{},
 		eventsTCPTotal:  mockCounter{},
 		eventsHTTPTotal: mockCounter{},
+		eventsMCPTotal:  mockCounter{},
 	}
 
 	tracer.updatePrometheusCounters(SSH.String())
@@ -116,4 +117,7 @@ func TestUpdatePrometheusCounters(t *testing.T) {
 
 	tracer.updatePrometheusCounters(TCP.String())
 	assert.Equal(t, 6, counter)
+
+	tracer.updatePrometheusCounters(MCP.String())
+	assert.Equal(t, 8, counter)
 }