mirror of
https://github.com/telekom-security/tpotce.git
synced 2025-07-02 01:27:27 -04:00
144 lines
3.3 KiB
Plaintext
144 lines
3.3 KiB
Plaintext
/*
|
|
* honeytrap 1.0.1 configuration file template -- please adjust
|
|
* (c) Tillmann Werner <tillmann.werner@gmx.de>
|
|
*/
|
|
|
|
// log to this file
|
|
logfile = "/opt/honeytrap/var/log/honeytrap.log"
|
|
|
|
// store process ID in this file
|
|
pidfile = "/var/run/honeytrap.pid"
|
|
|
|
/* where to look for default responses
|
|
* these are sent for connections handled in "normal mode" */
|
|
response_dir = "/opt/honeytrap/etc/honeytrap/responses"
|
|
|
|
// replace rfc1918 IP addresses with attacking IP address
|
|
replace_private_ips = "no"
|
|
|
|
// bind dynamic servers to a specific address
|
|
//bind_address = "127.0.0.1"
|
|
|
|
/* put network interface into promiscuous mode
|
|
* (only availabel when compiled with --with-stream-mon=pcap) */
|
|
//promisc = "on"
|
|
|
|
/* the user and group under which honeytrap should run
|
|
* should be set to non-root */
|
|
user = "honeytrap"
|
|
group = "honeytrap"
|
|
|
|
// do not read more than 20 MB - used to prevent DoS attacks
|
|
read_limit = "20971520"
|
|
|
|
|
|
/* ----- plugin stuff below ----- */
|
|
|
|
/* where to look for plugins
|
|
needs to be set before loading plugins */
|
|
plugin_dir = "/opt/honeytrap/etc/honeytrap/plugins"
|
|
|
|
|
|
// include a plugin via plugin-[ModuleName] = ""
|
|
|
|
// plugin-magicPE = ""
|
|
plugin-ftpDownload = ""
|
|
plugin-tftpDownload = ""
|
|
plugin-b64Decode = ""
|
|
plugin-deUnicode = ""
|
|
plugin-vncDownload = ""
|
|
|
|
|
|
// store attacks on disk
|
|
plugin-SaveFile = {
|
|
attacks_dir = "/opt/honeytrap/var/attacks"
|
|
downloads_dir = "/opt/honeytrap/var/downloads"
|
|
}
|
|
|
|
|
|
// plugin for shellcode detection and emulation
|
|
/*
|
|
plugin-cpuEmu = {
|
|
execute_shellcode = "no"
|
|
createprocess_cmd = "/bin/sh -c \"cd /opt/honeytrap-libemu/.wine/drive_c/windows/system32; WINEPREFIX='/opt/honeytrap-libemu/.wine/' WINEDEBUG='-all' wine 'c:\\windows\\system32\\cmd_orig.exe'\""
|
|
}
|
|
*/
|
|
|
|
|
|
|
|
// scan downloaded samples with ClamAV engine
|
|
/*
|
|
plugin-ClamAV = {
|
|
temp_dir = "/tmp"
|
|
clamdb_path = "/var/lib/clamav"
|
|
}
|
|
*/
|
|
|
|
|
|
// calculate locality sensitive hashes
|
|
/*
|
|
plugin-SpamSum = {
|
|
md5sum_sigfile = "/opt/honeytrap/md5sum.sigs"
|
|
spamsum_sigfile = "/opt/honeytrap/spamsum.sigs"
|
|
}
|
|
*/
|
|
|
|
plugin-logAttacker = { logfile = "/opt/honeytrap/var/log/attacker.log" }
|
|
|
|
// log attack details in JSON format
|
|
plugin-logJSON = { logfile = "/opt/honeytrap/var/log/attackers.json" }
|
|
|
|
|
|
// store attacks in PostgeSQL database
|
|
/*
|
|
plugin-SavePostgres = {
|
|
db_host = "localhost"
|
|
db_name = "some_db"
|
|
db_user = "some_user"
|
|
db_pass = "some_pass"
|
|
// db_port = "some_port" // defaults to 5432/tcp if not set
|
|
}
|
|
*/
|
|
|
|
|
|
// invoke an external program (f.e. wget) to download files via http
|
|
/*
|
|
plugin-httpDownload = {
|
|
http_program = "/usr/bin/wget"
|
|
http_options = "-q -t1 -T1 -O-"
|
|
}
|
|
*/
|
|
|
|
|
|
// submit downloaded malware samples to the mwcollect alliance
|
|
/*
|
|
plugin-submitMWserv = {
|
|
mwserv_url = "https://submission-url/"
|
|
guid = "your-guid"
|
|
maintainer = "your-maintainer"
|
|
secret = "your-secret"
|
|
timeout = "120"
|
|
}
|
|
*/
|
|
|
|
/* ----- port mode configuration below ----- */
|
|
|
|
// default port configuration (ignore, normal or mirror)
|
|
// ignore: just ignore connection attempts
|
|
// normal: send a default response
|
|
// mirror: mirror connections back to the initiator (use with caution!)
|
|
portconf_default = "normal"
|
|
|
|
// explicit port configuration
|
|
/* portconf = {
|
|
// ignore connection requests on these ports
|
|
ignore = {
|
|
protocol = "tcp"
|
|
port = "22"
|
|
}
|
|
}
|
|
*/
|
|
|
|
// include a file
|
|
//include = "ports.conf"
|