The Honeytrap project is a software tool designed to detect and capture attacks against TCP services by luring attackers into a decoy system, known as a "honeypot." This allows for the identification and analysis of attack methods and techniques for improved security measures.
The process of collecting information related to attacks is performed entirely within the core system, while further processing such as automated analysis can be done with plugins that load dynamically at runtime. This guarantees easy expandability without having to shut down or recompile the software.
Honeytrap offers a different approach to honeypot technology where instead of emulating services or well-known vulnerabilities in services, it traps unknown attacks. If the honeytrap daemon detects a request to an unbound TCP port, it starts a server process to handle the incoming connection, enabling users to intercept attacks right when they occur regardless of whether they are known or not.
Honeytrap makes use of connection monitors to extract TCP connection attempts from a network stream. Currently, two types of connection monitors are available: a libpcap-based sniffer and an iptables rule that delivers the SYN packets of new connections to honeytrap. The former is the default monitor because of its portability, while the latter, although more stealthy, is not as efficient.
Version 1.0.0: N/A