|   | /*  | ||
|  |  * honeytrap 1.0.1 configuration file template -- please adjust | ||
|  |  * (c) Tillmann Werner <tillmann.werner@gmx.de> | ||
|  |  */ | ||
|  | 
 | ||
|  | // log to this file | ||
|  | logfile		= "/opt/honeytrap/var/log/honeytrap.log" | ||
|  | 
 | ||
|  | // store process ID in this file | ||
|  | pidfile		= "/var/run/honeytrap.pid" | ||
|  | 
 | ||
|  | /* where to look for default responses | ||
|  |  * these are sent for connections handled in "normal mode" */ | ||
|  | response_dir	= "/opt/honeytrap/etc/honeytrap/responses" | ||
|  | 
 | ||
|  | // replace RFC 1918 (private-range) IP addresses with the attacking IP address | ||
|  | replace_private_ips = "no" | ||
|  | 
 | ||
|  | // bind dynamic servers to a specific address (left unset, they are presumably bound on all interfaces -- confirm before exposing anything beyond the honeypot NIC) | ||
|  | //bind_address = "127.0.0.1" | ||
|  | 
 | ||
|  | /* put network interface into promiscuous mode | ||
|  |  * (only available when compiled with --with-stream-mon=pcap) */ | ||
|  | //promisc = "on" | ||
|  | 
 | ||
|  | /* the user and group under which honeytrap should run | ||
|  |  * use a dedicated unprivileged account -- never root, since this process parses attacker-supplied data */ | ||
|  | user	= "honeytrap" | ||
|  | group	= "honeytrap" | ||
|  | 
 | ||
|  | // upper bound on data read (20971520 bytes = 20 MB); limits the memory/disk a single attacker can consume (DoS mitigation) | ||
|  | read_limit = "20971520" | ||
|  | 
 | ||
|  | 
 | ||
|  | /* ----- plugin stuff below ----- */ | ||
|  | 
 | ||
|  | /* where to look for plugins | ||
|  |    needs to be set before loading plugins */ | ||
|  | plugin_dir	= "/opt/honeytrap/etc/honeytrap/plugins" | ||
|  | 
 | ||
|  | 
 | ||
|  | // include a plugin via plugin-[ModuleName] = "" | ||
|  | 
 | ||
|  | // plugin-magicPE = "" | ||
|  | plugin-ftpDownload = "" | ||
|  | plugin-tftpDownload = "" | ||
|  | plugin-b64Decode = "" | ||
|  | plugin-deUnicode = "" | ||
|  | plugin-vncDownload = "" | ||
|  | 
 | ||
|  | 
 | ||
|  | // store attacks on disk | ||
|  | plugin-SaveFile = { | ||
|  | 	attacks_dir	= "/opt/honeytrap/var/attacks" | ||
|  | 	downloads_dir	= "/opt/honeytrap/var/downloads" | ||
|  | } | ||
|  | 
 | ||
|  | 
 | ||
|  | // plugin for shellcode detection and emulation | ||
|  | /* | ||
|  | plugin-cpuEmu = { | ||
|  | 	execute_shellcode = "no" | ||
|  | 	createprocess_cmd = "/bin/sh -c \"cd /opt/honeytrap-libemu/.wine/drive_c/windows/system32; WINEPREFIX='/opt/honeytrap-libemu/.wine/' WINEDEBUG='-all' wine 'c:\\windows\\system32\\cmd_orig.exe'\"" | ||
|  | } | ||
|  | */ | ||
|  | 
 | ||
|  | 
 | ||
|  | 
 | ||
|  | // scan downloaded samples with ClamAV engine | ||
|  | /* | ||
|  | plugin-ClamAV = { | ||
|  | 	temp_dir	= "/tmp" | ||
|  | 	clamdb_path	= "/var/lib/clamav" | ||
|  | } | ||
|  | */ | ||
|  | 
 | ||
|  | 
 | ||
|  | // calculate locality sensitive hashes | ||
|  | /* | ||
|  | plugin-SpamSum = { | ||
|  | 	md5sum_sigfile	= "/opt/honeytrap/md5sum.sigs" | ||
|  | 	spamsum_sigfile	= "/opt/honeytrap/spamsum.sigs" | ||
|  | } | ||
|  | */ | ||
|  | 
 | ||
|  | plugin-logAttacker = { logfile = "/opt/honeytrap/var/log/attacker.log" } | ||
|  | 
 | ||
|  | // log attack details in JSON format | ||
|  | plugin-logJSON = { logfile = "/opt/honeytrap/var/log/attackers.json" } | ||
|  | 
 | ||
|  | 
 | ||
|  | // store attacks in a PostgreSQL database (db_pass is a credential: keep this file readable only by root/honeytrap and never commit real values) | ||
|  | /* | ||
|  | plugin-SavePostgres = { | ||
|  | 	db_host	= "localhost" | ||
|  | 	db_name	= "some_db" | ||
|  | 	db_user	= "some_user" | ||
|  | 	db_pass	= "some_pass" | ||
|  | //	db_port = "some_port"	// defaults to 5432/tcp if not set | ||
|  | } | ||
|  | */ | ||
|  | 
 | ||
|  | 
 | ||
|  | // invoke an external program (e.g. wget) to download files via http; the URL is presumably taken from the attack payload, so keep the options restrictive (short timeout, single retry, output to stdout) and constrain the host's egress | ||
|  | /* | ||
|  | plugin-httpDownload = { | ||
|  | 	http_program = "/usr/bin/wget" | ||
|  | 	http_options = "-q -t1 -T1 -O-" | ||
|  | } | ||
|  | */ | ||
|  | 
 | ||
|  | 
 | ||
|  | // submit downloaded malware samples to the mwcollect alliance (guid and secret are credentials -- protect this file accordingly) | ||
|  | /* | ||
|  | plugin-submitMWserv = { | ||
|  | 	mwserv_url      = "https://submission-url/" | ||
|  | 	guid            = "your-guid" | ||
|  | 	maintainer      = "your-maintainer"  | ||
|  | 	secret          = "your-secret" | ||
|  | 	timeout		= "120" | ||
|  | } | ||
|  | */ | ||
|  | 
 | ||
|  | /* ----- port mode configuration below ----- */ | ||
|  | 
 | ||
|  | // default port configuration (ignore, normal or mirror) | ||
|  | //   ignore: just ignore connection attempts | ||
|  | //   normal: send a default response from response_dir | ||
|  | //   mirror: mirror connections back to the initiator, i.e. the honeypot itself opens outbound connections to the attacker's host (use with caution!) | ||
|  | portconf_default = "normal" | ||
|  | 
 | ||
|  | // explicit port configuration | ||
|  | /* portconf = { | ||
|  | 	// ignore connection requests on these ports | ||
|  | 	ignore = { | ||
|  | 		protocol	= "tcp" | ||
|  | 		port		= "22"  | ||
|  | 	} | ||
|  | } | ||
|  | */ | ||
|  | 
 | ||
|  | // include a file | ||
|  | //include = "ports.conf" |