/* * honeytrap 1.0.1 configuration file template -- please adjust * (c) Tillmann Werner */ // log to this file logfile = "/opt/honeytrap/var/log/honeytrap.log" // store process ID in this file pidfile = "/var/run/honeytrap.pid" /* where to look for default responses * these are sent for connections handled in "normal mode" */ response_dir = "/opt/honeytrap/etc/honeytrap/responses" // replace rfc1918 IP addresses with attacking IP address replace_private_ips = "no" // bind dynamic servers to a specific address //bind_address = "127.0.0.1" /* put network interface into promiscuous mode * (only availabel when compiled with --with-stream-mon=pcap) */ //promisc = "on" /* the user and group under which honeytrap should run * should be set to non-root */ user = "honeytrap" group = "honeytrap" // do not read more than 20 MB - used to prevent DoS attacks read_limit = "20971520" /* ----- plugin stuff below ----- */ /* where to look for plugins needs to be set before loading plugins */ plugin_dir = "/opt/honeytrap/etc/honeytrap/plugins" // include a plugin via plugin-[ModuleName] = "" // plugin-magicPE = "" plugin-ftpDownload = "" plugin-tftpDownload = "" plugin-b64Decode = "" plugin-deUnicode = "" plugin-vncDownload = "" // store attacks on disk plugin-SaveFile = { attacks_dir = "/opt/honeytrap/var/attacks" downloads_dir = "/opt/honeytrap/var/downloads" } // plugin for shellcode detection and emulation /* plugin-cpuEmu = { execute_shellcode = "no" createprocess_cmd = "/bin/sh -c \"cd /opt/honeytrap-libemu/.wine/drive_c/windows/system32; WINEPREFIX='/opt/honeytrap-libemu/.wine/' WINEDEBUG='-all' wine 'c:\\windows\\system32\\cmd_orig.exe'\"" } */ // scan downloaded samples with ClamAV engine /* plugin-ClamAV = { temp_dir = "/tmp" clamdb_path = "/var/lib/clamav" } */ // calculate locality sensitive hashes /* plugin-SpamSum = { md5sum_sigfile = "/opt/honeytrap/md5sum.sigs" spamsum_sigfile = "/opt/honeytrap/spamsum.sigs" } */ plugin-logAttacker = { logfile = "/opt/honeytrap/var/log/attacker.log" } // log attack details in JSON format plugin-logJSON = { logfile = "/opt/honeytrap/var/log/attackers.json" } // store attacks in PostgeSQL database /* plugin-SavePostgres = { db_host = "localhost" db_name = "some_db" db_user = "some_user" db_pass = "some_pass" // db_port = "some_port" // defaults to 5432/tcp if not set } */ // invoke an external program (f.e. wget) to download files via http /* plugin-httpDownload = { http_program = "/usr/bin/wget" http_options = "-q -t1 -T1 -O-" } */ // submit downloaded malware samples to the mwcollect alliance /* plugin-submitMWserv = { mwserv_url = "https://submission-url/" guid = "your-guid" maintainer = "your-maintainer" secret = "your-secret" timeout = "120" } */ /* ----- port mode configuration below ----- */ // default port configuration (ignore, normal or mirror) // ignore: just ignore connection attempts // normal: send a default response // mirror: mirror connections back to the initiator (use with caution!) portconf_default = "normal" // explicit port configuration /* portconf = { // ignore connection requests on these ports ignore = { protocol = "tcp" port = "22" } } */ // include a file //include = "ports.conf"