/*
 * honeytrap 1.0.1 configuration file template -- please adjust
 * (c) Tillmann Werner <tillmann.werner@gmx.de>
 *
 * Layout used throughout this file:
 *   key = "value"            simple setting (values are always quoted)
 *   plugin-Name = { ... }    plugin with its own settings
 * Comment-style is C-like; blocks wrapped in comment markers below are
 * disabled templates and are not read by honeytrap until uncommented.
 */

// log to this file
logfile		= "/opt/honeytrap/var/log/honeytrap.log"

// store process ID in this file
// NOTE(review): honeytrap is configured further down to run as the non-root
// user "honeytrap"; confirm that user can create/update this path on the host
pidfile		= "/var/run/honeytrap.pid"

/* where to look for default responses
 * these are sent for connections handled in "normal mode"
 * (see portconf_default below) */
response_dir	= "/opt/honeytrap/etc/honeytrap/responses"

// replace rfc1918 IP addresses with attacking IP address
// yes/no -- disabled in this template
replace_private_ips = "no"

// bind dynamic servers to a specific address
// (commented out here, i.e. no explicit bind address is set)
//bind_address = "127.0.0.1"

/* put network interface into promiscuous mode
 * (only available when compiled with --with-stream-mon=pcap)
 * commented out here, i.e. promiscuous mode is not requested */
//promisc = "on"

/* the user and group under which honeytrap should run
 * should be set to non-root -- use a dedicated, unprivileged account */
user	= "honeytrap"
group	= "honeytrap"

// do not read more than 20 MB - used to prevent DoS attacks
// value is in bytes (20971520 = 20 * 1024 * 1024)
read_limit = "20971520"


/* ----- plugin stuff below ----- */

/* where to look for plugins
   needs to be set before loading plugins */
plugin_dir	= "/opt/honeytrap/etc/honeytrap/plugins"


// include a plugin via plugin-[ModuleName] = ""
// (an empty value loads the plugin with its defaults; a { ... } block
//  supplies plugin-specific settings, see the examples below)

// plugin-magicPE = ""
plugin-ftpDownload = ""
plugin-tftpDownload = ""
plugin-b64Decode = ""
plugin-deUnicode = ""
plugin-vncDownload = ""


// store attacks on disk
// NOTE(review): attacks_dir / downloads_dir presumably hold captured attack
// data and fetched samples -- treat their contents as hostile and keep the
// directories readable only by the honeytrap user and analysts
plugin-SaveFile = {
	attacks_dir	= "/opt/honeytrap/var/attacks"
	downloads_dir	= "/opt/honeytrap/var/downloads"
}


// plugin for shellcode detection and emulation
// (disabled template; execute_shellcode is left at "no" here)
/*
plugin-cpuEmu = {
	execute_shellcode = "no"
	createprocess_cmd = "/bin/sh -c \"cd /opt/honeytrap-libemu/.wine/drive_c/windows/system32; WINEPREFIX='/opt/honeytrap-libemu/.wine/' WINEDEBUG='-all' wine 'c:\\windows\\system32\\cmd_orig.exe'\""
}
*/



// scan downloaded samples with ClamAV engine
// (disabled template)
/*
plugin-ClamAV = {
	temp_dir	= "/tmp"
	clamdb_path	= "/var/lib/clamav"
}
*/


// calculate locality sensitive hashes
// (disabled template; paths point at the signature files to compare against)
/*
plugin-SpamSum = {
	md5sum_sigfile	= "/opt/honeytrap/md5sum.sigs"
	spamsum_sigfile	= "/opt/honeytrap/spamsum.sigs"
}
*/

// log file written by the logAttacker plugin
plugin-logAttacker = { logfile = "/opt/honeytrap/var/log/attacker.log" }

// log attack details in JSON format
plugin-logJSON = { logfile = "/opt/honeytrap/var/log/attackers.json" }


// store attacks in PostgreSQL database
// (disabled template; replace the some_* placeholders before enabling)
// NOTE: db_pass is kept in clear text in this file -- if enabled, restrict
// read access to this file to the honeytrap user and its administrators
/*
plugin-SavePostgres = {
	db_host	= "localhost"
	db_name	= "some_db"
	db_user	= "some_user"
	db_pass	= "some_pass"
//	db_port = "some_port"	// defaults to 5432/tcp if not set
}
*/


// invoke an external program (e.g. wget) to download files via http
// (disabled template; the wget options shown mean: quiet, one try,
//  1 second timeout, write to stdout)
/*
plugin-httpDownload = {
	http_program = "/usr/bin/wget"
	http_options = "-q -t1 -T1 -O-"
}
*/


// submit downloaded malware samples to the mwcollect alliance
// (disabled template; fill in url, guid, maintainer and secret)
// NOTE: secret is kept in clear text in this file -- if enabled, restrict
// read access to this file accordingly
// timeout is given in seconds
/*
plugin-submitMWserv = {
	mwserv_url      = "https://submission-url/"
	guid            = "your-guid"
	maintainer      = "your-maintainer"
	secret          = "your-secret"
	timeout		= "120"
}
*/

/* ----- port mode configuration below ----- */

// default port configuration (ignore, normal or mirror)
//   ignore: just ignore connection attempts
//   normal: send a default response
//   mirror: mirror connections back to the initiator (use with caution!)
portconf_default = "normal"

// explicit port configuration
// (disabled example: per-port overrides of portconf_default, keyed by
//  protocol and port)
/* portconf = {
	// ignore connection requests on these ports
	ignore = {
		protocol	= "tcp"
		port		= "22"
	}
}
*/

// include a file
// (commented out, nothing is included)
//include = "ports.conf"
