Awesome
High Interaction Honeypots with Sysdig and Falco
Sysdig is an open source tool, which can capture and save system state and activity from a running Linux machine. Falco, an open source tool as well, is a behavioral activity monitor designed to detect anomalous activity in applications. Falco can detect and alert on any behavior that involves making Linux system calls.
Description
The honeypot_recipes repository contains a chef cookbook which can be used to quickly deploy a high interaction honeypot, using the sysdig and falco tools. The cookbook can be deployed under Red Hat, CentOS, Fedora, Ubuntu and Debian operating systems.
The cookbook installs sysdig and falco tools. In addition it creates an init script under /etc/init.d/ directory which starts sysdig in file roration mode for continuous capture. All the files that sysdig produces are written under the /local/usr/src/ directory, which can be changed by modifing the init scirpt.
How to run the cookbook
In order to run the cookbook you should install:
- git
- chefdk https://downloads.chef.io/chefdk
Create a directory named cookbooks and clone the repository in the new directory:
mkdir cookbooks && cd cookbooks
git clone https://github.com/mwrlabs/honeypot_recipes sysdig-falco
Run the cookbook with the following command:
chef-client --local-mode --runlist 'recipe[sysdig-falco]'
License
The cookbook is released under a 3-clause BSD License and maintained by MWR Info-Security. See the LICENSE
file for details.
Contact
Please submit any bugs on the Github project page at:
https://github.com/panagioto/honeypot_recipes
or give me a shout on twitter @den_n1s