Skip to content

FlowchartDiagram

Mohammad AbuDayeh edited this page May 13, 2026 · 1 revision

Flowchart Diagram – WISETrap Honeypot System

The Flowchart Diagram illustrates the internal workflow of the WISETrap honeypot system from the moment an attacker interacts with the trap endpoint until the administrator receives a security alert.

This diagram demonstrates how the system detects suspicious requests, records attack information, stores logs, and triggers real-time notifications.


System Overview

WISETrap is a web-based credential honeypot designed to simulate a vulnerable environment by intentionally exposing a fake credential file located at:

https://honeypot.wise.local/login.txt

When an attacker or automated bot accesses the trap endpoint or attempts to use the exposed credentials, the system automatically processes the request, logs the activity, and sends an alert notification to the administrator.


Workflow Description

1. Start

The monitoring process begins when the WISETrap system is active and waiting for incoming HTTP requests.


2. Receive HTTP Request

The system receives an incoming request from:

  • Attacker
  • Bot
  • Scanner
  • External user

The request may target:

  • /login.txt
  • Fake login page
  • Honeypot endpoints

3. Request Validation

The system analyzes the request and determines whether the activity is suspicious.

Examples:

  • Accessing exposed trap files
  • Attempting fake credentials
  • Suspicious scanning behavior

4. Decision Process

If the request is NOT suspicious:

  • The request is ignored
  • No alert is generated
  • Monitoring continues

If the request IS suspicious:

The system proceeds to the logging and alert stages.


5. Log Request Details

The system records:

  • IP Address
  • Requested URL
  • Timestamp
  • User Agent
  • Request information

6. Store Data in Database

The collected attack data is securely stored inside the honeypot database for monitoring and future analysis.


7. Send Alert Notification

The system generates an alert message and sends it through the configured email service.

The alert may contain:

  • Attacker IP
  • Accessed endpoint
  • Timestamp
  • Request details

8. Administrator Receives Alert

The administrator receives the notification in real time and can:

  • View attack logs
  • Analyze suspicious activity
  • Monitor attacker behavior
  • Take defensive action if needed

9. Continue Monitoring

After processing the request, the system returns to monitoring mode and waits for additional incoming requests.


Actors Involved

Attacker / Bot

Attempts to access trap resources or exploit fake credentials.

WISETrap System

Processes requests, logs suspicious activity, and generates alerts.

Database

Stores collected request and attack information.

Email Service

Delivers alert notifications to the administrator.

Administrator

Receives alerts and monitors the honeypot system.


Flowchart Diagram

Flowchart Diagram


Purpose

The purpose of this flowchart is to describe the operational workflow of the WISETrap honeypot system and demonstrate how suspicious requests are detected, processed, logged, and reported using deception-based security techniques.


Notes

  • The system only logs suspicious activity.
  • All request data is stored securely.
  • Alerts are sent in real time.
  • The administrator continuously monitors the honeypot environment.
  • The workflow is fully automated after detection.

Clone this wiki locally