Also see https://github.com/jpegleg/honey-cycle The honey-cycle daemon cleans up after net-gargoyle2 and also collects pcaps.
Track IP addresses and connection state changes along with running processes.
A basic HIDS component and/or honeypot that stores data in the working directory of the exeution to gargoyle.db, an sqlite3 database file.
The intent is to be a minimal set of functions and structures for a transactional-at-change local blockchain, bassed on active network connections and running processes, and hashes of those outputs.
sudo bash ./install
net-gargoyle
systemctl start net-gargoyle
systemctl stop net-gargoyle
kill-netg
reportIps
If you have or estblish a hash that is an expected state you want to remember it can go in /etc/normstate.cfg
To run with STDOUT log, rather than use net-gargoyle, call net_mon.py directly with arguments like so:
cd /opt/net-gargoyle/workspace
source ngvenv/bin/activate
python3 net_mon.py 1 $(cat /etc/normstate.cfg || echo -n NOTSET)
cd /opt/net-gargoyle/workspace
source ngvenv/bin/activate
python3 net_check.py | less -S
The file $PWD/gargoyle.json for net_mon.py contains byte size integers for configuring the maximum size of the gargoyle.db during runtime and during startup.
Example default gargoyle.json set to 500 MB for both values:
{
"MAXSTARTSIZE": "500000000",
"MAXRUNSIZE": "500000000"
}
When the gargoyle.db is rotated at start up or run time because it hit a limit, a copy is made in /opt/net-gargoyle/ The files start with g_ and contain a timestamp.