The ravenous and greedy one.
Freki is a tool for manipulating packets in userspace. Using iptable's raw table, packets are routed down into userspace where freki takes over. A set of rules is applied allowing for a large amount of flexibility. For example, you can forward all TCP ports to an HTTP honeypot and log the requests. Or you can proxy TCP port 22 into a docker container running an ssh honeypot.
There are currently two builtin loggers:
log_tcp: reads up to 1024 bytes from the connection, and then closes it.
log_http: sends a 200 OK back on every request.
Additionally, there are three mangling behaviors:
rewrite: Rewrites the incoming packet's destination port
proxy: Creates a TCP proxy for the connection to the specified target (can be an IP address, host name, or docker container)
user_conn: When using freki as a library, invoke a user-specified
callback with a
$ ./bin/freki --help Usage: freki [options] [-v ...] -i=<interface> -r=<rules> freki -h | --help | --version Options: -i --interface=<iface> Bind to this interface. -r --rules=<rules> Rules file. -h --help Show this screen. --version Show version. -v Enable verbose logging (-vv for very verbose)
requires: go 1.7+, libnetfilter-queue-dev>=1.0.0, libpcap-dev, iptables-dev
Rules are applied in order (top down) and stop after a match is found. The
match field (required) is written using BPF filter syntax. Note: not all filters may apply. For example, the ethernet src and dst headers are generally zero'd out.
rules: # allow packets from your machine (188.8.131.52) to reach your ssh server - match: tcp dst port 22 and src host 184.108.40.206 type: passthrough # send all tcp coming in on 10022 to 22 - match: tcp dst port 10022 type: rewrite target: 22 # proxy all packets coming in on 6379 on to a container named 'redis' (must exist at the time freki starts) - match: tcp dst port 6379 type: proxy target: docker://redis:6379 # proxy all packets coming in on 666 out to portquiz.net:666 - match: tcp dst port 666 type: proxy target: tcp://portquiz.net:666 # log http requests on 80 and 8080 - match: tcp port 80 or tcp port 8080 type: log_http # pass connections on 7000 through 8000 to a registered handler called 'echo' - match: tcp portrange 7000-8000 type: conn_handler target: echo # drop (no FIN, nothing!) - match: tcp portrange 5000-5010 type: drop # forward all remaining tcp packets to a tcp logger. grabs 1024 bytes and then closes. - match: tcp type: log_tcp - match: type: passthrough
If freki hangs or panics, it may leave two iptables rules in place.
The simple fix is:
sudo iptables -t raw -F.
freki is distributed under the terms of the MIT License.