Simple (under 90 LOC), yet functional honeypot with syslog and file-based logging.

Usage:

yahpot.py [-h] [-t {http,https}] [-d DECOY] [-f FILE] [-l LOG] [-p PORT] [-k KEYFILE] [-c CERTFILE]
HTTP server on port 8080 serving the apache2 welcome page as decoy, logging to yahpot.log:

yahpot.py -t http -d apache2/localhost/index.html -l yahpot.log -p 8080

HTTPS server on port 443 serving the apache2 welcome page as decoy, logging to /var/log/syslog:

yahpot.py -t https -d apache2/localhost/index.html -l syslog -k key.pem -c cert.pem
The queries directory contains a few KQL (Kusto Query Language) queries I use for analyzing Yahpot logs in Microsoft Sentinel.

The tools directory contains useful scripts for parsing Yahpot log files and more.
yah2otx parses Yahpot logs and sends the IP addresses of hosts that hit the honeypot to OTX (Open Threat eXchange) as IOCs. A local sqlite3 database is created to keep track of IP addresses that have already been parsed, so the same IP is not submitted twice. If the target pulse doesn't exist, it will be created.

Be aware that in order to use yah2otx you need to set the environment variable OTX_API_KEY to your Open Threat eXchange API key.

Usage:

yah2otx.py [-h] -l {syslog,ylog} logfile pulse
Parse a syslog file and upload IOCs to the pulse named "Web hits":

yah2otx.py -l syslog /var/log/syslog "Web hits"

Parse a yahpot.log file and upload IOCs to the pulse named "New web hits":

yah2otx.py -l ylog yahpot.log "New web hits"
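The core of what yah2otx does, as an added example (not the project's own code): parse honeypot hit lines, remember each source IP in a sqlite3 table so it is only reported once, and build the list of IPv4 indicators that would be attached to the pulse. The log line layout (timestamp, client IP, request line) and the indicator dict shape are assumptions, since neither is shown on this page; the upload step itself is left out.

```python
import re
import sqlite3

# Constructed sample hits in the layout this example ASSUMES: an ISO timestamp,
# the client IP, then the request line. Adjust LINE_RE to the real yahpot.log format.
SAMPLE_LOG = """\
2024-01-01T10:00:01 198.51.100.7 GET /
2024-01-01T10:00:05 198.51.100.7 GET /.env
2024-01-01T10:01:13 203.0.113.9 GET /wp-login.php
not a valid log line
2024-01-01T10:02:44 192.0.2.21 GET /index.html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<req>.+)$"
)


def open_seen_db(path=":memory:"):
    """Create (or reopen) the sqlite3 table that remembers already-parsed IPs.
    Pass a file path to persist state between runs, as yah2otx does."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS seen (ip TEXT PRIMARY KEY, first_seen TEXT)"
    )
    return conn


def extract_new_iocs(log_text, conn):
    """Return indicator dicts (assumed OTX-style shape) for IPs not seen before.
    Lines that do not match the expected layout are skipped, not fatal."""
    indicators = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        # PRIMARY KEY on ip makes the repeat hit from 198.51.100.7 a no-op:
        # rowcount is 1 only when the row was actually inserted.
        cur = conn.execute(
            "INSERT OR IGNORE INTO seen VALUES (?, ?)", (ip, m.group("ts"))
        )
        if cur.rowcount == 1:
            indicators.append(
                {"indicator": ip, "type": "IPv4", "description": m.group("req")}
            )
    conn.commit()
    return indicators
```

Running it a second time over the same log returns an empty list, which is the behaviour that keeps the pulse free of duplicate indicators.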