- Delilah – Elasticsearch Honeypot written in Python (originally from Novetta).
- ESPot – Elasticsearch honeypot written in NodeJS, to capture every attempts to exploit CVE-2014-3120.
- Elastic honey – Simple Elasticsearch Honeypot.
- HoneyMysql – Simple Mysql honeypot project.
- MongoDB-HoneyProxy – MongoDB honeypot proxy.
- MongoDB-HoneyProxyPy – MongoDB honeypot proxy by python3.
- NoSQLpot – Honeypot framework built on a NoSQL-style database.
- mysql-honeypotd – Low interaction MySQL honeypot written in C.
- MysqlPot – MySQL honeypot, still very early stage.
- pghoney – Low-interaction Postgres Honeypot.
- sticky_elephant – Medium interaction postgresql honeypot.
- Bukkit Honeypot – Honeypot plugin for Bukkit.
- EoHoneypotBundle – Honeypot type for Symfony2 forms.
- Glastopf – Web Application Honeypot.
- Google Hack Honeypot – Designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources.
- Laravel Application Honeypot – Simple spam prevention package for Laravel applications.
- Nodepot – NodeJS web application honeypot.
- Servletpot – Web application Honeypot.
- Shadow Daemon – Modular Web Application Firewall / High-Interaction Honeypot for PHP, Perl, and Python apps.
- StrutsHoneypot – Struts Apache 2 based honeypot as well as a detection module for Apache 2 servers.
- WebTrap – Designed to create deceptive webpages to deceive and redirect attackers away from real websites.
- basic-auth-pot (bap) – HTTP Basic Authentication honeypot.
- bwpot – Breakable Web applications honeyPot.
- django-admin-honeypot – Fake Django admin login screen to notify admins of attempted unauthorized access.
- drupo – Drupal Honeypot.
- honeyhttpd – Python-based web server honeypot builder.
- phpmyadmin_honeypot – Simple and effective phpMyAdmin honeypot.
- shockpot – WebApp Honeypot for detecting Shell Shock exploit attempts.
- smart-honeypot – PHP Script demonstrating a smart honey pot.
- Snare/Tanner – successors to Glastopf
- stack-honeypot – Inserts a trap for spam bots into responses.
- tomcat-manager-honeypot – Honeypot that mimics Tomcat manager endpoints. Logs requests and saves attacker’s WAR file for later study
- WordPress honeypots
- ADBHoney – Low interaction honeypot that simulates an Android device running Android Debug Bridge (ADB) server process.
- AMTHoneypot – Honeypot for Intel’s AMT Firmware Vulnerability CVE-2017-5689.
- Ensnare – Easy to deploy Ruby honeypot.
- HoneyPy – Low interaction honeypot.
- Honeygrove – Multi-purpose modular honeypot based on Twisted.
- Honeyport – Simple honeyport written in Bash and Python.
- Honeyprint – Printer honeypot.
- Lyrebird – Modern high-interaction honeypot framework.
- MICROS honeypot – Low interaction honeypot to detect CVE-2018-2636 in the Oracle Hospitality Simphony component of Oracle Hospitality Applications (MICROS).
- RDPy – Microsoft Remote Desktop Protocol (RDP) honeypot implemented in Python.
- SMB Honeypot – High interaction SMB service honeypot capable of capturing wannacry-like Malware.
- Tom’s Honeypot – Low interaction Python honeypot.
- WebLogic honeypot – Low interaction honeypot to detect CVE-2017-10271 in the Oracle WebLogic Server component of Oracle Fusion Middleware.
- WhiteFace Honeypot – Twisted based honeypot for WhiteFace.
- honeycomb_plugins – Plugin repository for Honeycomb, the honeypot framework by Cymmetria.
- honeyntp – NTP logger/honeypot.
- honeypot-camera – Observation camera honeypot.
- honeypot-ftp – FTP Honeypot.
- honeytrap – Advanced Honeypot framework written in Go that can be connected with other honeypot software.
- pyrdp – RDP man-in-the-middle and library for Python 3 with the ability to watch connections live or after the fact.
- troje – Honeypot that runs each connection with the service within a seperate LXC container.
- DemonHunter – Low interaction honeypot server.
- kippo_detect – Offensive component that detects the presence of the kippo honeypot.
- Conpot – ICS/SCADA honeypot.
- GasPot – Veeder Root Gaurdian AST, common in the oil and gas industry.
- SCADA honeynet – Building Honeypots for Industrial Networks.
- gridpot – Open source tools for realistic-behaving electric grid honeynets.
- scada-honeynet – Mimics many of the services from a popular PLC and better helps SCADA researchers understand potential risks of exposed control system devices.
- Damn Simple Honeypot (DSHP) – Honeypot framework with pluggable handlers.
- NOVA – Uses honeypots as detectors, looks like a complete system.
- OpenFlow Honeypot (OFPot) – Redirects traffic for unused IPs to a honeypot, built on POX.
- OpenCanary – Modular and decentralised honeypot daemon that runs several canary versions of services that alerts when a service is (ab)used.
- ciscoasa_honeypot A low interaction honeypot for the Cisco ASA component capable of detecting CVE-2018-0101, a DoS and remote code execution vulnerability.
- miniprint – A medium interaction printer honeypot.
- Botnet C2 tools
IPv6 attack detection tool
- ipv6-attack-detector – Google Summer of Code 2012 project, supported by The Honeynet Project organization.
Dynamic code instrumentation toolkit
Tool to convert website to server honeypots
- HIHAT – Transform arbitrary PHP applications into web-based high-interaction Honeypots.
- Kippo-Malware – Python script that will download all malicious files stored as URLs in a Kippo SSH honeypot database.
Distributed sensor deployment
- Modern Honey Network – Multi-snort and honeypot sensor management, uses a network of VMs, small footprint SNORT installations, stealthy dionaeas, and a centralized server for management.
Network Analysis Tool
- Tracexploit – Replay network packets.
- LogAnon – Log anonymization library that helps having anonymous logs consistent between logs and network captures.
- Low interaction honeypot (router back door)
honeynet farm traffic redirector
- Honeymole – Deploy multiple sensors that redirect traffic to a centralized collection of honeypots.
- mitmproxy – Allows traffic flows to be intercepted, inspected, modified, and replayed.
- System instrumentation
Honeypot for USB-spreading malware
- Ghost-usb – Honeypot for malware that propagates via USB storage devices.
- Data Collection
Passive network audit framework parser
- Passive Network Audit Framework (pnaf) – Framework that combines multiple passive and automated analysis techniques in order to provide a security assessment of network platforms.
- VM monitoring and tools
- Binary debugger
- Mobile Analysis Tool
- Low interaction honeypot
Honeynet data fusion
- HFlow2 – Data coalesing tool for honeynet/network analysis.
- Amun – Vulnerability emulation honeypot.
- Artillery – Open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods.
- Bait and Switch – Redirects all hostile traffic to a honeypot that is partially mirroring your production system.
- Bifrozt – Automatic deploy bifrozt with ansible.
- Conpot – Low interactive server side Industrial Control Systems honeypot.
- Heralding – Credentials catching honeypot.
- HoneyWRT – Low interaction Python honeypot designed to mimic services or ports that might get targeted by attackers.
- Honeyd – See honeyd tools.
- Honeysink – Open source network sinkhole that provides a mechanism for detection and prevention of malicious traffic on a given network.
- Hontel – Telnet Honeypot.
- KFSensor – Windows based honeypot Intrusion Detection System (IDS).
- LaBrea – Takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet.
- MTPot – Open Source Telnet Honeypot, focused on Mirai malware.
- SIREN – Semi-Intelligent HoneyPot Network – HoneyNet Intelligent Virtual Environment.
- TelnetHoney – Simple telnet honeypot.
- UDPot Honeypot – Simple UDP/DNS honeypot scripts.
- Yet Another Fake Honeypot (YAFH) – Simple honeypot written in Go.
- arctic-swallow – Low interaction honeypot.
- glutton – All eating honeypot.
- go-HoneyPot – Honeypot server written in Go.
- go-emulators – Honeypot Golang emulators.
- honeymail – SMTP honeypot written in Golang.
- honeytrap – Low-interaction honeypot and network security tool written to catch attacks against TCP and UDP services.
- imap-honey – IMAP honeypot written in Golang.
- mwcollectd – Versatile malware collection daemon, uniting the best features of nepenthes and honeytrap.
- potd – Highly scalable low- to medium-interaction SSH/TCP honeypot designed for OpenWrt/IoT devices leveraging several Linux kernel features, such as namespaces, seccomp and thread capabilities.
- portlurker – Port listener in Rust with protocol guessing and safe string display.
- slipm-honeypot – Simple low-interaction port monitoring honeypot.
- telnet-iot-honeypot – Python telnet honeypot for catching botnet binaries.
- telnetlogger – Telnet honeypot designed to track the Mirai botnet.
- vnclowpot – Low interaction VNC honeypot.
IDS signature generation
- Honeycomb – Automated signature creation using honeypots.
Lookup service for AS-numbers and prefixes
- CC2ASN – Simple lookup service for AS-numbers and prefixes belonging to any given country in the world.
- Data Collection / Data Sharing
Central management tool
- PHARM – Manage, report, and analyze your distributed Nepenthes instances.
Network connection analyzer
- Impost – Network security auditing tool designed to analyze the forensics behind compromised and/or vulnerable daemons.
- Modern Honeynet Network – Streamlines deployment and management of secure honeypots.
Honeypot extensions to Wireshark
- Whireshark Extensions – Apply Snort IDS rules and signatures against packet capture files using Wireshark.
- CWSandbox / GFI Sandbox
- Capture-HPC – High interaction client honeypot (also called honeyclient).
- HoneySpider Network – Highly-scalable system integrating multiple client honeypots to detect malicious websites.
- HoneyWeb – Web interface created to manage and remotely share Honeyclients resources.
- PhoneyC – Python honeyclient (later replaced by Thug).
- Pwnypot – High Interaction Client Honeypot.
- Rumal – Thug’s Rumāl: a Thug’s dress and weapon.
- Shelia – Client-side honeypot for attack detection.
- Thug – Python-based low-interaction honeyclient.
- Thug Distributed Task Queuing
- YALIH (Yet Another Low Interaction Honeyclient) – Low-interaction client honeypot designed to detect malicious websites through signature, anomaly, and pattern matching techniques.
PDF document inspector
- peepdf – Powerful Python tool to analyze PDF documents.
- Hybrid low/high interaction honeypot
- Blacknet – Multi-head SSH honeypot system.
- Cowrie – Cowrie SSH Honeypot (based on kippo).
- DShield docker – Docker container running cowrie with DShield output enabled.
- HonSSH – Logs all SSH communications between a client and server.
- HUDINX – Tiny interaction SSH honeypot engineered in Python to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
- Kippo – Medium interaction SSH honeypot.
- Kippo_JunOS – Kippo configured to be a backdoored netscreen.
- Kojoney2 – Low interaction SSH honeypot written in Python and based on Kojoney by Jose Antonio Coret.
- Kojoney – Python-based Low interaction honeypot that emulates an SSH server implemented with Twisted Conch.
- LongTail Log Analysis @ Marist College – Analyzed SSH honeypot logs.
- Malbait – Simple TCP/UDP honeypot implemented in Perl.
- MockSSH – Mock an SSH server and define all commands it supports (Python, Twisted).
- cowrie2neo – Parse cowrie honeypot logs into a neo4j database.
- go-sshoney – SSH Honeypot.
- go0r – Simple ssh honeypot in Golang.
- gohoney – SSH honeypot written in Go.
- hived – Golang-based honeypot.
- hnypots-agent) – SSH Server in Go that logs username and password combinations.
- honeypot.go – SSH Honeypot written in Go.
- honeyssh – Credential dumping SSH honeypot with statistics.
- hornet – Medium interaction SSH honeypot that supports multiple virtual hosts.
- ssh-auth-logger – Low/zero interaction SSH authentication logging honeypot.
- ssh-honeypot – Fake sshd that logs IP addresses, usernames, and passwords.
- ssh-honeypot – Modified version of the OpenSSH deamon that forwards commands to Cowrie where all commands are interpreted and returned.
- ssh-honeypotd – Low-interaction SSH honeypot written in C.
- sshForShits – Framework for a high interaction SSH honeypot.
- sshesame – Fake SSH server that lets everyone in and logs their activity.
- sshhipot – High-interaction MitM SSH honeypot.
- sshlowpot – Yet another no-frills low-interaction SSH honeypot in Go.
- sshsyrup – Simple SSH Honeypot with features to capture terminal activity and upload to asciinema.org.
- twisted-honeypots – SSH, FTP and Telnet honeypots based on Twisted.
- Distributed sensor project
- A pcap analyzer
- Network traffic redirector
- Honeypot Distribution with mixed content
- Honeeepi – Honeypot sensor on a Raspberry Pi based on a customized Raspbian OS.
- File carving
- Behavioral analysis tool for win32
- DAVIX – The DAVIX Live CD.
- Mail::SMTP::Honeypot – Perl module that appears to provide the functionality of a standard SMTP server.
- Mailoney – SMTP honeypot, Open Relay, Cred Harvester written in python.
- SendMeSpamIDS.py – Simple SMTP fetch all IDS and analyzer.
- Shiva – Spam Honeypot with Intelligent Virtual Analyzer.
- SpamHAT – Spam Honeypot Tool.
- honeypot – The Project Honey Pot un-official PHP SDK.
- Cymmetria Mazerunner – Leads attackers away from real targets and creates a footprint of the attack.
- Server (Bluetooth)
- Dynamic analysis of Android apps
Dockerized Low Interaction packaging
- Docker honeynet – Several Honeynet tools set up for Docker containers.
- Dockerized Thug – Dockerized Thug to analyze malicious web content.
- Dockerpot – Docker based honeypot.
- Manuka – Docker based honeypot (Dionaea and Kippo).
- mhn-core-docker – Core elements of the Modern Honey Network implemented in Docker.
- Network analysis
- SIP Server
- IOT Honeypot
- CanaryTokens – Self-hostable honeytoken generator and reporting dashboard; demo version available at CanaryTokens.org.
- Honeybits – Simple tool designed to enhance the effectiveness of your traps by spreading breadcrumbs and honeytokens across your production servers and workstations to lure the attacker toward your honeypots.
- Honeyλ (HoneyLambda) – Simple, serverless application designed to create and monitor URL honeytokens, on top of AWS Lambda and Amazon API Gateway.
- dcept – Tool for deploying and detecting use of Active Directory honeytokens.
- honeyku – Heroku-based web honeypot that can be used to create and monitor fake HTTP endpoints (i.e. honeytokens).
- Honeyd plugin
- Honeyd viewer
- Honeyd to MySQL connector
- A script to visualize statistics from honeyd
- Honeyd stats
Network and Artifact Analysis
- Argos – Emulator for capturing zero-day attacks.
- COMODO automated sandbox
- Cuckoo – Leading open source automated malware analysis system.
- Pylibemu – Libemu Cython wrapper.
- RFISandbox – PHP 5.x script sandbox built on top of funcall.
- dorothy2 – Malware/botnet analysis framework written in Ruby.
- imalse – Integrated MALware Simulator and Emulator.
- libemu – Shellcode emulation library, useful for shellcode detection.
- Hybrid Analysis – Free malware analysis service powered by Payload Security that detects and analyzes unknown threats using a unique Hybrid Analysis technology.
- Joebox Cloud – Analyzes the behavior of malicious files including PEs, PDFs, DOCs, PPTs, XLSs, APKs, URLs and MachOs on Windows, Android and Mac OS X for suspicious activities.
- VirusTotal – Analyze suspicious files and URLs to detect types of malware, and automatically share them with the security community.
- malwr.com – Free malware analysis service and community.
- DionaeaFR – Front Web to Dionaea low-interaction honeypot.
- Django-kippo – Django App for kippo SSH Honeypot.
- Shockpot-Frontend – Full featured script to visualize statistics from a Shockpot honeypot.
- Tango – Honeypot Intelligence with Splunk.
- Wordpot-Frontend – Full featured script to visualize statistics from a Wordpot honeypot.
- honeyalarmg2 – Simplified UI for showing honeypot alarms.
- honeypotDisplay – Flask website which displays data gathered from an SSH Honeypot.
- Acapulco – Automated Attack Community Graph Construction.
- Afterglow Cloud
- Glastopf Analytics – Easy honeypot statistics.
- HoneyMalt – Maltego tranforms for mapping Honeypot systems.
- HoneyMap – Real-time websocket stream of GPS events on a fancy SVG world map.
- HoneyStats – Statistical view of the recorded activity on a Honeynet.
- HpfeedsHoneyGraph – Visualization app to visualize hpfeeds logs.
- Kippo stats – Mojolicious app to display statistics for your kippo SSH honeypot.
- Kippo-Graph – Full featured script to visualize statistics from a Kippo SSH honeypot.
- The Intelligent HoneyNet – Create actionable information from honeypots.
- ovizart – Visual analysis for network traffic.
- T-Pot: A Multi-Honeypot Platform
- Honeypot (Dionaea and kippo) setup script
- Dionaea and EC2 in 20 Minutes – Tutorial on setting up Dionaea on an EC2 instance.
- Using a Raspberry Pi honeypot to contribute data to DShield/ISC – The Raspberry Pi based system will allow us to maintain one code base that will make it easier to collect rich logs beyond firewall logs.
- honeypotpi – Script for turning a Raspberry Pi into a HoneyPot Pi.
- Research Papers