telekom-security / tpotce

🍯 T-Pot - The All In One Multi Honeypot Platform 🐝
GNU General Public License v3.0

T-Pot installation types #782

Closed ScorpionKing34 closed 3 years ago

ScorpionKing34 commented 3 years ago

Dear developers,

I am doing research on honeypots and how to use them for building sensor rules to detect attacks, in order to graduate from University Business IT. I would like to use T-Pot in a Proof of Concept environment. Your wiki is easy to follow, but I am trying to figure out what the goal/purpose of each installation type is, and the wiki/readme does not provide the answer I am looking for. Can you please tell me what the goal/purpose of the installation types is:

I see which tools are being used by each installation type. I hope to get an answer before 2 March. In the meantime I will search the internet for possible answers.

With kind regards from, ScorpionKing34

ehnwebmaster commented 3 years ago

Here's all the info: https://github.com/telekom-security/tpotce#installation-types

But I understand that for newbies it is too much information and not everything is explained. T-Pot is really great but is "big" because it uses a lot of honeypot types; that's why they let us choose which ones we want to run, or which services you are able to open ports for and expose to the internet (in case you're behind a router).

The different installation types just vary which honeypots are used.

Standard (8GB RAM) and Sensor (4GB) have pretty much the same honeypots (only honeypy varies), but "sensor" doesn't show the results via the web GUI (ELK: Elasticsearch, Logstash and Kibana), and for that reason requires half the RAM. It also doesn't include the two "extra" tools cyberchef and spiderfoot (those are not honeypots). Kibana is a really nice graphical interface, but consumes a lot of resources and RAM; it just depends on the hardware (CPU, RAM, disk) you can afford (no matter if it is real hardware, a virtual machine, etc.).

NextGen is exactly the same but uses glutton.

Once installed, you can change the version (installation type) at any time by running:

sudo /opt/tpot/bin/tped.sh

Here is a list with the ports used by every honeypot:

name (honeypot) --> port (service) tcp/udp

cowrie --> 22 (ssh), 23 (telnet) tcp
mailoney --> 25 (smtp) tcp
snare (tanner) --> 80 tcp
citrixhoneypot --> 443 tcp
rdpy --> 3389 (rdp) tcp
dionaea --> 445 tcp (samba), 69 udp (tftp), 135 (rpc), 3306 (MySQL), 21 (ftp), 81, 1433 (SQL)
heralding --> 110 (pop), 143 (imap), 993 (imaps), 995 (pop3s), 1080 (socks5), 5432 (PostgreSQL), 5900 (vnc)
adbhoney --> 5555 (tcp)
dicompot --> 11112
ciscoasa --> 5000/udp, 8443 (tcp)
Conpot IEC104 --> 161 udp (snmp) and 2404
Conpot guardian_ast --> 10001
Conpot ipmi --> 623 (udp)
Conpot kamstrup_382 --> 1025 and 50100
HoneySAP --> 3299
Medpot --> 2575

Hope this helps.
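As an added example (not T-Pot's own code, nor part of the reply above): a small check, run on the T-Pot host itself, that takes the TCP ports from the list above and reports which honeypot listeners are not actually accepting connections on localhost, which is useful before deciding what to forward through a router. It assumes the port table transcribed from the comment is current for your installation type and probes TCP only (UDP-only services cannot be checked with a plain connect).

```python
import socket

# Honeypot -> TCP ports, transcribed from the port list in the reply above.
# UDP-only entries (dionaea tftp/69, ciscoasa 5000/udp, conpot snmp/161 and
# ipmi/623) are omitted because connect() cannot probe them.
TPOT_TCP_PORTS = {
    "cowrie": [22, 23],
    "mailoney": [25],
    "snare": [80],
    "citrixhoneypot": [443],
    "rdpy": [3389],
    "dionaea": [21, 81, 135, 445, 1433, 3306],
    "heralding": [110, 143, 993, 995, 1080, 5432, 5900],
    "adbhoney": [5555],
    "dicompot": [11112],
    "ciscoasa": [8443],
    "conpot_iec104": [2404],
    "conpot_guardian_ast": [10001],
    "conpot_kamstrup_382": [1025, 50100],
    "honeysap": [3299],
    "medpot": [2575],
}


def port_is_listening(port, host="127.0.0.1", timeout=0.5):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_listeners(table, host="127.0.0.1", probe=port_is_listening):
    """Map each honeypot to the ports that refused a connection (empty list = all bound)."""
    return {name: [p for p in ports if not probe(p, host)]
            for name, ports in table.items()}


def summarize(missing):
    """One line per honeypot that has at least one unreachable port."""
    return [f"{name}: not listening on {', '.join(map(str, ports))}"
            for name, ports in sorted(missing.items()) if ports]


if __name__ == "__main__":
    # Run this on the T-Pot machine; it only talks to 127.0.0.1.
    for line in summarize(audit_listeners(TPOT_TCP_PORTS)):
        print(line)
```

Ports that tped.sh disabled for your chosen installation type will show up here as expected; anything else listed means the container is not bound where the table says it should be.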

ScorpionKing34 commented 3 years ago

Thanks for the information, but I am trying to find out why and when you should use the Standard, Sensor, Industrial, Collector, NextGen and Medical installations. After all, there must be an idea behind every installation? For example, is the goal of the Sensor installation to detect only attacks, or does it serve other goals?

With this information I can give well-founded advice on installing and using a type of honeypot in my report. I hope to hear from you soon, and thanks for your time and effort.