Go Honeypot Overview
A lightweight, pragmatic honeypot written in Go for collecting telemetry from network scanners and simple automated attacks.
This repository contains a single-file honeypot implementation designed for fast deployment on a workstation or VM. It combines passive packet capture with basic TCP/UDP listeners, simple service emulation (banners), and heuristic-based detection. The honeypot never executes incoming payloads — it analyzes, hashes, and stores metadata only.
Advantages
Low friction deployment
Single binary, minimal dependencies, easy to build and run.
Hybrid telemetry
Active listeners (TCP/UDP) + passive pcap capture on a network interface — gives broader visibility into attacker behaviour.
Focused on data collection
Hashes and metadata stored, with optional Elasticsearch bulk ingestion for later analysis.
Safety-first design
No execution of payloads, truncation of large payloads, and signature-based filtering to avoid accidental exploitation.
Respectful coexistence
Attempts to bind configured ports but will not hijack ports where real services are already running.
Runtime admin console
Simple stdin-based commands for status, graceful shutdown and ad-hoc logging.
Features
- Listening on configurable TCP and UDP ports
- Passive pcap capture with gopacket when an interface is specified
- Heuristic-based scan detection with sliding time window analysis
- Signature checks for common RCE/payload patterns and simple binary heuristics
- In-memory blocklist with configurable TTL and optional firewall insertion
- Elasticsearch bulk logging with fallback to stdout/file
- Sturdy, minimal runtime administration via stdin
Quick Start
Build
go build -o honeypot main.go
Example config.json
{
"interface": "",
"ports": [22, 80, 443, 12345],
"log_file": "honeypot.log",
"snaplen": 65535,
"promisc": true,
"timeout_ms": 500,
"elastic_url": "http://127.0.0.1:9200",
"elastic_index": "honeypot",
"max_payload": 4096,
"scan_window_s": 30,
"scan_port_thresh": 10
}
Run
./honeypot -config config.json
Configuration Parameters
Usage Notes and Recommendations
Important Security Notes
- Run the binary with appropriate privileges if you expect to bind to low ports or insert firewall rules
- If using pcap on Linux, ensure the running user has permission to capture packets (CAP_NET_RAW) or run as root
- Tune scan_window_s and scan_port_thresh to match your environment
Runtime Commands
While running, the process accepts simple stdin commands:
- status: emits a runtime status event to the logs
- /quit or /exit: graceful shutdown
Limitations and Trade-offs
Not a full IDS/IPS
Designed for telemetry and deception, not for replacing production-grade IDS solutions
Heuristic blind spots
Advanced scanners and evasion techniques will likely bypass simple heuristics
Resource considerations
Under extreme load the honeypot itself can exhaust system resources
Blocklist persistence
Default blocklist is in-memory and expires (default TTL 10 minutes)
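The following is an added illustration of how the scan_window_s / scan_port_thresh heuristic and the expiring in-memory blocklist described above fit together; it is not code from this repository, and the type and function names (ScanDetector, Observe, IsBlocked) are assumptions chosen for the example.

```go
package main

import (
	"time"
)

// ScanDetector models the README's sliding-window heuristic: a source that
// touches at least portThresh distinct ports within window is flagged and
// blocklisted in memory until blockTTL elapses. Added example, not the
// project's own types; not goroutine-safe, guard with a mutex if shared.
type ScanDetector struct {
	window     time.Duration              // scan_window_s
	portThresh int                        // scan_port_thresh
	blockTTL   time.Duration              // blocklist TTL (README default 10m)
	hits       map[string]map[int]time.Time // src IP -> port -> last touch
	blocked    map[string]time.Time       // src IP -> block expiry
}

func NewScanDetector(window time.Duration, portThresh int, blockTTL time.Duration) *ScanDetector {
	return &ScanDetector{window: window, portThresh: portThresh, blockTTL: blockTTL,
		hits: make(map[string]map[int]time.Time), blocked: make(map[string]time.Time)}
}

// Observe records a connection attempt from src to port at time now and
// reports whether src now counts as a scanner. Ports whose last touch fell
// out of the window are forgotten first, so a slow prober never trips it.
func (d *ScanDetector) Observe(src string, port int, now time.Time) bool {
	ports := d.hits[src]
	if ports == nil {
		ports = make(map[int]time.Time)
		d.hits[src] = ports
	}
	ports[port] = now
	cutoff := now.Add(-d.window)
	for p, t := range ports { // deleting during range is safe in Go
		if !t.After(cutoff) {
			delete(ports, p)
		}
	}
	if len(ports) >= d.portThresh {
		d.blocked[src] = now.Add(d.blockTTL)
		return true
	}
	return false
}

// IsBlocked reports whether src is still inside its block TTL at time now.
// An unknown src yields the zero time, which is never after now.
func (d *ScanDetector) IsBlocked(src string, now time.Time) bool {
	return now.Before(d.blocked[src])
}
```

The README's config.json maps to NewScanDetector(30*time.Second, 10, 10*time.Minute); expired block entries are not pruned here, so a real deployment would sweep the map periodically.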
Extension Ideas
Active deception module
After detecting a scanner, serve progressively more detailed fake data to entice the scanner to reveal tools/behaviour
Persistent blocklist
Integrate with local firewall or external blocklist service for long-term blocking
Sandboxed payload analysis
Capture suspicious payloads and forward them to an isolated sandbox for deeper inspection
Protocol emulation plugins
Simple emulators for HTTP, FTP, SSH that provide richer telemetry
Security Considerations
Never run this honeypot on a host with sensitive services unless you fully isolate it (separate VM, strict firewall rules)
Do not forward captured payload contents to untrusted systems; store only metadata and hashes when possible
Be mindful of legal and ethical boundaries when interacting with third-party scanners and hosts