
[Analyzer] Honeyscanner

Open mlodic opened this issue 11 months ago • 11 comments

Name

Honeyscanner

Link

https://github.com/honeynet/honeyscanner

Type of analyzer

IP

Why should we use it

cool scanner to test honeypots

Possible implementation

pip tlp:clear is required

mlodic avatar Feb 02 '25 15:02 mlodic

I would like to work on integrating Honeyscanner (https://github.com/honeynet/honeyscanner) as an IP analyzer.

Proposed Implementation:

  • Integration as IP-based analyzer
  • TLP:clear compliance
  • Honeypot detection capabilities

Technical Approach:

  • Implement under intel_owl/analyzers/
  • Use OnPremiseAnalyzer framework
  • IP scanning functionality

Looking forward to contributing to this project. Please assign this issue to me. @mlodic @drosetti

Ansh5748 avatar Feb 10 '25 01:02 Ansh5748

This issue has been marked as stale because it has had no activity for 10 days. If you are still working on this, please provide some updates.

github-actions[bot] avatar Feb 26 '25 09:02 github-actions[bot]

Hi @fgibertoni, should we create a docker-based analyzer for this? Let me know what are your thoughts on this.

spoiicy avatar Jun 04 '25 14:06 spoiicy

I think that a docker-based analyzer for this is too much. The ideal thing would be to have a pip package because it is just Python, but they didn't release any official version. I think we should fork the project and add all the related stuff to publish it (you can copy what we did in pyintelowl, mostly it is setting up the autopublish on release and adding a proper setup.py). We'll need to add the PYPI_SECRET in that project so that it magically works.

Once that is done, you can just create a normal analyzer, extract the commands from here, and get the results in JSON format.

mlodic avatar Jun 04 '25 15:06 mlodic

Hi @mlodic and @fgibertoni,

In the process of integrating honeyscanner into IntelOwl, I've refactored and ironed out the various issues and also created a PyPI package.

But while installing it in IntelOwl, I'm getting this version conflict with other dependencies:

224.6 The conflict is caused by:
224.6     oletools 0.60.2 depends on pyparsing<4 and >=2.1.0
224.6     ioc-finder 7.0.0 depends on pyparsing<3.0 and >=2.4.7
224.6     honeyscanner 0.1.2 depends on pyparsing==3.1.2; python_full_version >= "3.6.8"

This is the excerpt from honeyscanner dependency tree.

boofuzz==0.4.2
├── attrs 
├── click 
├── colorama 
├── Flask 
│   ├── blinker 
│   ├── click 
│   ├── itsdangerous 
│   ├── Jinja2 
│   │   └── MarkupSafe 
│   └── Werkzeug 
│       └── MarkupSafe 
├── funcy 
├── psutil 
├── pydot 
│   └── pyparsing 
├── pyserial 
└── tornado 

This makes it tough to downgrade the version of pyparsing. Shall we bump up the ioc-finder version to 7.3.0, as it accepts pyparsing version 3.1.1, which will resolve this dependency conflict?

spoiicy avatar Jun 12 '25 15:06 spoiicy
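The conflict quoted above is three packages pinning the same dependency to ranges that never overlap. The following is an added example (not code from IntelOwl, honeyscanner or pip) that reproduces pip's reasoning with a minimal pure-Python specifier checker: it takes the three constraints exactly as printed in the build log, checks them against a constructed candidate list of pyparsing releases, and reports which requirement rejects a given version. The relaxed ioc-finder constraint `>=3.1.1,<4` is a placeholder standing in for "a version that accepts pyparsing 3.1.x", not ioc-finder 7.3.0's real metadata.

```python
import re
from typing import Dict, List, Tuple

# Constructed candidate list of pyparsing releases; not a full PyPI index.
CANDIDATES = ["2.4.7", "2.4.8", "3.0.9", "3.1.1", "3.1.2", "3.2.0"]

# Constraints on pyparsing copied from the pip error in the thread.
CONFLICTING: Dict[str, List[str]] = {
    "oletools 0.60.2": ["<4", ">=2.1.0"],
    "ioc-finder 7.0.0": ["<3.0", ">=2.4.7"],
    "honeyscanner 0.1.2": ["==3.1.2"],
}

# Same set with ioc-finder bumped; the range is an assumed placeholder, not
# the real 7.3.0 metadata.
RELAXED: Dict[str, List[str]] = {
    "oletools 0.60.2": ["<4", ">=2.1.0"],
    "ioc-finder 7.3.0 (assumed range)": [">=3.1.1", "<4"],
    "honeyscanner 0.1.2": ["==3.1.2"],
}

_SPEC_RE = re.compile(r"\s*(==|!=|>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)*)\s*")


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.1.2' -> (3, 1, 2). Only plain dotted releases are supported."""
    return tuple(int(part) for part in text.split("."))


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Three-way compare with zero padding so that '4' == '4.0.0'."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def satisfies(version: str, spec: str) -> bool:
    """Does a single specifier such as '<3.0' accept this version?"""
    match = _SPEC_RE.fullmatch(spec)
    if match is None:
        raise ValueError(f"unsupported specifier: {spec!r}")
    op, pinned = match.groups()
    c = compare(parse_version(version), parse_version(pinned))
    return {
        "==": c == 0, "!=": c != 0,
        ">=": c >= 0, "<=": c <= 0,
        ">": c > 0, "<": c < 0,
    }[op]


def blockers(requirements: Dict[str, List[str]], version: str) -> List[str]:
    """Names of the packages whose constraints reject this version."""
    return [
        name for name, specs in requirements.items()
        if not all(satisfies(version, s) for s in specs)
    ]


def compatible_versions(requirements: Dict[str, List[str]],
                        candidates: List[str]) -> List[str]:
    """Candidates accepted by every package's constraints (pip's goal)."""
    return [v for v in candidates if not blockers(requirements, v)]


if __name__ == "__main__":
    for label, reqs in (("as logged", CONFLICTING), ("ioc-finder bumped", RELAXED)):
        ok = compatible_versions(reqs, CANDIDATES)
        print(f"{label}: compatible pyparsing versions = {ok or 'none'}")
        if not ok:
            for v in CANDIDATES:
                print(f"  {v} rejected by {blockers(reqs, v)}")
```

With the constraints as logged, the 3.1.2 pin is rejected by ioc-finder 7.0.0's `<3.0` and every version ioc-finder accepts is rejected by honeyscanner's `==3.1.2`, so the intersection is empty; once one of the two sides moves, 3.1.2 is the single surviving candidate. The same check also makes the case for mlodic's follow-up suggestion: a pin of `==` on a transitive dependency leaves no room for any other consumer of that dependency.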

hey, sure! while you are there you can also soften the dependencies of honeyscanner and try to see whether it works with >4 versions

mlodic avatar Jun 12 '25 15:06 mlodic

Hi @mlodic and @fgibertoni, is there a way we can scan observables on 127.0.0.1, as IntelOwl raises an error citing "can't scan on loopback address"? I tried hosting the honeypot over ec2 and scanning it, but the port scanning done by honeyscanner itself takes an eternity and therefore I am met with a SoftTimeLimitExceeded error, for a limit which I've generously set to 1800 seconds.

Let me know what are your thoughts on this.

spoiicy avatar Jun 13 '25 19:06 spoiicy

Hey @spoiicy, is the error that you're mentioning at IntelOwl or HoneyScanner level? I can't find that specific log in the source code of either project. You can maybe also try with the nmap test scanning website to see if it works: http://scanme.nmap.org/ I understand it's not the same thing but I think it should be enough for the purpose. Let us know when you have finished testing 😃

fgibertoni avatar Jun 17 '25 05:06 fgibertoni

@fgibertoni, I think it's specific to IntelOwl since I'm able to run honeyscanner on a honeypot hosted over localhost. I've attached a screenshot of when the error is raised. Let me know if you want more info; in the meanwhile I'll take up other analyzers.

Also, I'd tried nmap scan earlier via cli and it got completed quickly, scanning any open ports for honeypot hosted on my ec2. I think the problem is with the implementation of scanning for open ports in honeyscanner, where it iteratively checks for open ports. Ref: https://github.com/honeynet/honeyscanner/blob/b35753fa6e6d4f9aeda69946a503afc8057e8830/honeyscanner/passive_attacks/honeypot_detector/detect_honeypot.py#L82C5-L122C26

Let me know what your thoughts are.

Error when 127.0.0.1 is selected

spoiicy avatar Jun 17 '25 18:06 spoiicy

Ok I found your problem. The check you're getting is done in api_app/serializers/job.py:1056. If you temporarily comment out the block of code you should be able to go with the localhost address. I think you may have to set up ports in the docker compose file to make IntelOwl and the honeypot on your machine talk.

Have you tried with the website that I posted previously? It should be made to be scanned for use cases similar to this.

fgibertoni avatar Jun 19 '25 06:06 fgibertoni
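The rejection discussed in the last few comments is a pre-flight check on the observable, not anything honeyscanner does. As an added example (not IntelOwl's code from api_app/serializers/job.py, whose exact logic is not on this page), here is a hypothetical version of such a check built on Python's `ipaddress` module. It shows why a platform that hands observables to network scanners refuses loopback targets (the scan would hit the platform's own container), and it handles an edge case a naive `is_loopback` test misses: IPv4-mapped IPv6 literals such as `::ffff:127.0.0.1`, which `IPv6Address.is_loopback` does not flag. Private ranges are deliberately left allowed, matching fgibertoni's point that a lab honeypot reachable through docker compose port mappings is a legitimate target. The function name and the return shape are my own.

```python
import ipaddress
from typing import Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _unwrap(addr: IPAddr) -> IPAddr:
    """Reduce an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to its IPv4 form.

    IPv6Address.is_loopback only matches ::1, so without this step
    ::ffff:127.0.0.1 would slip past a loopback check.
    """
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def check_scan_target(observable: str) -> Tuple[bool, str]:
    """Hypothetical pre-flight check for an IP observable handed to a scanner.

    Returns (allowed, reason). Non-IP observables (domains, hashes, ...) are
    passed through; a real platform validates those elsewhere.
    """
    try:
        addr = ipaddress.ip_address(observable.strip())
    except ValueError:
        return True, "not an IP literal; left to other validators"

    addr = _unwrap(addr)

    # The scanner runs inside the platform's own container/host, so a
    # loopback target would scan the analysis infrastructure itself.
    if addr.is_loopback:
        return False, "can't scan on loopback address"
    if addr.is_unspecified:
        return False, "unspecified address (0.0.0.0 / ::)"
    # Link-local covers 169.254.0.0/16, including cloud metadata endpoints.
    if addr.is_link_local:
        return False, "link-local address"
    if addr.is_multicast:
        return False, "multicast address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample observables; 203.0.113.10 is documentation space.
    for sample in ["127.0.0.1", "::1", "::ffff:127.0.0.1", "169.254.169.254",
                   "10.0.0.5", "203.0.113.10", "scanme.nmap.org"]:
        allowed, reason = check_scan_target(sample)
        print(f"{sample:>18}  allowed={allowed!s:5}  {reason}")
```

If you do comment such a block out for local testing, as suggested above, the mapped-address case is a reminder to put it back unchanged afterwards: the check protects the analysis host, and loosening it is a one-line change that is easy to forget in a PR.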

This issue has been marked as stale because it has had no activity for 30 days. If you are still working on this, please provide some updates.

github-actions[bot] avatar Jul 21 '25 09:07 github-actions[bot]