Advanced Honeypot with SIEM Integration
A high-interaction web honeypot that simulates vulnerable services and captures real attack patterns, integrated with Grafana, Loki, and Promtail for threat analysis.
About
This advanced honeypot project was my final project for the third year (B3) of my cybersecurity studies at Bordeaux Ynov Campus. It is a high-interaction web honeypot designed to simulate vulnerable services and capture sophisticated attack patterns in a controlled environment.
The honeypot is paired with a complete SIEM stack based on Grafana, Loki, and Promtail, enabling real-time log centralization and attack visualization. The full infrastructure runs on Proxmox VE using Docker containers for isolation and scalability.
Features
Simulated Vulnerabilities
- SQL Injection: Multiple injection points with varying complexity levels.
- Cross-Site Scripting (XSS): Reflected and stored XSS vulnerabilities.
- Remote Code Execution (RCE): Command injection simulation with sandboxed execution.
- Authentication Bypass: Weak credential systems and session management flaws.
- Directory Traversal: Path manipulation vulnerabilities.
Advanced Deception
- Fake Administrative Panels: Realistic login interfaces with credential harvesting.
- Hidden Endpoints: Secret paths left to be discovered through directory enumeration, so that enumeration attempts are captured.
- Interactive Responses: Context-aware responses based on attack patterns.
SIEM Integration
- Structured JSON Logging: Rich metadata capture including IP geolocation and request fingerprints.
- Real-time Log Streaming: Promtail integration for immediate log forwarding.
- Custom Grafana Dashboards: Real-time attack monitoring with geographic visualization.
- Attack Pattern Recognition: Automated detection of common attack signatures.
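As an added illustration of the structured JSON logging and signature-based tagging described above (this is example code written for this page, not the project's own logging module), the following stdlib-only helper builds one log record per request with a request fingerprint and a list of matched attack signatures. The signature table, field names and the `build_record` / `classify` / `fingerprint` helpers are assumptions; in a Flask app such a record would be emitted from an `after_request` hook to stdout for Promtail to ship to Loki. IP geolocation is deliberately left out (it needs an external database).

```python
import hashlib
import json
import re
from datetime import datetime, timezone
from urllib.parse import parse_qsl

# Constructed signature table (hypothetical names, not the project's list).
# Each entry is (tag, compiled pattern); patterns are intentionally broad,
# false positives are tuned out later in Grafana/LogQL rather than here.
SIGNATURES = [
    ("sqli", re.compile(r"('|%27)\s*(or|and)\s+|union\s+select|--\s*$|;\s*drop\s", re.I)),
    ("xss", re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I)),
    ("traversal", re.compile(r"(\.\./|\.\.\\|%2e%2e%2f)", re.I)),
    ("cmdi", re.compile(r"[;&|`]\s*(cat|ls|id|whoami|wget|curl)\b", re.I)),
]


def classify(values):
    """Return the sorted set of signature tags matched by any input value."""
    tags = set()
    for value in values:
        for tag, pattern in SIGNATURES:
            if pattern.search(value):
                tags.add(tag)
    return sorted(tags)


def fingerprint(method, path, user_agent):
    """Stable short hash so repeated probes by one tool group together in Loki."""
    digest = hashlib.sha256(f"{method}|{path}|{user_agent}".encode("utf-8"))
    return digest.hexdigest()[:16]


def build_record(method, path, query, headers, remote_addr, body="", now=None):
    """Assemble one flat, Loki-friendly JSON record for a single HTTP request.

    `query` is the raw query string; `headers` is a plain dict. Duplicate query
    keys collapse to the last value in the `query` field but every value is
    still inspected for signatures.
    """
    params = parse_qsl(query, keep_blank_values=True)  # percent-decodes values
    inspected = [value for _, value in params] + [path, body]
    tags = classify(inspected)
    user_agent = headers.get("User-Agent", "")
    return {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "src_ip": remote_addr,
        "method": method,
        "path": path,
        "query": dict(params),
        "user_agent": user_agent,
        "fingerprint": fingerprint(method, path, user_agent),
        "attack_tags": tags,
        "severity": "high" if tags else "info",
    }


def to_json_line(record):
    """One compact JSON object per line, the shape Promtail's json stage expects."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("GET", "/", "page=2", {"User-Agent": "Mozilla/5.0"}, "192.0.2.1"),
        ("GET", "/login", "user=admin&pass=1%27%20OR%20%271%27%3D%271",
         {"User-Agent": "curl/8.0"}, "203.0.113.5"),
        ("GET", "/static/../../app.conf", "", {"User-Agent": "python-requests/2.31"},
         "198.51.100.7"),
    ]
    for method, path, query, headers, ip in samples:
        print(to_json_line(build_record(method, path, query, headers, ip)))
```

Keeping the record flat and the tag list pre-computed means the Promtail pipeline only needs a `json` stage to lift `severity` and `attack_tags` into labels, and a Grafana panel can then count attacks per signature with a single LogQL aggregation.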
Architecture
The project uses a containerized architecture with these components:
- Honeypot Engine: Built with Python Flask for lightweight and extensible web services.
- Grafana: Real-time dashboards and attack visualization.
- Loki: Centralized log aggregation and storage.
- Promtail: Log collection and forwarding agent.
- Docker: Containerized deployment for complete isolation.
All services communicate through a dedicated Docker network, which keeps the honeypot isolated from the host and the monitoring stack while still presenting realistic attack scenarios.
Project Goals
- Analyze real-world attack techniques in a controlled and safe environment.
- Practice defensive security concepts through hands-on SIEM implementation.
- Learn log correlation and threat intelligence through practical experience.
- Build a modular and scalable honeypot platform for cybersecurity education.
Skills Developed
This project significantly improved my skills across several domains:
- Defensive Security: Understanding attacker methodologies through practical analysis.
- SIEM Architecture: Hands-on experience with enterprise-grade monitoring solutions.
- Container Security: Docker deployment and isolation best practices.
- Threat Intelligence: Pattern recognition and attack attribution techniques.
- Log Analysis: Advanced querying and correlation with LogQL.
Clone The Project
git clone https://github.com/Telooss/PROJET-B3-CYBER.git
Deploy The Honeypot
cd PROJET-B3-CYBER && docker-compose up -d
# Access services:
# Honeypot: http://localhost:5000
# Grafana: http://localhost:3000
Future Improvements
Some ideas for future enhancements:
- Machine Learning Integration: Automated attack pattern recognition using ML models.
- Multi-Protocol Support: Beyond HTTP to include SSH, FTP, and other services.
- Cloud Deployment: Native support for AWS, Azure, and GCP.
- API Integration: REST API for programmatic access to honeypot data.
Conclusion
This project helped me understand both attacker behavior and defensive monitoring through a practical approach. It gave me valuable experience in SIEM operations, threat hunting, and security engineering.