Snare - Super Next Generation Advanced Reactive honEypot



About
SNARE is a web application honeypot sensor attracting all sorts of maliciousness from the Internet.

Documentation
The documentation can be found here.

Basic Concepts
  • Surface first. Focus on the attack surface generation.
  • Sensors and masters. Lightweight collectors (SNARE) and central decision maker (tanner).

Getting started
  • You need Python 3. We tested primarily with >=3.5
  • This was tested with a recent Ubuntu-based Linux.

Steps to set up
  1. Get SNARE: git clone https://github.com/mushorg/snare.git and cd snare
  2. Install requirements: sudo pip3 install -r requirements.txt
  3. Set up SNARE: sudo python3 setup.py install
  4. Clone a page: sudo clone --target http://example.com
  5. Run SNARE: sudo snare --port 8080 --page-dir example.com
  6. Test: Visit http://localhost:8080/index.html
  7. (Optionally) Have your own tanner service running.

Docker build instructions
  1. Change the current directory to the SNARE project directory
  2. docker-compose build
  3. docker-compose up
More information about running docker-compose can be found here.
[Note: The cloner clones the whole website. To restrict cloning to a desired depth, add the --max-depth parameter.]
You obviously want to bind to 0.0.0.0 and port 80 when running in production.

Testing
In order to run the tests and receive a test coverage report, we recommend running pytest:
pip install pytest pytest-cov
sudo pytest --cov-report term-missing --cov=snare snare/tests/

Sample Output
    # sudo snare --port 8080 --page-dir example.com

       _____ _   _____    ____  ______
      / ___// | / /   |  / __ \/ ____/
      \__ \/  |/ / /| | / /_/ / __/
     ___/ / /|  / ___ |/ _, _/ /___
    /____/_/ |_/_/  |_/_/ |_/_____/

    privileges dropped, running as "nobody:nogroup"
    serving with uuid 9c10172f-7ce2-4fb4-b1c6-abc70141db56
    Debug logs will be stored in /opt/snare/snare.log
    Error logs will be stored in /opt/snare/snare.err
    ======== Running on http://127.0.0.1:8080 ========
    (Press CTRL+C to quit)
    you are running the latest version
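
An added example, not part of SNARE: a Python check that parses startup output of the form shown above and reports whether the sensor dropped privileges and bound to the intended address and port. The function names are hypothetical, the line formats are assumed to match the sample output on this page, and the 0.0.0.0:80 defaults come from the production note above.

```python
import re

# Constructed sample: the startup lines from the "Sample Output" on this page.
SAMPLE = '''privileges dropped, running as "nobody:nogroup"
serving with uuid 9c10172f-7ce2-4fb4-b1c6-abc70141db56
Debug logs will be stored in /opt/snare/snare.log
Error logs will be stored in /opt/snare/snare.err
======== Running on http://127.0.0.1:8080 ========
'''

# Assumption: these patterns mirror the sample output; other versions may differ.
PRIV_RE = re.compile(r'^privileges dropped, running as "([^":]+):([^"]+)"$')
UUID_RE = re.compile(r'^serving with uuid ([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$')
BIND_RE = re.compile(r'^=+ Running on http://([^\s:/]+):(\d+) =+$')


def parse_startup(text):
    """Extract user, group, sensor uuid, host and port from startup output."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if m := PRIV_RE.match(line):
            info["user"], info["group"] = m.groups()
        elif m := UUID_RE.match(line):
            info["uuid"] = m.group(1)
        elif m := BIND_RE.match(line):
            info["host"], info["port"] = m.group(1), int(m.group(2))
    return info


def check_deployment(text, want_host="0.0.0.0", want_port=80):
    """Return a list of findings; an empty list means the output is as intended."""
    info, findings = parse_startup(text), []
    if "user" not in info:
        findings.append("no privilege-drop line: sensor may still be running as root")
    elif info["user"] == "root":
        findings.append("privileges were dropped to root, which is no drop at all")
    if "host" not in info:
        findings.append("no listener line: sensor did not report a bound address")
    else:
        if info["host"] != want_host:
            findings.append(f"bound to {info['host']}, expected {want_host}")
        if info["port"] != want_port:
            findings.append(f"listening on port {info['port']}, expected {want_port}")
    return findings


if __name__ == "__main__":
    for finding in check_deployment(SAMPLE):
        print("WARN:", finding)
```

Run against the sample output, the check flags the loopback address and port 8080, which is expected for a local test and wrong for a production sensor.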

