{"id":21195510,"url":"https://github.com/0x4d31/galah","last_synced_at":"2025-04-08T08:11:25.517Z","repository":{"id":214929768,"uuid":"737647437","full_name":"0x4D31/galah","owner":"0x4D31","description":"Galah: An LLM-powered web honeypot.","archived":false,"fork":false,"pushed_at":"2024-10-20T01:43:32.000Z","size":1429,"stargazers_count":520,"open_issues_count":6,"forks_count":46,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-04-01T05:33:58.127Z","etag":null,"topics":["golang","honeypot","llm","openai","openai-api","security","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0x4D31.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-12-31T22:51:12.000Z","updated_at":"2025-03-30T04:22:16.000Z","dependencies_parsed_at":"2024-01-01T08:54:03.325Z","dependency_job_id":"e83129e3-ee05-45a0-bf54-0fd98a045e39","html_url":"https://github.com/0x4D31/galah","commit_stats":null,"previous_names":["0x4d31/galah"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x4D31%2Fgalah","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x4D31%2Fgalah/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x4D31%2Fgalah/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x4D31%2Fgalah/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0x4D31","download_url":"https://codeload.github.com/0x4D31/galah/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247801154,"owners_count":20998338,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["golang","honeypot","llm","openai","openai-api","security","security-tools"],"created_at":"2024-11-20T19:28:35.860Z","updated_at":"2025-04-08T08:11:25.499Z","avatar_url":"https://github.com/0x4D31.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cimg align=\"left\" src=\"docs/images/galah.png\" width=\"200px\"\u003e\n\nTL;DR: Galah (/ɡəˈlɑː/ - pronounced ‘guh-laa’) is an LLM-powered web honeypot designed to mimic various applications and dynamically respond to arbitrary HTTP requests. Galah supports major LLM providers, including OpenAI, GoogleAI, GCP's Vertex AI, Anthropic, Cohere, and Ollama.\n\nUnlike traditional web honeypots that manually emulate specific web applications or vulnerabilities, Galah dynamically crafts relevant responses—including HTTP headers and body content—to any HTTP request. Responses generated by the LLM are cached for a configurable period to prevent repetitive generation for identical requests, reducing API costs. The caching is port-specific, ensuring that responses generated for a particular port will not be reused for the same request on a different port.\n\nThe prompt configuration is key in this honeypot. While you can update the prompt in the configuration file, it is crucial to maintain the segment directing the LLM to produce responses in the specified JSON format.\n\n\u003e **Note:** Galah was developed as a fun weekend project to explore the capabilities of LLMs in crafting HTTP messages and is not intended for production use. The honeypot may be identifiable through various methods such as network fingerprinting techniques, prolonged response times depending on the LLM provider and model, and non-standard responses. To protect against Denial of Wallet attacks, be sure to **set usage limits on your LLM API**.\n\n## Getting Started\n\n### Local Deployment\n\n- Ensure you have Go version 1.22+ installed.\n- Depending on your LLM provider, create an API key (e.g., from [here](https://platform.openai.com/api-keys) for OpenAI and [here](https://aistudio.google.com/app/apikey) for GoogleAI Studio) or set up authentication credentials (e.g., Application Default Credentials for GCP's Vertex AI).\n- If you want to serve HTTPS ports, generate TLS certificates.\n- Clone the repo and install the dependencies.\n- Update the `config.yaml` file if needed.\n- Build and run the Go binary!\n\n```bash\n% git clone git@github.com:0x4D31/galah.git\n% cd galah\n% go mod download\n% go build -o galah ./cmd/galah\n% export LLM_API_KEY=your-api-key\n% ./galah --help\n\n ██████ █████ ██ █████ ██ ██ \n██ ██ ██ ██ ██ ██ ██ ██ \n██ ███ ███████ ██ ███████ ███████ \n██ ██ ██ ██ ██ ██ ██ ██ ██ \n ██████ ██ ██ ███████ ██ ██ ██ ██ \n llm-based web honeypot // version 1.0\n author: Adel \"0x4D31\" Karimi\n\nUsage: galah --provider PROVIDER --model MODEL [--server-url SERVER-URL] [--temperature TEMPERATURE] [--api-key API-KEY] [--cloud-location CLOUD-LOCATION] [--cloud-project CLOUD-PROJECT] [--interface INTERFACE] [--config-file CONFIG-FILE] [--event-log-file EVENT-LOG-FILE] [--cache-db-file CACHE-DB-FILE] [--cache-duration CACHE-DURATION] [--log-level LOG-LEVEL]\n\nOptions:\n --provider PROVIDER, -p PROVIDER\n LLM provider (openai, googleai, gcp-vertex, anthropic, cohere, ollama) [env: LLM_PROVIDER]\n --model MODEL, -m MODEL\n LLM model (e.g. gpt-3.5-turbo-1106, gemini-1.5-pro-preview-0409) [env: LLM_MODEL]\n --server-url SERVER-URL, -u SERVER-URL\n LLM Server URL (required for Ollama) [env: LLM_SERVER_URL]\n --temperature TEMPERATURE, -t TEMPERATURE\n LLM sampling temperature (0-2). Higher values make the output more random [default: 1, env: LLM_TEMPERATURE]\n --api-key API-KEY, -k API-KEY\n LLM API Key [env: LLM_API_KEY]\n --cloud-location CLOUD-LOCATION\n LLM cloud location region (required for GCP's Vertex AI) [env: LLM_CLOUD_LOCATION]\n --cloud-project CLOUD-PROJECT\n LLM cloud project ID (required for GCP's Vertex AI) [env: LLM_CLOUD_PROJECT]\n --interface INTERFACE, -i INTERFACE\n interface to serve on\n --config-file CONFIG-FILE, -c CONFIG-FILE\n Path to config file [default: config/config.yaml]\n --event-log-file EVENT-LOG-FILE, -o EVENT-LOG-FILE\n Path to event log file [default: event_log.json]\n --cache-db-file CACHE-DB-FILE, -f CACHE-DB-FILE\n Path to database file for response caching [default: cache.db]\n --cache-duration CACHE-DURATION, -d CACHE-DURATION\n Cache duration for generated responses (in hours). Use 0 to disable caching, and -1 for unlimited caching (no expiration). [default: 24]\n --log-level LOG-LEVEL, -l LOG-LEVEL\n Log level (debug, info, error, fatal) [default: info]\n --help, -h display this help and exit\n```\n\n### Run in Docker\n\n- Ensure you have Docker CE or EE installed locally.\n- Clone the repo and build the docker image.\n- You can mount a local directory to the container to store the logs.\n- Run the docker container.\n\n```bash\n% git clone git@github.com:0x4D31/galah.git\n% cd galah\n% mkdir logs\n% export LLM_API_KEY=your-api-key\n% docker build -t galah-image .\n% docker run -d --name galah-container -p 8080:8080 -v $(pwd)/logs:/galah/logs -e LLM_API_KEY galah-image -o logs/galah.json -p openai -m gpt-3.5-turbo-1106\n```\n\n## Example Usage\n\n```bash\n./galah -p gcp-vertex -m gemini-1.0-pro-002 --cloud-project galah-test --cloud-location us-central1 --temperature 0.2 --cache-duration 0\n```\n\n```\n% curl -i http://localhost:8080/.aws/credentials\nHTTP/1.1 200 OK\nDate: Sun, 26 May 2024 16:37:26 GMT\nContent-Length: 116\nContent-Type: text/plain; charset=utf-8\n\n[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\naws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n```\n\nJSON event log:\n```\n{\n \"eventTime\": \"2024-05-26T18:37:26.742418+02:00\",\n \"httpRequest\": {\n \"body\": \"\",\n \"bodySha256\": \"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\n \"headers\": \"User-Agent: [curl/7.71.1], Accept: [*/*]\",\n \"headersSorted\": \"Accept,User-Agent\",\n \"headersSortedSha256\": \"cf69e186169279bd51769f29d122b07f1f9b7e51bf119c340b66fbd2a1128bc9\",\n \"method\": \"GET\",\n \"protocolVersion\": \"HTTP/1.1\",\n \"request\": \"/.aws/credentials\",\n \"userAgent\": \"curl/7.71.1\"\n },\n \"httpResponse\": {\n \"headers\": {\n \"Content-Length\": \"127\",\n \"Content-Type\": \"text/plain\"\n },\n \"body\": \"[default]\\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\\naws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\\n\"\n },\n \"level\": \"info\",\n \"llm\": {\n \"model\": \"gemini-1.0-pro-002\",\n \"provider\": \"gcp-vertex\",\n \"temperature\": 0.2\n },\n \"msg\": \"successfulResponse\",\n \"port\": \"8080\",\n \"sensorName\": \"mbp.local\",\n \"srcHost\": \"localhost\",\n \"srcIP\": \"::1\",\n \"srcPort\": \"51725\",\n \"tags\": null,\n \"time\": \"2024-05-26T18:37:26.742447+02:00\"\n}\n```\n\nSee more examples [here](docs/EXAMPLES.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0x4d31%2Fgalah","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0x4d31%2Fgalah","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0x4d31%2Fgalah/lists"}