{"id":31674990,"url":"https://github.com/batcherss/deception-detection-system-dds-","last_synced_at":"2026-05-14T20:31:10.548Z","repository":{"id":315083115,"uuid":"1058042154","full_name":"Batcherss/Deception-Detection-System-DDS-","owner":"Batcherss","description":"A hybrid Honeypot + IDS built in Go. DDS combines deception techniques to attract attackers with real-time detection to analyze their behavior. It logs malicious probes, scanning activity, and suspicious payloads without executing them, making it a safe, lightweight, and effective tool for research, blacklisting, and intrusion awareness.","archived":false,"fork":false,"pushed_at":"2025-09-16T16:03:12.000Z","size":44,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-16T16:47:00.622Z","etag":null,"topics":["antiexploit","effictive","elasticsearch","fast","honeypot","hybrid","ids","lightweight","port","safe","tool"],"latest_commit_sha":null,"homepage":"https://batcherss.github.io/ddswiki/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Batcherss.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-16T14:43:25.000Z","updated_at":"2025-09-16T16:03:16.000Z","dependencies_parsed_at":"2025-09-16T16:47:02.753Z","dependency_job_id":"1e5bbdd6-8257-449e-b881-8d0aaf56643c","html_url":"https://github.com/Batcherss/Deception-Detection-System-DDS-","commit_stats":null,"previous_names":["
batcherss/deception-detection-system-dds-"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/Batcherss/Deception-Detection-System-DDS-","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Batcherss%2FDeception-Detection-System-DDS-","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Batcherss%2FDeception-Detection-System-DDS-/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Batcherss%2FDeception-Detection-System-DDS-/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Batcherss%2FDeception-Detection-System-DDS-/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Batcherss","download_url":"https://codeload.github.com/Batcherss/Deception-Detection-System-DDS-/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Batcherss%2FDeception-Detection-System-DDS-/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278891744,"owners_count":26063856,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-08T02:00:06.501Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antiexploit","effictive","elasticsearch","fast","honeypot","hybrid","ids","lightweight","port","safe","tool"],"created_at":"2025-10-08T04:58:34.761Z","updated_at":"2025
-10-08T04:58:36.830Z","avatar_url":"https://github.com/Batcherss.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# README.md (English)  \r\n\r\n[Русская версия (Russian)](./README_ru.md)\r\n\r\n---\r\n\r\n# Go Honeypot\r\n\r\n**A lightweight, pragmatic honeypot written in Go for collecting telemetry from network scanners and simple automated attacks.**\r\n\r\nThis repository contains a single-file honeypot implementation designed for fast deployment on a workstation or VM. It combines passive packet capture with basic TCP/UDP listeners, simple service emulation (banners), and heuristic-based detection. The honeypot never executes incoming payloads — it analyzes, hashes, and stores metadata only.\r\n\r\n---\r\n\r\n## Advantages\r\n\r\n- **Low friction deployment**: single binary, minimal dependencies, easy to build and run.\r\n- **Hybrid telemetry**: active listeners (TCP/UDP) + passive pcap capture on a network interface — gives broader visibility into attacker behaviour.\r\n- **Focused on data collection**: hashes and metadata stored, with optional Elasticsearch bulk ingestion for later analysis.\r\n- **Safety-first design**: no execution of payloads, truncation of large payloads, and signature-based filtering to avoid accidental exploitation.\r\n- **Respectful coexistence**: attempts to bind configured ports but will not hijack ports where real services are already running.\r\n- **Simple in-memory defenses**: quick blocklist and best-effort `iptables` insertion to reduce noise and repeated probes.\r\n- **Runtime admin console**: simple stdin-based commands for status, graceful shutdown and ad-hoc logging.\r\n\r\n---\r\n\r\n## Features\r\n\r\n- Listening on configurable TCP and UDP ports.\r\n- Passive pcap capture with gopacket when an interface is specified.\r\n- Heuristic-based scan detection:\r\n  - Sliding time window analysis\r\n  - Distinct port threshold\r\n  - SYN-only rate detection\r\n  - Null-payload probe 
detection\r\n- Signature checks for common RCE/payload patterns and simple binary heuristics (NOP-sled, high non-ASCII ratio).\r\n- In-memory blocklist with configurable TTL and optional firewall insertion.\r\n- Elasticsearch bulk logging with fallback to stdout/file.\r\n- Sturdy, minimal runtime administration via stdin.\r\n\r\n---\r\n\r\n## Limitations and trade-offs\r\n\r\n- **Not a full IDS/IPS**: This project is designed for telemetry and deception, not for replacing production-grade IDS solutions.\r\n- **Heuristic blind spots**: Advanced scanners and evasion techniques (slow scans, randomization, obfuscation) will likely bypass simple heuristics.\r\n- **Resource considerations**: Each incoming connection or captured packet may spawn a goroutine. Under extreme load, this can exhaust system resources.\r\n- **Blocklist persistence**: The default blocklist is in-memory and expires (default TTL 10 minutes). For longer-term blocking, integrate with external firewall/blacklist.\r\n- **Platform differences**: `iptables` commands are Linux-specific; Windows users must rely on the in-memory blocklist and pcap behavior.\r\n\r\n---\r\n\r\n## Quick Start\r\n\r\n### Build\r\n\r\n```bash\r\ngo build -o honeypot main.go\r\n```\r\n\r\n### Example `config.json`\r\n\r\nSet `interface` to the capture interface for your platform: on Windows it is `Ethernet`, on Linux `eth0`.\r\n\r\n```json\r\n{\r\n  \"interface\": \"\",\r\n  \"ports\": [22, 80, 443, 12345],\r\n  \"log_file\": \"honeypot.log\",\r\n  \"snaplen\": 65535,\r\n  \"promisc\": true,\r\n  \"timeout_ms\": 500,\r\n  \"elastic_url\": \"http://127.0.0.1:9200\",\r\n  \"elastic_index\": \"honeypot\",\r\n  \"max_payload\": 4096,\r\n  \"scan_window_s\": 30,\r\n  \"scan_port_thresh\": 10\r\n}\r\n```\r\n\r\n### Run\r\n\r\n```bash\r\n./honeypot -config config.json\r\n```\r\n\r\nWhile running, the process accepts simple stdin commands:\r\n- `status` — emits a runtime status event to logs\r\n- `q` / `quit` / `exit` — graceful shutdown\r\n- any other line is logged as `admin_cmd` for traceability\r\n\r\n---\r\n\r\n## Usage notes and recommendations\r\n\r\n- Run the binary with appropriate privileges if you expect to bind to low ports or insert firewall rules.\r\n- If using pcap on Linux, ensure the running user has permission to capture packets (CAP_NET_RAW) or run as root.\r\n- Tune `scan_window_s` and `scan_port_thresh` to match your environment; default values are conservative for small-scale testing.\r\n- Configure `elastic_url` to enable bulk logging; otherwise logs fall back to file/stdout.\r\n\r\n---\r\n\r\n## Extension ideas (non-exhaustive)\r\n\r\n- **Active deception module**: after detecting a scanner, serve progressively more detailed fake data to entice the scanner to reveal tools/behaviour.\r\n- **Persistent blocklist**: integrate with local firewall or external blocklist service for long-term blocking.\r\n- **Sandboxed payload analysis**: capture suspicious payloads and forward them to an isolated sandbox for deeper inspection (requires strict containment).\r\n- **Rate limiting and worker pool**: add bounded worker pools for connection handling to prevent resource exhaustion.\r\n- **Protocol emulation plugins**: simple emulators for HTTP, FTP, SSH that provide richer telemetry.\r\n\r\n---\r\n\r\n## Security considerations\r\n\r\n- Never run this honeypot on a host with sensitive services unless you fully isolate it (separate VM, strict firewall rules).\r\n- Do not forward captured payload contents to untrusted systems; store only metadata and hashes when possible.\r\n- Be mindful of legal and ethical boundaries when interacting with third-party scanners and hosts.\r\n\r\n---\r\n\r\n## License\r\n\r\n[MIT](./LICENSE)\r\n\r\n---\r\n\r\n\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbatcherss%2Fdeception-detection-system-dds-","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbatcherss%2Fdeception-detection-system-dds-","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbatcherss%2Fdeception-detection-system-dds-/lists"}