https://github.com/kung-foo/freki
Freki is a tool to manipulate packets in usermode using NFQUEUE and golang.
- Host: GitHub
- URL: https://github.com/kung-foo/freki
- Owner: kung-foo
- License: mit
- Created: 2017-01-02T11:42:54.000Z (almost 9 years ago)
- Default Branch: master
- Last Pushed: 2023-02-02T12:03:16.000Z (over 2 years ago)
- Last Synced: 2025-03-27T12:52:41.042Z (6 months ago)
- Topics: golang, honeypot, nfqueue
- Language: Go
- Homepage:
- Size: 11.9 MB
- Stars: 58
- Watchers: 6
- Forks: 11
- Open Issues: 3
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
README
freki
=====

[Build status on Travis CI](https://travis-ci.org/kung-foo/freki)

The ravenous and greedy one.

**Freki** is a tool for manipulating packets in userspace. Using the iptables raw table, packets are diverted (via NFQUEUE) down into userspace, where **freki** takes over. A set of rules is then applied, which allows for a large amount of flexibility. For example, you can forward all TCP ports to an HTTP honeypot and log the requests, or you can proxy TCP port 22 into a docker container running an ssh honeypot.
There are currently two builtin loggers:

* `log_tcp`: reads up to 1024 bytes from the connection, and then closes it.
* `log_http`: sends a 200 OK back on every request.

Additionally, there are three mangling behaviors:

* `rewrite`: rewrites the incoming packet's destination port
* `proxy`: creates a TCP proxy for the connection to the specified target (can be an IP address, host name, or docker container)
* `user_conn`: when using **freki** as a library, invokes a user-specified callback with a `net.Conn`

```
$ ./bin/freki --help
Usage:
    freki [options] [-v ...] -i=<interface> -r=<rules>
    freki -h | --help | --version

Options:
    -i --interface=<interface>  Bind to this interface.
    -r --rules=<rules>          Rules file.
    -h --help                   Show this screen.
    --version                   Show version.
    -v                          Enable verbose logging (-vv for very verbose)
```

Build
-----

Requires: go 1.7+, libnetfilter-queue-dev>=1.0.0, libpcap-dev, iptables-dev
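As an added illustration of the `log_tcp` and `proxy` behaviors described above, the following Go program is not freki's code (freki's own handlers live in its repository and differ in detail); it implements both behaviors on plain `net.Conn` values, which is also what a `user_conn` callback receives. Assumptions made here: the read deadline on the logger is this example's addition, since the page does not say whether freki sets one; the echo target is constructed so the program runs offline without Docker or a remote host; and the program accepts connections on a loopback socket rather than receiving NFQUEUE-diverted traffic.

```go
package main

import (
	"io"
	"log"
	"net"
	"sync"
	"time"
)

// logTCP is the behaviour the README gives for log_tcp: read at most limit
// bytes from the connection, log them, then close it. The read deadline is an
// assumption added here (the page does not say whether freki sets one); without
// it a client that connects and then stays silent pins the handler forever.
func logTCP(conn net.Conn, limit int, timeout time.Duration) []byte {
	defer conn.Close()
	_ = conn.SetReadDeadline(time.Now().Add(timeout))
	buf := make([]byte, limit)
	n := 0
	for n < limit {
		m, err := conn.Read(buf[n:])
		n += m
		if err != nil { // io.EOF, deadline exceeded or reset: all end the capture
			break
		}
	}
	log.Printf("log_tcp %s: %d bytes %q", conn.RemoteAddr(), n, buf[:n])
	return buf[:n]
}

// halfClose sends FIN on a TCP socket so the peer can still finish writing;
// connections without half-close (net.Pipe in tests) are closed outright.
func halfClose(c net.Conn) {
	if tc, ok := c.(*net.TCPConn); ok {
		_ = tc.CloseWrite()
	} else {
		_ = c.Close()
	}
}

// proxyTCP is the proxy behaviour: dial target and relay bytes both ways.
// Each direction half-closes its sink when its source hits EOF, so a client
// that sends a request followed by FIN still receives the complete reply.
// Returns the bytes copied client->target and target->client.
func proxyTCP(client net.Conn, target string, dialTimeout time.Duration) (int64, int64, error) {
	defer client.Close()
	upstream, err := net.DialTimeout("tcp", target, dialTimeout)
	if err != nil {
		return 0, 0, err
	}
	defer upstream.Close()
	var up, down int64
	var wg sync.WaitGroup
	wg.Add(2)
	go func() {
		defer wg.Done()
		up, _ = io.Copy(upstream, client)
		halfClose(upstream)
	}()
	go func() {
		defer wg.Done()
		down, _ = io.Copy(client, upstream)
		halfClose(client)
	}()
	wg.Wait() // a client that never sends FIN keeps the pair open; add idle deadlines if that matters
	return up, down, nil
}

// startEcho is a loopback echo server standing in for a real target such as
// docker://redis:6379; it is constructed here so the example runs offline.
func startEcho() (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { defer c.Close(); _, _ = io.Copy(c, c) }(c)
		}
	}()
	return ln.Addr().String(), nil
}

func main() {
	target, err := startEcho()
	if err != nil {
		log.Fatal(err)
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("proxying %s -> %s; connect with nc, type a line, press Ctrl-D", ln.Addr(), target)
	for {
		c, err := ln.Accept()
		if err != nil {
			log.Fatal(err)
		}
		go func(c net.Conn) {
			up, down, err := proxyTCP(c, target, 2*time.Second)
			log.Printf("proxy %s: %d bytes up, %d down, err=%v", c.RemoteAddr(), up, down, err)
		}(c)
	}
}
```

Run it, connect with `nc` to the port it prints, type a line and press Ctrl-D: the half-close is what lets the echoed reply arrive before the proxy tears the pair down, which matters for any target that answers only after it has seen the client's FIN. The cap and deadline in `logTCP` bound what a single honeypot connection can cost; a rule that sends every remaining TCP port to `log_tcp` is only safe to run at scale when each connection is guaranteed to end.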
Rules Specification
-------------------

Rules are applied in order (top down), and evaluation stops at the first rule whose filter matches. The `match` field (required) is written using [BPF filter](https://biot.com/capstats/bpf.html) syntax. Note: not every filter primitive is meaningful here. For example, the Ethernet src and dst addresses are generally zeroed out by the time **freki** sees the packet, so filtering on them is pointless.
```yaml
rules:
  # allow packets from your machine (1.2.3.4) to reach your ssh server
  - match: tcp dst port 22 and src host 1.2.3.4
    type: passthrough
  # send all tcp coming in on 10022 to 22
  - match: tcp dst port 10022
    type: rewrite
    target: 22
  # proxy all packets coming in on 6379 on to a container named 'redis' (must exist at the time freki starts)
  - match: tcp dst port 6379
    type: proxy
    target: docker://redis:6379
  # proxy all packets coming in on 666 out to portquiz.net:666
  - match: tcp dst port 666
    type: proxy
    target: tcp://portquiz.net:666
  # log http requests on 80 and 8080
  - match: tcp port 80 or tcp port 8080
    type: log_http
  # pass connections on 7000 through 8000 to a registered handler called 'echo'
  - match: tcp portrange 7000-8000
    type: conn_handler
    target: echo
  # drop (no FIN, nothing!)
  - match: tcp portrange 5000-5010
    type: drop
  # forward all remaining tcp packets to a tcp logger. grabs 1024 bytes and then closes.
  - match: tcp
    type: log_tcp
  # anything not matched above: an empty match matches everything
  - match:
    type: passthrough
```

Notes
-----

If **freki** hangs or panics, it may leave two iptables rules in place. The simple fix is: `sudo iptables -t raw -F`. Be aware that `-F` flushes every rule in the raw table, not only **freki**'s; if other rules live there, list the table with `sudo iptables -t raw -S` and delete just the NFQUEUE entries with `-D` instead.
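The rules section above says that rules are applied top down and that evaluation stops at the first match. The following Go program is added here as an illustration and is not freki's code: freki compiles `match` with libpcap's BPF engine, whereas this is a small hand-written evaluator for only the subset of filter syntax the example rules use. It transcribes the rule list above and evaluates constructed packets against it, so the ordering effects become visible: an ssh connection from any host other than 1.2.3.4 slides past the `passthrough` rule and lands on `log_tcp`, and a UDP packet reaches only the final catch-all. The `Rule`, `Packet`, `FirstMatch` and `Eval` names are this example's, not freki's API.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Rule is one entry of the YAML rules: list; Target is empty for types without one.
type Rule struct{ Match, Type, Target string }

// Packet is the part of a decoded IPv4 header the filters below inspect.
type Packet struct {
	Proto            string // "tcp" or "udp"
	SrcIP, DstIP     net.IP
	SrcPort, DstPort uint16
}

// ExampleRules is the README's rule list transcribed into Go, in the same order.
var ExampleRules = []Rule{
	{"tcp dst port 22 and src host 1.2.3.4", "passthrough", ""},
	{"tcp dst port 10022", "rewrite", "22"},
	{"tcp dst port 6379", "proxy", "docker://redis:6379"},
	{"tcp dst port 666", "proxy", "tcp://portquiz.net:666"},
	{"tcp port 80 or tcp port 8080", "log_http", ""},
	{"tcp portrange 7000-8000", "conn_handler", "echo"},
	{"tcp portrange 5000-5010", "drop", ""},
	{"tcp", "log_tcp", ""},
	{"", "passthrough", ""},
}

// FirstMatch walks rules top down and returns the index and rule of the first
// match (-1, nil if none). Later rules are never consulted, so order matters.
func FirstMatch(rules []Rule, p Packet) (int, *Rule, error) {
	for i := range rules {
		if ok, err := Eval(rules[i].Match, p); err != nil {
			return -1, nil, fmt.Errorf("rule %d %q: %w", i, rules[i].Match, err)
		} else if ok {
			return i, &rules[i], nil
		}
	}
	return -1, nil, nil
}

// Eval covers the pcap filter subset the README example uses: [tcp|udp] [src|dst]
// host/port/portrange joined by and/or. As in pcap, and/or have equal precedence
// and associate left to right, and an empty filter matches everything. Anything
// it cannot parse is an error, not a silent non-match (which would let the packet
// fall through to a later, more permissive rule).
func Eval(expr string, p Packet) (bool, error) {
	toks := strings.Fields(expr)
	if len(toks) == 0 {
		return true, nil
	}
	result, rest, err := primitive(toks, p)
	for err == nil && len(rest) > 0 {
		op, v := rest[0], false
		if v, rest, err = primitive(rest[1:], p); err != nil {
			break
		}
		switch op {
		case "and":
			result = result && v
		case "or":
			result = result || v
		default:
			err = fmt.Errorf("unexpected %q, want and/or", op)
		}
	}
	return result, err
}

// primitive parses one primitive off the front of toks, evaluates it against p
// and returns the verdict plus the unconsumed tokens.
func primitive(toks []string, p Packet) (bool, []string, error) {
	ok, dir := true, ""
	if len(toks) > 0 && (toks[0] == "tcp" || toks[0] == "udp") {
		ok, toks = p.Proto == toks[0], toks[1:]
		if len(toks) == 0 || toks[0] == "and" || toks[0] == "or" {
			return ok, toks, nil // bare protocol primitive
		}
	}
	if len(toks) > 0 && (toks[0] == "src" || toks[0] == "dst") {
		dir, toks = toks[0], toks[1:]
	}
	if len(toks) < 2 {
		return false, nil, fmt.Errorf("incomplete primitive near %q", strings.Join(toks, " "))
	}
	src, dst, err := sides(toks[0], toks[1], p)
	if err != nil {
		return false, nil, err
	}
	hit := (dir != "dst" && src) || (dir != "src" && dst) // undirected: either end may match
	return ok && hit, toks[2:], nil
}

// sides reports whether the source and the destination end of p satisfy a
// host, port or portrange operand; "port N" is the range N-N.
func sides(kw, arg string, p Packet) (bool, bool, error) {
	if kw == "host" {
		ip := net.ParseIP(arg)
		if ip == nil {
			return false, false, fmt.Errorf("bad host %q", arg)
		}
		return p.SrcIP.Equal(ip), p.DstIP.Equal(ip), nil
	}
	if kw != "port" && kw != "portrange" {
		return false, false, fmt.Errorf("unsupported keyword %q", kw)
	}
	b := strings.SplitN(arg, "-", 2)
	lo, err := strconv.ParseUint(b[0], 10, 16)
	hi := lo
	if err == nil && len(b) == 2 {
		hi, err = strconv.ParseUint(b[1], 10, 16)
	}
	if err != nil || hi < lo {
		return false, false, fmt.Errorf("bad port or range %q", arg)
	}
	in := func(x uint16) bool { return uint64(x) >= lo && uint64(x) <= hi }
	return in(p.SrcPort), in(p.DstPort), nil
}

func main() {
	// Constructed packet: ssh from a host other than 1.2.3.4 misses rule 0 and lands on log_tcp.
	i, r, err := FirstMatch(ExampleRules, Packet{"tcp", net.ParseIP("5.6.7.8"), net.ParseIP("10.0.0.1"), 40001, 22})
	fmt.Printf("rule %d: %+v err=%v\n", i, r, err)
}
```

Two properties of the evaluator carry over to the real tool. A filter that does not parse is reported as an error instead of being treated as "no match", because a `match` that silently never fires lets traffic fall through to whatever later rule is more permissive, usually the catch-all. And the pcap precedence rule is preserved: `and` and `or` bind equally and group left to right, so `tcp port 80 or tcp port 8080 and src host 1.2.3.4` restricts both ports to that host, not just 8080.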
Contributors
------------

* [Jonathan Camp](https://keybase.io/kung_foo)
* [Lukas Rist](https://keybase.io/glaslos)
* Mohammad Bilal

License
-------

_freki_ is distributed under the terms of the MIT License.