https://github.com/mariocandela/beelzebub

A secure low code honeypot framework, leveraging LLM for System Virtualization.
https://github.com/mariocandela/beelzebub

cloudnative cloudsecurity cybersecurity deception framework go golang honeypot kubernetes llama3 llm llm-honeypot llm-security low-code ollama openai research research-project security whitehat

Last synced: 6 months ago
JSON representation

A secure low code honeypot framework, leveraging LLM for System Virtualization.

Host: GitHub
URL: https://github.com/mariocandela/beelzebub
Owner: mariocandela
License: gpl-3.0
Created: 2022-05-08T18:47:02.000Z (over 3 years ago)
Default Branch: main
Last Pushed: 2025-05-06T06:28:10.000Z (6 months ago)
Last Synced: 2025-05-08T20:52:15.671Z (6 months ago)
Topics: cloudnative, cloudsecurity, cybersecurity, deception, framework, go, golang, honeypot, kubernetes, llama3, llm, llm-honeypot, llm-security, low-code, ollama, openai, research, research-project, security, whitehat
Language: Go
Homepage: https://beelzebub-honeypot.com
Size: 346 KB
Stars: 1,066
Watchers: 15
Forks: 79
Open Issues: 1
Metadata Files:
- Readme: README.md
- Changelog: historystore/history_store.go
- Contributing: CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md

Awesome Lists containing this project

awesome-go - beelzebub - A secure low code honeypot framework, leveraging AI for System Virtualization. (Security / HTTP Clients)
awesome-gpt-security - beelzebub - Go-Based Low-Code Honeypot Framework with Enhanced Security, Leveraging GPT-3 for System Virtualization (Tools / Investigation)
awesome-chatgpt - Beelzebub - Secure honeypot framework. (Web apps / Self-hosted)
fucking-awesome-chatgpt - Beelzebub ChatGPT Honeypot
awesome-chatgpt - Beelzebub ChatGPT Honeypot
awesome-chatgpt - Beelzebub ChatGPT Honeypot
awesome-chatgpt - mariocandela/beelzebub - Go based low code Honeypot Framework with Enhanced Security, leveraging OpenAI GPT for System Virtualization (Channel Resources / GitHub Projects)
awesome-chatgpt - beelzebub
awesome-chatgpt-zh - Beelzebub ChatGPT 蜜罐
awesome-chatgpt - Beelzebub - Secure honeypot framework. (Web apps / Self-hosted)
awesome-gpt - Beelzebub ChatGPT Honeypot
awesome-go - mariocandela/beelzebub
awesome-chatgpt-resources - beelzebub
awesome-chatgpt-resources - beelzebub
awesome-go - beelzebub - A secure low code honeypot framework, leveraging AI for System Virtualization. Stars:`1.5K`. (Security / HTTP Clients)
best-of-mcp-servers - GitHub - 7% open · ⏱️ 22.10.2025) (Security)
awesome-mcp-servers - **mariocandela/beelzebub ☁️** - Beelzebub is a honeypot framework that lets you build honeypot tools using MCP. Its purpose is to detect prompt injection or malicious agent behavior. The underlying idea is to provide the agent with tools it would never use in its normal work. `http` `git` `github` (Other)
awesome-chatgpt - mariocandela/beelzebub - Beelzebub is a secure low-code honeypot framework leveraging large language models for system virtualization to detect and analyze cyber attacks with AI-driven interaction. (SDK, Libraries, Frameworks / Golang library, sdk or frameworks)
awesome-go - mariocandela/beelzebub
awesome-mcp-servers - **mariocandela/beelzebub ☁️** - Beelzebub is a honeypot framework that lets you build honeypot tools using MCP. Its purpose is to detect prompt injection or malicious agent behavior. The underlying idea is to provide the agent with tools it would never use in its normal work. `http` `git` `github` (📦 Other)

README

# Beelzebub

[![CI](https://github.com/mariocandela/beelzebub/actions/workflows/ci.yml/badge.svg)](https://github.com/mariocandela/beelzebub/actions/workflows/ci.yml) [![Docker](https://github.com/mariocandela/beelzebub/actions/workflows/docker-image.yml/badge.svg)](https://github.com/mariocandela/beelzebub/actions/workflows/docker-image.yml) [![codeql](https://github.com/mariocandela/beelzebub/actions/workflows/codeql.yml/badge.svg)](https://github.com/mariocandela/beelzebub/actions/workflows/codeql.yml)
[![Go Report Card](https://goreportcard.com/badge/github.com/mariocandela/beelzebub/v3)](https://goreportcard.com/report/github.com/mariocandela/beelzebub/v3)
[![codecov](https://codecov.io/gh/mariocandela/beelzebub/graph/badge.svg?token=8XTK7D4WHE)](https://codecov.io/gh/mariocandela/beelzebub)
[![Go Reference](https://pkg.go.dev/badge/github.com/mariocandela/beelzebub/v3.svg)](https://pkg.go.dev/github.com/mariocandela/beelzebub/v3)
[![Mentioned in Awesome Go](https://awesome.re/mentioned-badge.svg)](https://github.com/avelino/awesome-go)

## Overview

Beelzebub is an advanced honeypot framework designed to provide a highly secure environment for detecting and analyzing cyber attacks. It offers a low code approach for easy implementation and uses AI to mimic the behavior of a high-interaction honeypot.

Beelzebub Logo

## LLM Honeypot

[![asciicast](https://asciinema.org/a/665295.svg)](https://asciinema.org/a/665295)

## Telegram Bot for Real-Time Attacks

Stay updated on real-time attacks by joining our dedicated Telegram channel: [Telegram Channel](https://t.me/beelzebubhoneypot)

## Examples

To better understand the capabilities of Beelzebub, you can explore our example repository: [mariocandela/beelzebub-example](https://github.com/mariocandela/beelzebub-example)

## Quick Start

We provide two quick start options for build and run Beelzebub: using Docker Compose or the Go compiler.

### Using Docker Compose

1. Build the Docker images:

```bash
$ docker-compose build
```

2. Start Beelzebub in detached mode:

```bash
$ docker-compose up -d
```

### Using Go Compiler

1. Download the necessary Go modules:

```bash
$ go mod download
```

2. Build the Beelzebub executable:

```bash
$ go build
```

3. Run Beelzebub:

```bash
$ ./beelzebub
```

### Deploy on kubernetes cluster using helm

1. Install helm

2. Deploy beelzebub:

```bash
$ helm install beelzebub ./beelzebub-chart
```

3. Next release

```bash
$ helm upgrade beelzebub ./beelzebub-chart
```
## Testing

We provide two types of tests: unit tests and integration tests.

### Unit Tests

To run unit tests:

```bash
$ make test.unit
```

### Integration Tests

To run integration tests:

```bash
$ make test.dependencies.start
$ make test.integration
$ make test.dependencies.down
```

## Key Features

Beelzebub offers a wide range of features to enhance your honeypot environment:

- Support for Ollama
- Support for OpenAI
- SSH Honeypot
- HTTP Honeypot
- TCP Honeypot
- Prometheus openmetrics integration
- Docker integration
- RabbitMQ integration
- kubernetes

## Example Configuration

Beelzebub allows easy configuration for different services and ports. Simply create a new file for each service/port within the `/configurations/services` directory.

To execute Beelzebub with your custom path, use the following command:

```bash
$ ./beelzebub --confCore ./configurations/beelzebub.yaml --confServices ./configurations/services/
```

Here are some example configurations for different honeypot scenarios:

#### Example HTTP Honeypot on Port 80

###### http-80.yaml

```yaml
apiVersion: "v1"
protocol: "http"
address: ":80"
description: "Wordpress 6.0"
commands:
- regex: "^(/index.php|/index.html|/)$"
handler:

Wordpress 6 test page

Hello from Wordpress

headers:
- "Content-Type: text/html"
- "Server: Apache/2.4.53 (Debian)"
- "X-Powered-By: PHP/7.4.29"
statusCode: 200
- regex: "^(/wp-login.php|/wp-admin)$"
handler:

Wordpress 6 test page

Username

Password

Login

headers:
- "Content-Type: text/html"
- "Server: Apache/2.4.53 (Debian)"
- "X-Powered-By: PHP/7.4.29"
statusCode: 200
- regex: "^.*$"
handler:

404

Not found!

headers:
- "Content-Type: text/html"
- "Server: Apache/2.4.53 (Debian)"
- "X-Powered-By: PHP/7.4.29"
statusCode: 404
```

#### Example HTTP Honeypot on Port 8080

###### http-8080.yaml

```yaml
apiVersion: "v1"
protocol: "http"
address: ":8080"
description: "Apache 401"
commands:
- regex: ".*"
handler: "Unauthorized"
headers:
- "www-Authenticate: Basic"
- "server: Apache"
statusCode: 401
```

#### Example SSH Honeypot

###### LLM Honeypots

Follow a SSH LLM Honeypot using OpenAI as provider LLM:

```yaml
apiVersion: "v1"
protocol: "ssh"
address: ":2222"
description: "SSH interactive OpenAI GPT-4"
commands:
- regex: "^(.+)$"
plugin: "LLMHoneypot"
serverVersion: "OpenSSH"
serverName: "ubuntu"
passwordRegex: "^(root|qwerty|Smoker666|123456|jenkins|minecraft|sinus|alex|postgres|Ly123456)$"
deadlineTimeoutSeconds: 60
plugin:
llmProvider: "openai"
llmModel: "gpt-4o" #Models https://platform.openai.com/docs/models
openAISecretKey: "sk-proj-123456"
```

Examples with local Ollama instance using model codellama:7b:

```yaml
apiVersion: "v1"
protocol: "ssh"
address: ":2222"
description: "SSH Ollama Llama3"
commands:
- regex: "^(.+)$"
plugin: "LLMHoneypot"
serverVersion: "OpenSSH"
serverName: "ubuntu"
passwordRegex: "^(root|qwerty|Smoker666|123456|jenkins|minecraft|sinus|alex|postgres|Ly123456)$"
deadlineTimeoutSeconds: 60
plugin:
llmProvider: "ollama"
llmModel: "codellama:7b" #Models https://ollama.com/search
host: "http://example.com/api/chat" #default http://localhost:11434/api/chat
```
Example with custom prompt:

```yaml
apiVersion: "v1"
protocol: "ssh"
address: ":2222"
description: "SSH interactive OpenAI GPT-4"
commands:
- regex: "^(.+)$"
plugin: "LLMHoneypot"
serverVersion: "OpenSSH"
serverName: "ubuntu"
passwordRegex: "^(root|qwerty|Smoker666|123456|jenkins|minecraft|sinus|alex|postgres|Ly123456)$"
deadlineTimeoutSeconds: 60
plugin:
llmProvider: "openai"
llmModel: "gpt-4o"
openAISecretKey: "sk-proj-123456"
prompt: "You will act as an Ubuntu Linux terminal. The user will type commands, and you are to reply with what the terminal should show. Your responses must be contained within a single code block."
```

###### SSH Honeypot on Port 22

###### ssh-22.yaml

```yaml
apiVersion: "v1"
protocol: "ssh"
address: ":22"

description: "SSH interactive"
commands:
- regex: "^ls$"
handler: "Documents Images Desktop Downloads .m2 .kube .ssh .docker"
- regex: "^pwd$"
handler: "/home/"
- regex: "^uname -m$"
handler: "x86_64"
- regex: "^docker ps$"
handler: "CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES"
- regex: "^docker .*$"
handler: "Error response from daemon: dial unix docker.raw.sock: connect: connection refused"
- regex: "^uname$"
handler: "Linux"
- regex: "^ps$"
handler: "PID TTY TIME CMD\n21642 ttys000 0:00.07 /bin/dockerd"
- regex: "^(.+)$"
handler: "command not found"
serverVersion: "OpenSSH"
serverName: "ubuntu"
passwordRegex: "^(root|qwerty|Smoker666)$"
deadlineTimeoutSeconds: 60
```

## Roadmap

Our future plans for Beelzebub include developing it into a robust PaaS platform.

## Contributing

The Beelzebub team welcomes contributions and project participation. Whether you want to report bugs, contribute new features, or have any questions, please refer to our [Contributor Guide](CONTRIBUTING.md) for detailed information. We encourage all participants and maintainers to adhere to our [Code of Conduct](CODE_OF_CONDUCT.md) and foster a supportive and respectful community.

Happy hacking!

## License

Beelzebub is licensed under the [MIT License](LICENSE).

## Supported by
[![JetBrains logo.](https://resources.jetbrains.com/storage/products/company/brand/logos/jetbrains.svg)](https://jb.gg/OpenSourceSupport)

![gitbook logo](https://i.postimg.cc/VNQh5hnk/gitbook.png)

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Awesome

https://github.com/mariocandela/beelzebub

Awesome Lists containing this project

README

Hello from Wordpress

Not found!