# Beelzebub

## Overview

Beelzebub is an advanced honeypot framework designed to provide a highly secure environment for detecting and analyzing cyber attacks. It offers a low code approach for easy implementation and uses AI to mimic the behavior of a high-interaction honeypot.

## Table of Contents

- [Global Threat Intelligence Community](#global-threat-intelligence-community)
- [Key Features](#key-features)
- [Architecture](#architecture)
- [Quick Start](#quick-start)
- [Configuration](#configuration)
  - [Core Configuration](#core-configuration)
  - [Service Configuration](#service-configuration)
- [Protocol Examples](#protocol-examples)
  - [MCP Honeypot](#mcp-honeypot)
  - [HTTP Honeypot](#http-honeypot)
  - [SSH Honeypot](#ssh-honeypot)
  - [TELNET Honeypot](#telnet-honeypot)
  - [TCP Honeypot](#tcp-honeypot)
- [Observability](#observability)
  - [Prometheus Metrics](#prometheus-metrics)
  - [RabbitMQ Integration](#rabbitmq-integration)
  - [Beelzebub Cloud](#beelzebub-cloud)
- [Testing](#testing)
- [Code Quality](#code-quality)
- [Contributing](#contributing)
- [License](#license)

## Global Threat Intelligence Community

Our mission is to establish a collaborative ecosystem of security researchers and white hat professionals worldwide, dedicated to creating a distributed honeypot network that identifies emerging malware, discovers zero-day vulnerabilities, and neutralizes active botnets.

[White paper](https://github.com/beelzebub-labs/white-paper/)

The white paper includes information on how to join our Discord community and contribute to the global threat intelligence network.

## Key Features

Beelzebub offers a wide range of features to enhance your honeypot environment:

- **Low-code configuration**: YAML-based, modular service definition
- **LLM integration**: The LLM convincingly simulates a real system, creating high-interaction honeypot experiences, while actually maintaining low-interaction architecture for enhanced security and easy management
- **Multi-protocol support**: SSH, HTTP, TCP, TELNET, MCP (detect prompt injection against LLM agents)
- **Prometheus metrics & observability**: Built-in metrics endpoint for monitoring
- **Event tracing**: Multiple output strategies (stdout, RabbitMQ, Beelzebub Cloud)
- **Docker & Kubernetes ready**: Deploy anywhere with provided configurations
- **ELK stack ready**: Official integration available at [Elastic docs](https://www.elastic.co/docs/reference/integrations/beelzebub)

## Quick Start

You can run Beelzebub via Docker, the Go compiler (cross-device), or Helm (Kubernetes).

### Using Docker Compose

1. Build the Docker images:

   ```bash
   $ docker compose build
   ```

2. Start Beelzebub in detached mode:

   ```bash
   $ docker compose up -d
   ```

### Using Go Compiler

1. Download the necessary Go modules:

   ```bash
   $ go mod download
   ```

2. Build the Beelzebub executable:

   ```bash
   $ go build
   ```

3. Run Beelzebub:

   ```bash
   $ ./beelzebub
   ```

### Deploy on a Kubernetes cluster using Helm

1. Install Helm.

2. Deploy Beelzebub:

   ```bash
   $ helm install beelzebub ./beelzebub-chart
   ```

3. For the next release, upgrade the deployment:

   ```bash
   $ helm upgrade beelzebub ./beelzebub-chart
   ```

## Configuration

Beelzebub uses a two-tier configuration system:

1. **Core configuration** (`beelzebub.yaml`) - Global settings for logging, tracing, and Prometheus
2. **Service configurations** (`services/*.yaml`) - Individual honeypot service definitions

### Core Configuration

The core configuration file controls global behavior:

```yaml
core:
  logging:
    debug: false
    debugReportCaller: false
    logDisableTimestamp: true
    logsPath: ./logs
  tracings:
    rabbit-mq:
      enabled: false
      uri: "amqp://guest:guest@localhost:5672/"
  prometheus:
    path: "/metrics"
    port: ":2112"
  beelzebub-cloud:
    enabled: false
    uri: ""
    auth-token: ""
```

### Service Configuration

Each honeypot service is defined in a separate YAML file in the `services/` directory. To run Beelzebub with custom paths:

```bash
./beelzebub --confCore ./configurations/beelzebub.yaml --confServices ./configurations/services/
```

Additional flags:

- `--memLimitMiB <value>` - Set memory limit in MiB (default: 100, use -1 to disable)

## Protocol Examples

Below are example configurations for each supported protocol.

### MCP Honeypot

MCP (Model Context Protocol) honeypots are decoy tools designed to detect prompt injection attacks against LLM agents.

#### Why Use an MCP Honeypot?

An MCP honeypot is a **decoy tool** that the agent should never invoke under normal circumstances. Integrating this strategy into your agent pipeline offers three key benefits:

- **Real-time detection of guardrail bypass attempts** - Instantly identify when a prompt injection attack successfully convinces the agent to invoke a restricted tool
- **Automatic collection of real attack prompts** - Every activation logs genuine malicious prompts, enabling continuous improvement of your filtering mechanisms
- **Continuous monitoring of attack trends** - Track exploit frequency and system resilience using objective, actionable measurements (HAR, TPR, MTP)

**mcp-8000.yaml**:

```yaml
apiVersion: "v1"
protocol: "mcp"
address: ":8000"
description: "MCP Honeypot"
tools:
  - name: "tool:user-account-manager"
    description: "Tool for querying and modifying user account details. Requires administrator privileges."
    params:
      - name: "user_id"
        description: "The ID of the user account to manage."
      - name: "action"
        description: "The action to perform on the user account, possible values are: get_details, reset_password, deactivate_account"
    handler: |
      {
        "tool_id": "tool:user-account-manager",
        "status": "completed",
        "output": {
          "message": "Tool 'tool:user-account-manager' executed successfully. Results are pending internal processing and will be logged.",
          "result": {
            "operation_status": "success",
            "details": "email: kirsten@gmail.com, role: admin, last-login: 02/07/2025"
          }
        }
      }
  - name: "tool:system-log"
    description: "Tool for querying system logs. Requires administrator privileges."
    params:
      - name: "filter"
        description: "The input used to filter the logs."
    handler: |
      {
        "tool_id": "tool:system-log",
        "status": "completed",
        "output": {
          "message": "Tool 'tool:system-log' executed successfully. Results are pending internal processing and will be logged.",
          "result": {
            "operation_status": "success",
            "details": "Info: email: kirsten@gmail.com, last-login: 02/07/2025"
          }
        }
      }
```

Invoke remotely via `http://beelzebub:port/mcp` (Streamable HTTP Server).

### HTTP Honeypot

HTTP honeypots respond to web requests with configurable responses based on URL pattern matching.

**http-80.yaml** (WordPress simulation):

```yaml
apiVersion: "v1"
protocol: "http"
address: ":80"
description: "Wordpress 6.0"
commands:
  - regex: "^(/index.php|/index.html|/)$"
    handler:
      <html>
        <header>
          <title>Wordpress 6 test page</title>
        </header>
        <body>
          <h1>Hello from Wordpress</h1>
        </body>
      </html>
    headers:
      - "Content-Type: text/html"
      - "Server: Apache/2.4.53 (Debian)"
      - "X-Powered-By: PHP/7.4.29"
    statusCode: 200
  - regex: "^(/wp-login.php|/wp-admin)$"
    handler:
      <html>
        <header>
          <title>Wordpress 6 test page</title>
        </header>
        <body>
          <form action="" method="post">
            <label for="uname"><b>Username</b></label>
            <input type="text" placeholder="Enter Username" name="uname" required>

            <label for="psw"><b>Password</b></label>
            <input type="password" placeholder="Enter Password" name="psw" required>

            <button type="submit">Login</button>
          </form>
        </body>
      </html>
    headers:
      - "Content-Type: text/html"
      - "Server: Apache/2.4.53 (Debian)"
      - "X-Powered-By: PHP/7.4.29"
    statusCode: 200
  - regex: "^.*$"
    handler:
      <html>
        <header>
          <title>404</title>
        </header>
        <body>
          <h1>Not found!</h1>
        </body>
      </html>
    headers:
      - "Content-Type: text/html"
      - "Server: Apache/2.4.53 (Debian)"
      - "X-Powered-By: PHP/7.4.29"
    statusCode: 404
```

**http-8080.yaml** (Apache 401 simulation):

```yaml
apiVersion: "v1"
protocol: "http"
address: ":8080"
description: "Apache 401"
commands:
  - regex: ".*"
    handler: "Unauthorized"
    headers:
      - "www-Authenticate: Basic"
      - "server: Apache"
    statusCode: 401
```

### SSH Honeypot

SSH honeypots support both static command responses and LLM-powered dynamic interactions.

#### LLM-Powered SSH Honeypot

Using OpenAI as the LLM provider:

```yaml
apiVersion: "v1"
protocol: "ssh"
address: ":2222"
description: "SSH interactive OpenAI GPT-4"
commands:
  - regex: "^(.+)$"
    plugin: "LLMHoneypot"
serverVersion: "OpenSSH"
serverName: "ubuntu"
passwordRegex: "^(root|qwerty|Smoker666|123456|jenkins|minecraft|sinus|alex|postgres|Ly123456)$"
deadlineTimeoutSeconds: 60
plugin:
  llmProvider: "openai"
  llmModel: "gpt-4o" # Models: https://platform.openai.com/docs/models
  openAISecretKey: "sk-proj-123456"
```

Using a local Ollama instance:

```yaml
apiVersion: "v1"
protocol: "ssh"
address: ":2222"
description: "SSH Ollama Llama3"
commands:
  - regex: "^(.+)$"
    plugin: "LLMHoneypot"
serverVersion: "OpenSSH"
serverName: "ubuntu"
passwordRegex: "^(root|qwerty|Smoker666|123456|jenkins|minecraft|sinus|alex|postgres|Ly123456)$"
deadlineTimeoutSeconds: 60
plugin:
  llmProvider: "ollama"
  llmModel: "codellama:7b"
  host: "http://localhost:11434/api/chat"
```

Using a custom prompt:

```yaml
apiVersion: "v1"
protocol: "ssh"
address: ":2222"
description: "SSH interactive OpenAI GPT-4"
commands:
  - regex: "^(.+)$"
    plugin: "LLMHoneypot"
serverVersion: "OpenSSH"
serverName: "ubuntu"
passwordRegex: "^(root|qwerty|Smoker666|123456|jenkins|minecraft|sinus|alex|postgres|Ly123456)$"
deadlineTimeoutSeconds: 60
plugin:
  llmProvider: "openai"
  llmModel: "gpt-4o"
  openAISecretKey: "sk-proj-123456"
  prompt: "You will act as an Ubuntu Linux terminal. The user will type commands, and you are to reply with what the terminal should show. Your responses must be contained within a single code block."
```

#### Static SSH Honeypot

```yaml
apiVersion: "v1"
protocol: "ssh"
address: ":22"
description: "SSH interactive"
commands:
  - regex: "^ls$"
    handler: "Documents Images Desktop Downloads .m2 .kube .ssh .docker"
  - regex: "^pwd$"
    handler: "/home/"
  - regex: "^uname -m$"
    handler: "x86_64"
  - regex: "^docker ps$"
    handler: "CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES"
  - regex: "^docker .*$"
    handler: "Error response from daemon: dial unix docker.raw.sock: connect: connection refused"
  - regex: "^uname$"
    handler: "Linux"
  - regex: "^ps$"
    handler: "PID TTY TIME CMD\n21642 ttys000 0:00.07 /bin/dockerd"
  - regex: "^(.+)$"
    handler: "command not found"
serverVersion: "OpenSSH"
serverName: "ubuntu"
passwordRegex: "^(root|qwerty|Smoker666)$"
deadlineTimeoutSeconds: 60
```

### TELNET Honeypot

TELNET honeypots provide terminal-based interaction similar to SSH, with support for both static responses and LLM integration.

#### LLM-Powered TELNET Honeypot

```yaml
apiVersion: "v1"
protocol: "telnet"
address: ":23"
description: "TELNET LLM Honeypot"
commands:
  - regex: "^(.+)$"
    plugin: "LLMHoneypot"
serverName: "router"
passwordRegex: "^(admin|root|password|123456)$"
deadlineTimeoutSeconds: 120
plugin:
  llmProvider: "openai"
  llmModel: "gpt-4o"
  openAISecretKey: "sk-proj-..."
```

#### Static TELNET Honeypot

```yaml
apiVersion: "v1"
protocol: "telnet"
address: ":23"
description: "TELNET Router Simulation"
commands:
  - regex: "^show version$"
    handler: "Cisco IOS Software, Version 15.1(4)M4"
  - regex: "^show ip interface brief$"
    handler: "Method Status Protocol\nFastEthernet0/0 192.168.1.1 YES NVRAM up up"
  - regex: "^(.+)$"
    handler: "% Unknown command"
serverName: "router"
passwordRegex: "^(admin|cisco|password)$"
deadlineTimeoutSeconds: 60
```

### TCP Honeypot

TCP honeypots respond with a configurable banner to any TCP connection. Useful for simulating database servers or other TCP services.

```yaml
apiVersion: "v1"
protocol: "tcp"
address: ":3306"
description: "MySQL 8.0.29"
banner: "8.0.29"
deadlineTimeoutSeconds: 10
```

## Observability

### Prometheus Metrics

Beelzebub exposes Prometheus metrics at the configured endpoint (default: `:2112/metrics`). Available metrics include:

- `beelzebub_events_total` - Total number of honeypot events
- `beelzebub_events_ssh_total` - SSH-specific events
- `beelzebub_events_http_total` - HTTP-specific events
- `beelzebub_events_tcp_total` - TCP-specific events
- `beelzebub_events_telnet_total` - TELNET-specific events
- `beelzebub_events_mcp_total` - MCP-specific events

### RabbitMQ Integration

Enable RabbitMQ tracing to publish honeypot events to a message queue:

```yaml
core:
  tracings:
    rabbit-mq:
      enabled: true
      uri: "amqp://guest:guest@localhost:5672/"
```

Events are published as JSON messages for downstream processing.

## Testing

### Unit Tests

```bash
make test.unit
```

### Integration Tests

Integration tests require external dependencies (RabbitMQ, etc.):

```bash
make test.dependencies.start
make test.integration
make test.dependencies.down
```

## Code Quality

We maintain high code quality through:

- **Automated Testing**: Unit and integration tests run on every pull request
- **Static Analysis**: Go Report Card and CodeQL for code quality and security checks
- **Code Coverage**: Monitored via [Codecov](https://codecov.io/gh/mariocandela/beelzebub)
- **Continuous Integration**: GitHub Actions pipelines on every commit
- **Code Reviews**: All contributions undergo peer review

## Contributing

The Beelzebub team welcomes contributions and project participation. Whether you want to report bugs, contribute new features, or have any questions, please refer to our [Contributor Guide](CONTRIBUTING.md) for detailed information. We encourage all participants and maintainers to adhere to our [Code of Conduct](CODE_OF_CONDUCT.md) and foster a supportive and respectful community.

Happy hacking!

## License

Beelzebub is licensed under the [GNU GPL v3 License](LICENSE).

## Supported By

<https://jb.gg/OpenSourceSupport>
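
How the three `commands` regexes of the `http-80.yaml` example in the HTTP Honeypot section behave on realistic probe URIs, as an added Go example that is not part of the Beelzebub code base. It assumes rules are tried in file order with the first match winning and that each regex is applied to the request path plus query string; `rule`, `route` and the probe URIs are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// rule mirrors one `commands` entry of http-80.yaml: a regex and a status code.
type rule struct {
	name   string
	re     *regexp.Regexp
	status int
}

// wordpressRules are the three regexes from http-80.yaml, in file order.
var wordpressRules = []rule{
	{"index", regexp.MustCompile(`^(/index.php|/index.html|/)$`), 200},
	{"login", regexp.MustCompile(`^(/wp-login.php|/wp-admin)$`), 200},
	{"catch-all", regexp.MustCompile(`^.*$`), 404},
}

// route returns the first matching rule (assumed: file order, path plus query).
func route(rules []rule, uri string) (string, int) {
	for _, r := range rules {
		if r.re.MatchString(uri) {
			return r.name, r.status
		}
	}
	return "", 0
}

// probes are constructed request URIs of the kind scanners send.
var probes = []string{
	"/wp-login.php",                 // exact match: login form
	"/wp-login.php?action=register", // query string defeats the `$` anchor
	"/wp-admin/",                    // trailing slash defeats it too
	"/indexXphp",                    // unescaped `.` matches any character
}

func main() {
	for _, p := range probes {
		name, status := route(wordpressRules, p)
		fmt.Printf("%-32s -> %-9s %d\n", p, name, status)
	}
	// Moving the catch-all first shadows every later rule.
	bad := []rule{wordpressRules[2], wordpressRules[0], wordpressRules[1]}
	name, status := route(bad, "/wp-login.php")
	fmt.Printf("%-32s -> %-9s %d (catch-all first)\n", "/wp-login.php", name, status)
}
```

Under these assumptions, login probes that carry a query string or trailing slash receive the 404 page instead of the decoy form, so the login regex has to allow for them if those probes should be engaged; escaping the dots as `\.` keeps the index rule from matching unrelated paths.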