Honeypot, Malware Analysis

A Simple Elasticsearch Honeypot

ElasticHoney is a simple elasticsearch honeypot designed to catch attackers exploiting RCE vulnerabilities in elasticsearch.

How it Works
This honeypot is pretty simple. It takes requests on the /, /_search, and /_nodes endpoints and returns a JSON response that is identical to a vulnerable ES instance (should be identical – I took the responses straight from one of my hosts that got 0wned).

Attacks are logged as soon as they are detected. By default, elastichoney logs the attacks in JSON format to stdout, as well as to a file called elastichoney.log.
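To make the design above concrete, here is an added minimal Go version of the same idea (example code, not ElasticHoney's own): it serves canned JSON on /, /_search and /_nodes, answers everything else with a JSON 404, and writes one JSON event per request to stdout and elastichoney.log. The response bodies, node name and version string are constructed placeholders, not captures from a real node.

```go
package main

import (
	"encoding/json"
	"io"
	"log"
	"net/http"
	"os"
	"time"
)

// Event is one logged request; the encoder writes it as a single JSON line.
type Event struct {
	Time      string `json:"@timestamp"`
	Source    string `json:"source"`
	Method    string `json:"method"`
	Path      string `json:"path"`
	UserAgent string `json:"user_agent"`
	Body      string `json:"body"`
	Matched   bool   `json:"matched_endpoint"`
}
// Constructed placeholder bodies standing in for real captures; the version is a made-up sample.
var responses = map[string]string{
	"/":        `{"status":200,"name":"honey-node","version":{"number":"0.0.0-sample"},"tagline":"You Know, for Search"}`,
	"/_search": `{"took":1,"timed_out":false,"hits":{"total":0,"hits":[]}}`,
	"/_nodes":  `{"cluster_name":"elasticsearch","nodes":{}}`,
}
// NewHandler serves the canned responses and logs every request to out; unknown paths get a JSON 404 but are still logged.
func NewHandler(out io.Writer) http.Handler {
	enc := json.NewEncoder(out)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(io.LimitReader(r.Body, 4096)) // cap what is kept in the log
		resp, ok := responses[r.URL.Path]
		enc.Encode(Event{time.Now().UTC().Format(time.RFC3339), r.RemoteAddr,
			r.Method, r.URL.Path, r.UserAgent(), string(body), ok})
		w.Header().Set("Content-Type", "application/json; charset=UTF-8")
		if !ok {
			w.WriteHeader(http.StatusNotFound)
			resp = `{"error":"not found","status":404}`
		}
		w.Write([]byte(resp))
	})
}
func main() { // default Elasticsearch port; log to stdout and elastichoney.log
	f, err := os.OpenFile("elastichoney.log", os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o644)
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":9200", NewHandler(io.MultiWriter(os.Stdout, f))))
}
```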


./elastichoney -h

Usage of elastichoney:
-config="config.json": Location of the configuration file
-log="elastichoney.log": Location of the log file
-verbose=false: Output verbose logging to STDOUT

If you would like to compile and run elastichoney using Docker and Docker Compose, you can do so by running:

mkdir logs
docker-compose build
docker-compose up

You can find more about ElasticHoney here.

The project's source code is on GitHub, published under the MIT License.