
Basic Defensive Lab (Honeypot)

Honeypot environment using Cowrie and an agent to collect attack data, integrated with a central Manager for monitoring and dashboard visualization.

Overview diagram of defensive lab (placeholder)

Requirements

Topology & Addresses

This example uses private local static IPs on a lab network.

Components

  1. Attacker (Kali)

    Attacker screenshot 1 (placeholder) Attacker screenshot 2 (placeholder)

    This VM simulates offensive activity (scans, exploits). Use Kali to run tools like nmap, hping3, or exploitation frameworks to generate malicious traffic toward the honeypot. Example IP: 192.168.1.10.

  2. Honeypot (Cowrie)

    Cowrie honeypot UI / files (placeholder)

    Cowrie is a medium-interaction SSH/Telnet honeypot: it emulates a login and a shell, so it records the credentials attackers try, every command they type, and the whole session (including a TTY replay and any files they download). In this lab we run Cowrie on the honeypot VM and forward its logs to the Manager. Example IP: 192.168.1.100.

    • Cowrie — captures attacker sessions and writes logs.
    • Agent — a lightweight forwarder (Wazuh agent) that ships logs to the Manager.
    Agent screenshot placeholder

    Keep Cowrie running and collect its output: cowrie.log (human-readable), cowrie.json (one JSON event per line, enabled through the output_jsonlog section of cowrie.cfg) and the per-session TTY recordings. Ship cowrie.json with the Wazuh agent (a <localfile> entry with the json log format in the agent's ossec.conf) to your manager host for aggregation and visualization; the JSON output is the one the Manager's rules can decode field by field.
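    The kind of rule-based alerting the Manager applies to the shipped events, as an added example that is not part of this page or of Cowrie/Wazuh: a small Python analyzer that reads cowrie.json (one JSON object per line, field names as Cowrie emits them) and raises three alerts: N failed logins from one source inside a time window (the brute force pattern Hydra produces), a login Cowrie accepted together with the captured credentials, and every command the attacker typed. The sample events, IPs, session ids, credentials and thresholds are constructed for this example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

FAIL_THRESHOLD = 5   # assumed: this many failed logins from one source ip ...
WINDOW_SECONDS = 60  # ... within this many seconds raises a brute-force alert

# Constructed cowrie.json excerpt (Cowrie field names; IPs, session ids,
# credentials and timestamps are made up for this example).
SAMPLE_COWRIE_JSON = """
{"eventid":"cowrie.session.connect","src_ip":"192.168.1.10","src_port":51234,"dst_ip":"192.168.1.100","dst_port":2222,"session":"a1b2c3d4e5f6","timestamp":"2024-05-01T10:00:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"192.168.1.10","session":"a1b2c3d4e5f6","timestamp":"2024-05-01T10:00:01.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","src_ip":"192.168.1.10","session":"a1b2c3d4e5f6","timestamp":"2024-05-01T10:00:02.000000Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"192.168.1.10","session":"a1b2c3d4e5f6","timestamp":"2024-05-01T10:00:03.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"toor","src_ip":"192.168.1.10","session":"a1b2c3d4e5f6","timestamp":"2024-05-01T10:00:04.000000Z"}
{"eventid":"cowrie.login.failed","username":"pi","password":"raspberry","src_ip":"192.168.1.55","session":"0f0f0f0f0f0f","timestamp":"2024-05-01T10:00:04.500000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"qwerty","src_ip":"192.168.1.10","session":"a1b2c3d4e5f6","timestamp":"2024-05-01T10:00:05.000000Z"}
{"eventid":"cowrie.login.success","username":"root","password":"password","src_ip":"192.168.1.10","session":"a1b2c3d4e5f6","timestamp":"2024-05-01T10:00:06.000000Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"192.168.1.10","session":"a1b2c3d4e5f6","timestamp":"2024-05-01T10:00:07.000000Z"}
{"eventid":"cowrie.command.input","input":"cat /etc/passwd","src_ip":"192.168.1.10","session":"a1b2c3d4e5f6","timestamp":"2024-05-01T10:00:08.000000Z"}
{"eventid":"cowrie.session.closed","src_ip":"192.168.1.10","session":"a1b2c3d4e5f6","duration":9.0,"timestamp":"2024-05-01T10:00:09.000000Z"}
"""


def parse_events(text):
    """Parse cowrie.json content; skip blank or torn lines, sort by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a partially written line at the tail of a live log
        ev["_ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append(ev)
    events.sort(key=lambda e: e["_ts"])
    return events


def analyze(events):
    """Return a list of alert dicts in the order the triggering events arrive."""
    alerts = []
    recent_failures = defaultdict(deque)  # src_ip -> timestamps inside the window
    already_flagged = set()               # one brute-force alert per source ip
    for ev in events:
        eid, src = ev.get("eventid"), ev.get("src_ip")
        if eid == "cowrie.login.failed":
            window = recent_failures[src]
            window.append(ev["_ts"])
            while (ev["_ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()  # drop failures that fell out of the window
            if len(window) >= FAIL_THRESHOLD and src not in already_flagged:
                already_flagged.add(src)
                alerts.append({"rule": "ssh_bruteforce", "src_ip": src,
                               "count": len(window), "session": ev.get("session")})
        elif eid == "cowrie.login.success":
            # Cowrie accepted the credentials: the attacker now has a fake shell
            alerts.append({"rule": "honeypot_login_success", "src_ip": src,
                           "username": ev.get("username"), "password": ev.get("password"),
                           "session": ev.get("session")})
        elif eid == "cowrie.command.input":
            alerts.append({"rule": "honeypot_command", "src_ip": src,
                           "input": ev.get("input"), "session": ev.get("session")})
    return alerts


if __name__ == "__main__":
    # In the lab: analyze(parse_events(open(".../var/log/cowrie/cowrie.json").read()))
    for alert in analyze(parse_events(SAMPLE_COWRIE_JSON)):
        print(alert)
```

    The noise login from 192.168.1.55 never reaches the threshold and produces no alert; the five failures from 192.168.1.10 do, and the later success and the two commands are each reported as their own alert, which is what you want to see in the dashboard after the Hydra test.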

    Suricata

    Suricata is a network-based intrusion detection and prevention system that monitors live network traffic and analyzes packets using rules to detect attacks, scans, and malicious behavior in real time. Its main function is visibility and alerting across network activity, not interaction.

    Suricata screenshot (placeholder)

    Suricata passively observes the traffic on the interface it monitors (IDS mode; only as an inline IPS could it drop packets), while Cowrie actively lures attackers into a fake system to record what they do. The two are complementary: Suricata sees the scan and the flood, Cowrie sees the logins and the commands.

  3. Manager (Wazuh — Agent & Dashboard)

    The Manager runs Wazuh to ingest and analyze logs forwarded by the honeypot agent. Wazuh combines log aggregation, rule-based alerts, and a web dashboard for monitoring detection events.

    Wazuh dashboard placeholder Wazuh index placeholder
    Wazuh manager placeholder

    Key Manager responsibilities:

    • Receive logs from Wazuh agents (honeypot)
    • Index and store events
    • Provide dashboards and alerts for suspicious activity

    Example Manager services: Wazuh manager (analysis and rules engine, agent enrollment), Wazuh indexer (event storage and search), Wazuh API and Wazuh dashboard (web UI). Example IP: 192.168.1.200.


  4. Attack Testing

    Run each test from the Kali VM against the honeypot (192.168.1.100), then confirm it shows up in Suricata and in the Wazuh dashboard.

    a. Nmap (port scanning)
    Nmap scan output (placeholder)
    b. Hydra brute force (SSH logins against Cowrie)
    Hydra bruteforce output (placeholder)
    c. DoS flooding (a single-source flood from the attacker, e.g. with hping3)
    DoS flooding output (placeholder)
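    A check for the nmap and flooding tests above, and for the Suricata section, as an added example that is not part of this page or of Suricata: it reads Suricata's eve.json flow and alert events and reports a port sweep (many distinct destination ports from one source inside a short window), a flood (flow records per second above a threshold) and any IDS signature that fired. The eve.json lines are generated inline and are constructed, not real Suricata output; the thresholds, the field subset used and the signature name are assumptions. In the lab you would feed it /var/log/suricata/eve.json from the sensor instead, and check the Hydra test in the Cowrie logs rather than here.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ATTACKER = "192.168.1.10"            # Kali VM from the topology above
HONEYPOT = "192.168.1.100"           # Cowrie VM
SCAN_DISTINCT_PORTS = 10             # assumed: distinct dest ports from one source ...
SCAN_WINDOW = timedelta(seconds=30)  # ... inside this window counts as a port sweep
FLOOD_FLOWS_PER_SECOND = 100         # assumed: flow records in one second counts as a flood


def parse_eve(lines):
    """Parse eve.json lines (one JSON object per line); skip blank or torn lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        ev["_ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        events.append(ev)
    events.sort(key=lambda e: e["_ts"])
    return events


def find_port_scan(events):
    """Per source ip: largest set of distinct TCP dest ports seen in any window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("event_type") == "flow" and ev.get("proto") == "TCP":
            by_src[ev["src_ip"]].append((ev["_ts"], ev["dest_port"]))
    findings = {}
    for src, flows in by_src.items():
        best, start = set(), 0
        for end in range(len(flows)):
            while flows[end][0] - flows[start][0] > SCAN_WINDOW:
                start += 1  # slide the window forward
            ports = {port for _, port in flows[start:end + 1]}
            if len(ports) >= SCAN_DISTINCT_PORTS and len(ports) > len(best):
                best = ports
        if best:
            findings[src] = sorted(best)
    return findings


def find_flood(events):
    """Per source ip: peak number of flow records in any one-second bucket."""
    per_second = defaultdict(int)
    for ev in events:
        if ev.get("event_type") == "flow":
            per_second[(ev["src_ip"], ev["_ts"].replace(microsecond=0))] += 1
    peak = defaultdict(int)
    for (src, _), n in per_second.items():
        peak[src] = max(peak[src], n)
    return {src: n for src, n in peak.items() if n >= FLOOD_FLOWS_PER_SECOND}


def collect_alerts(events):
    """(src_ip, signature) for every Suricata alert event."""
    return [(ev["src_ip"], ev["alert"]["signature"])
            for ev in events if ev.get("event_type") == "alert"]


def build_sample():
    """Constructed eve.json lines (not real Suricata output): a 15-port sweep,
    one alert during it, then a one-second burst of 150 flows to port 22."""
    base = datetime(2024, 5, 1, 10, 5, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%S.%f%z"

    def flow(ts, sport, dport):
        return json.dumps({"timestamp": ts.strftime(fmt), "event_type": "flow",
                           "src_ip": ATTACKER, "src_port": sport, "dest_ip": HONEYPOT,
                           "dest_port": dport, "proto": "TCP",
                           "flow": {"pkts_toserver": 1, "pkts_toclient": 1, "state": "closed"}})

    lines = []
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 3306]):
        lines.append(flow(base + timedelta(seconds=i), 40000 + i, port))
    lines.append(json.dumps({"timestamp": (base + timedelta(seconds=5)).strftime(fmt),
                             "event_type": "alert", "src_ip": ATTACKER, "src_port": 40005,
                             "dest_ip": HONEYPOT, "dest_port": 80, "proto": "TCP",
                             "alert": {"signature": "LAB port sweep (constructed signature)",
                                       "severity": 2}}))
    burst = base + timedelta(seconds=60)
    for i in range(150):
        lines.append(flow(burst + timedelta(milliseconds=i), 50000 + i, 22))
    return lines


def check_lab(lines):
    events = parse_eve(lines)
    return {"port_scan": find_port_scan(events),
            "flood": find_flood(events),
            "alerts": collect_alerts(events)}


if __name__ == "__main__":
    # In the lab: check_lab(open("/var/log/suricata/eve.json"))
    print(json.dumps(check_lab(build_sample()), indent=2))
```

    The flow-rate check is deliberately crude: a flood from one VM shows up as hundreds of new flows a second from one source, but in a real deployment you would rely on Suricata's own threshold rules and on the Wazuh dashboard rather than on a script like this. The sweep check reports the ports touched, which you can compare directly with the nmap output on the Kali side.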