SNARE
Super Next generation Advanced Reactive honEypot
SNARE is a web application honeypot and the successor of Glastopf. It has many of the same features as Glastopf, as well as the ability to convert existing web pages into attack surfaces with TANNER. Every event sent from SNARE to TANNER is evaluated, and TANNER decides how SNARE should respond to the client. This allows the honeypot to produce dynamic responses, which improves its camouflage. When fingerprinted by attackers, SNARE presents itself as an Nginx web application server.
Basic Concepts
- Surface first. Focus on the attack surface generation. Clone with Cloner.
- Sensors and masters. Lightweight collectors (SNARE) and central decision maker (tanner).
Getting started
You need Python3. We tested primarily with >=3.4.
This was tested with a recent Ubuntu-based Linux.
Steps to set up:
- Get SNARE:
git clone https://github.com/mushorg/snare.git
cd snare
- [Optional] Make virtual environment:
python3 -m venv venv
- [Optional] Activate virtual environment:
. venv/bin/activate
Note: Do not use sudo with the commands below if you're running snare in a virtual environment.
- Install requirements:
sudo pip3 install -r requirements.txt
- Setup snare:
sudo python3 setup.py install
- Clone a page:
sudo clone --target http://example.com --path <path to base dir>
- Run SNARE:
sudo snare --port 8080 --page-dir example.com --path <path to base dir>
(See Snare command line parameters description for more info)
- Test: Visit http://localhost:8080/index.html
- (Optionally) Have your own tanner service running.
[Note: Cloner clones the whole website. To restrict cloning to a desired depth, add the --max-depth parameter.]
You obviously want to bind to 0.0.0.0 and port 80 when running in production.
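A smoke test for the Test step above, added here as an example (it is not part of the SNARE project's code): it fetches http://localhost:8080/index.html and checks that the cloned page is served and that the response looks like Nginx before the sensor is exposed. The function names, the sample responses and the assumption that the Nginx fingerprint is carried in the Server header are this example's own.

```python
import http.client


def evaluate(status, headers, body):
    """Return a list of problems found in one response from the sensor."""
    problems = []
    if status != 200:
        problems.append("cloned page not served (HTTP %d)" % status)
    if not body:
        problems.append("empty response body")
    # Assumption: the Nginx fingerprint shows up in the Server header.
    server = {k.lower(): v for k, v in headers}.get("server", "")
    if "nginx" not in server.lower():
        problems.append("Server header %r does not look like nginx" % server)
    return problems


def probe(host="localhost", port=8080, path="/index.html", timeout=5):
    """Fetch the test URL from the Getting started steps and evaluate it."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return evaluate(resp.status, resp.getheaders(), resp.read())
    except (OSError, http.client.HTTPException) as exc:
        # Connection refused, timeout, or a malformed HTTP reply.
        return ["sensor not reachable: %s" % exc]
    finally:
        conn.close()


# Constructed sample responses (not captured from a real SNARE instance).
SAMPLES = {
    "healthy": (200, [("Server", "nginx"), ("Content-Type", "text/html")],
                b"<html></html>"),
    "leaky": (200, [("Server", "Python/3.4 aiohttp")], b"<html></html>"),
    "missing page": (404, [("Server", "nginx")], b""),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", evaluate(*sample) or "ok")
    # Live check against the port used in the steps above.
    print("live probe ->", probe() or "ok")
```

An empty list means the response passed every check; the live probe reports "sensor not reachable" instead of raising when nothing is listening on the port.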
Docker build instructions
- Change current directory to the snare project directory
- docker-compose build
- docker-compose up
More information about running docker-compose can be found here.