Decoy Intelligence: Automated Threat Classification Through Deception
HoneyManager is an ultra-lightweight, open-source honeypot management framework designed specifically for home users and Small-to-Medium Businesses (SMBs). It turns obsolete hardware (old laptops, desktops, Raspberry Pis, or Android devices) into active security sensors that detect both external attacks and internal lateral movement.
Traditional enterprise security solutions require expensive servers with massive RAM. HoneyManager changes the game:
- π₯οΈ Runs on "Worthless" Hardware: Even a 15-year-old Core 2 Duo laptop with 512MB RAM becomes a modern security appliance
- π Zero False Positives: Internal honeypots mean every connection is a confirmed threat (no legitimate device should touch them)
- π Detects the "Guest Threat": Catches infected smartphones or consultant laptops attempting lateral movement on your Wi-Fi
- π± Sustainable Tech: Repurpose e-waste instead of buying new security appliances
- RAM Usage: ~250MB total (compared to 8GB+ for ELK stacks)
- Storage: 4GB minimum
- CPU: Single-core 1GHz sufficient
- Custom Python analysis engine (no heavy JVM or complex indexing)
- SSH/Telnet Trapper (Cowrie): Mimics QNAP NAS or OpenWRT routers
  - Captures brute-force attempts, executed commands, downloaded malware hashes
- Web Camera Simulation (Nginx): 5MB Alpine-based container
  - Fake Hikvision camera interface
  - Extracts credentials from POST requests even in encrypted traffic
- Windows Services (Dionaea): SMB/FTP/MS-SQL trap
  - Captures actual malware binaries in isolated containers
- Custom IoT: General-purpose Linux IoT simulation
  - Simulates smart fridges, printers with Telnet/FTP/SSH open
- Telegram Integration: Instant notifications for critical events
- Severity Levels: Critical (login attempts), High (port scans), Medium (reconnaissance)
- High Fidelity: Near-zero false positives due to internal placement
- Macvlan Support: Containers get real IPs from your router (bypasses NAT overhead)
- Low CPU Impact: Direct layer-2 networking reduces virtualization load
| Component | Minimum | Recommended |
|---|---|---|
| CPU | 1 GHz Single Core | Any modern dual-core |
| RAM | 512 MB | 1 GB |
| Storage | 4 GB SD Card/HDD | 16 GB SSD |
| Network | Ethernet/Wi-Fi | Ethernet preferred |
| OS | Linux (RHEL, Ubuntu, Debian, Rocky) | Latest LTS Ubuntu/Debian |
Tested on: Raspberry Pi Zero W, 2008 Netbooks, Proxmox LXC containers
Clone the repository, create your configuration and install the Python dependencies:

```bash
git clone https://github.com/yourusername/honeymanager.git
cd honeymanager
cp .env.example .env
# Edit .env and add your Telegram Bot API key
nano .env
pip3 install -r backend/requirements.txt
```

Create the macvlan network (adjust subnet/gateway to match your router) and build the containers:

```bash
docker network create -d macvlan \
  --subnet=192.168.1.0/24 \
  --gateway=192.168.1.1 \
  -o parent=eth0 \
  macvlan_honeynet
docker-compose build
```

Run the backend manually:

```bash
# Terminal 1: Start API
python3 backend/app.py
# Terminal 2: Start Log Watcher
python3 backend/watcher.py
```

Open a browser at http://<your-device-ip>:5000

Or install the systemd services so both processes start at boot:

```bash
sudo cp systemd/*.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable honeymanager-api honeymanager-watcher
sudo systemctl start honeymanager-api honeymanager-watcher
```

Architecture:

```
+-----------------------------------------------------+
| HoneyManager Host                                   |
|  +-----------+  +-----------+  +-----------+        |
|  |  Flask    |  |  SQLite   |  |  Custom   |        |
|  |  Backend  |  |  Database |  |  Watcher  |        |
|  +-----+-----+  +-----------+  +-----+-----+        |
|        |                             |              |
|  +-----+-----------------------------+-----------+  |
|  |          Docker + Macvlan Network             |  |
|  |  +---------+  +---------+  +---------+        |  |
|  |  | Cowrie  |  | Dionaea |  |  IoT    |        |  |
|  |  | (SSH)   |  | (SMB)   |  | (Multi) |        |  |
|  |  +----+----+  +----+----+  +----+----+        |  |
|  +-------|------------|------------|-------------+  |
+----------|------------|------------|----------------+
           |            |            |
     Real IPs: 192.168.1.x/24 (Direct from Router)
```
Core Components:
- app.py: Flask API and web dashboard
- watcher.py: Real-time log analysis engine (replaces heavy SIEM)
- models.py: SQLite ORM for alerts and events
- docker_manager.py: Container orchestration via Docker SDK
| Threat Type | Example | Severity |
|---|---|---|
| Brute Force | 5+ failed SSH logins in 5 minutes | Critical |
| Lateral Movement | Guest phone scanning internal IPs | Critical |
| Credential Harvesting | POST to fake camera login page | High |
| Malware Drops | Binary uploaded via SMB | High |
| Reconnaissance | Port scans, service enumeration | Medium |
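As an added example (not HoneyManager's own watcher.py), a minimal classifier that applies the table above to Cowrie-style JSON log lines: it counts failed logins per source in a sliding five-minute window for the Brute Force row and treats any contact from the LAN subnet as Lateral Movement. Assumptions: 192.168.1.0/24 (the subnet from the macvlan step) is the internal network, the Cowrie eventid names are those Cowrie emits, and mapping Cowrie's file download event onto the Malware Drops row is this example's choice; the log lines are constructed, not real captures.

```python
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the README's threat table: 5+ failed SSH logins in 5 minutes.
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=5)
HONEYNET = ipaddress.ip_network("192.168.1.0/24")  # LAN subnet from the macvlan step

class Classifier:
    """Maps Cowrie JSON events to the threat table's labels and severities."""
    def __init__(self):
        self._failures = defaultdict(deque)  # src_ip -> recent failed-login timestamps
        self._seen_internal = set()          # LAN sources already reported

    def classify(self, line):
        ev = json.loads(line)
        ip, eid = ev["src_ip"], ev["eventid"]
        ts = datetime.strptime(ev["timestamp"][:19], "%Y-%m-%dT%H:%M:%S")
        # Internal placement: no LAN device legitimately touches the decoy -> Lateral Movement.
        if ipaddress.ip_address(ip) in HONEYNET and ip not in self._seen_internal:
            self._seen_internal.add(ip)
            return {"src_ip": ip, "threat": "Lateral Movement", "severity": "Critical"}
        if eid == "cowrie.login.failed":
            window = self._failures[ip]
            window.append(ts)
            while ts - window[0] > BRUTE_FORCE_WINDOW:  # forget failures older than 5 min
                window.popleft()
            if len(window) == BRUTE_FORCE_THRESHOLD:     # fire on the 5th failure in window
                return {"src_ip": ip, "threat": "Brute Force", "severity": "Critical"}
        if eid == "cowrie.session.file_download":
            # Assumption: a file pulled into the SSH trap maps to the table's Malware Drop row.
            return {"src_ip": ip, "threat": "Malware Drop", "severity": "High"}
        return None

def make_event(eventid, src_ip, timestamp, **extra):  # constructed Cowrie-style line
    return json.dumps({"eventid": eventid, "src_ip": src_ip, "timestamp": timestamp, **extra})

def run(lines):
    """Replay log lines in order; return the alerts the watcher would push to Telegram."""
    clf = Classifier()
    return [alert for alert in map(clf.classify, lines) if alert]

# Constructed sample: five failures in four minutes, a download, then a LAN peer connecting.
SAMPLE_LOG = [make_event("cowrie.login.failed", "203.0.113.7", f"2024-05-01T10:0{i}:00Z")
              for i in range(5)] + [
    make_event("cowrie.session.file_download", "203.0.113.7", "2024-05-01T10:06:00Z",
               shasum="PLACEHOLDER_SHA256"),
    make_event("cowrie.session.connect", "192.168.1.42", "2024-05-01T10:07:00Z")]
```

Running `run(SAMPLE_LOG)` yields three alerts in order: Brute Force (Critical), Malware Drop (High) and Lateral Movement (Critical); failures spread more than five minutes apart never reach the threshold.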
- All malware samples are captured in isolated Docker containers
- SQLite database is lightweight but not encrypted by default (encrypt your host disk)
- Place honeypots on internal VLANs for best protection
Active Development Phase
HoneyManager is currently functional and deployed, but we're rapidly improving it. Here's what's coming:
- Core Flask backend and REST API
- Four honeypot container types
- Telegram alerting system
- Macvlan networking support
- Real-time log watcher
- Web dashboard UI
- Advanced analytics dashboard (attack graphs, trends)
- Automatic malware sandboxing integration
- REST API for external SIEM integration
- Machine learning for attack pattern recognition (MITRE ATT&CK category labelling)
- Automatic threat intelligence feeds (IOC blocking)
- On-the-fly labelling using Kafka & Python services
- Kubernetes support for scaling
- Web-based configuration wizard
Stay Tuned! We're constantly improving HoneyManager with new deception techniques, better analytics, and broader device support.
- Cowrie for the excellent SSH honeypot
- Dionaea for multi-protocol capture
- Alpine Linux for making 5MB containers possible
- The open-source security community
Made for analysts who extract contextual threat intelligence from deception through NLP and automated classification.