Beelzebub ChatGPT Honeypot

Constructs complete honeypot systems across SSH, HTTP, and TCP protocols using a Builder pattern implementation that coordinates configuration parsing, protocol manager initialization, and service lifecycle management. The Director component orchestrates the building sequence, loading YAML configurations and delegating protocol-specific setup to specialized builders, enabling low-code honeypot deployment without manual service wiring.

Integrates OpenAI and Ollama LLM providers to generate contextually realistic SSH command responses in real-time, replacing static response files. When an attacker executes a command matching configured regex patterns, the system constructs a prompt from the matched command and sends it to the configured LLM provider, receiving dynamically generated output that mimics legitimate system behavior. This approach uses a plugin architecture where LLMHoneypot implements the response generator interface.

Implements a plugin architecture that allows custom handlers and response generators to be registered at runtime without modifying core Beelzebub code. The LLMHoneypot plugin demonstrates this pattern, implementing a response generator interface that can be swapped for alternative implementations. Plugins can be loaded from external Go packages or compiled into the binary, enabling operators to extend honeypot functionality for custom protocols or attack simulation scenarios.

Provides Docker containerization and Kubernetes deployment manifests for running Beelzebub in containerized environments. Docker images include all dependencies and can be deployed as standalone containers or orchestrated via Kubernetes. Kubernetes support includes ConfigMap-based configuration management, Service definitions for network exposure, and StatefulSet patterns for persistent honeypot deployments. This enables honeypots to be deployed alongside other containerized security infrastructure.

Allows operators to customize LLM prompts that guide response generation for different attack scenarios, enabling fine-tuned honeypot behavior without code changes. Prompts can be configured per-protocol or per-command, allowing different response styles for SSH commands vs HTTP requests. This enables operators to simulate specific system behaviors (e.g., vulnerable database responses, misconfigured web servers) by crafting targeted prompts.

Implements a Singleton tracer component that captures all honeypot interactions (SSH commands, HTTP requests, TCP packets) into structured event logs, with pluggable backends for persistence and real-time publishing. Events include attack metadata (source IP, timestamp, protocol, payload), and the tracer can route events to RabbitMQ for stream processing, Prometheus for metrics aggregation, or local file storage. The tracer uses a Strategy pattern to support multiple output backends without coupling to specific implementations.

Defines configurable HTTP honeypot services that listen on specified ports and respond to requests on defined endpoint paths with either static response bodies or LLM-generated content. Each endpoint can be configured with HTTP method matching (GET, POST, etc.), response status codes, custom headers, and optional regex-based request body matching. The HTTP honeypot service uses the same LLMHoneypot plugin as SSH, allowing dynamic response generation for sophisticated attack simulation.

Implements an SSH server honeypot that accepts connections with configurable credentials, matches executed commands against regex patterns, and returns either static or LLM-generated responses. The SSH honeypot can be configured with custom server version strings and server names to mimic specific SSH implementations. Command matching uses regex patterns to identify attack commands (e.g., privilege escalation attempts, reconnaissance commands) and route them to appropriate response handlers.

Provides a generic TCP honeypot service that listens on configurable ports and responds to raw TCP connections with static or LLM-generated responses. Unlike SSH and HTTP honeypots, TCP honeypots are protocol-agnostic and can simulate any TCP-based service (Telnet, FTP, custom protocols) by matching incoming data against regex patterns and returning configured responses. This enables honeypots for proprietary or legacy protocols without protocol-specific implementation.

Integrates with RabbitMQ message broker to publish honeypot events in real-time, enabling downstream stream processing, SIEM ingestion, and distributed analysis. Events are serialized as JSON and published to configurable RabbitMQ exchanges/queues, allowing multiple consumers to subscribe to attack data without coupling to the honeypot. This enables architectures where honeypots feed threat intelligence pipelines, incident response workflows, and security analytics platforms.

Exports honeypot activity as Prometheus time-series metrics, enabling real-time monitoring, dashboarding, and alerting on attack patterns. Metrics include attack frequency by protocol, source IP distribution, command execution patterns, and response latencies. The tracer publishes metrics in Prometheus text format on a configurable HTTP endpoint, allowing Prometheus servers to scrape honeypot metrics alongside other infrastructure metrics.

Provides declarative YAML configuration system for defining honeypot services (SSH, HTTP, TCP), protocol-specific parameters, LLM provider settings, and global logging/tracing configuration. Configuration is split into core configuration (beelzebub.yaml) for global settings and service configuration files for individual honeypot definitions. The parser component loads and validates YAML, enabling operators to deploy honeypots without code changes or recompilation.

Sends real-time attack notifications to Telegram channels/users when honeypot events occur, enabling immediate alerting to security teams. The notification system integrates with the tracer to subscribe to attack events and format them as Telegram messages. This provides out-of-band alerting independent of SIEM or monitoring systems, ensuring critical attacks are immediately visible to on-call personnel.