Inspiration:
Nowadays, cyber attacks are increasing, but most systems are purely defensive. We thought: "What if we could trap the attackers and learn from them?" We wanted to analyze attackers' tactics, tools and targets using fake targets while protecting real systems. The honeypot concept is old, but we wanted to turn it into a modern, analytical and visual platform.
What it does:
HoneyLogger is a "cyber trap" system. It deceives attackers with fake admin panels and records and analyzes:
- which techniques they use (SQL injection, XSS, brute force)
- where they attack from (IP, country, ISP)
- what kinds of passwords they try
- whether the attacker is a bot or a real person
All of this data is stored in Elasticsearch and presented as visual graphs in Kibana. Thus, security teams can:
- see attack trends
- identify weak points in advance
- better protect real systems
How I built it:
I chose Go because it is fast, concurrent and well suited to systems programming. I built a lightweight but powerful web server with the Gin framework. I built an infrastructure on Elasticsearch that can quickly query millions of logs. I designed visual dashboards in Kibana for non-technical users.
Architecture:
- Modular structure: models, analyzer, honeypot and logger packages
- Async logging with goroutines (for performance)
- Regex-based intelligent threat analysis
- Attacker tracking with browser fingerprinting
- Easy deployment with Docker
Challenges we ran into:
- Regex pattern optimization: We tested hundreds of patterns for SQL injection and XSS detection; some of them gave false positives. Finding the balance was difficult.
- Concurrency and race conditions: At first there was a race condition in the IP attempt counter. We solved it by adding a sync.RWMutex.
- Elasticsearch mapping: Designing the log schema correctly was critical. A wrong mapping was killing query performance.
- Realistic fake panel: If it is too simple, attackers will see through it; if it is too complex, the effort is unnecessary. We had to find the sweet spot.
- Memory leak prevention: The IP cache was constantly growing. We added a 24-hour auto-cleanup ticker.
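As an added illustration of the race-condition and cache-growth points above (example code written for this write-up, not HoneyLogger's own), here is a per-IP attempt counter guarded by a sync.RWMutex, with a TTL sweep that a 24-hour cleanup ticker would drive. The names ipCounter, Record, Count and Sweep are assumed.

```go
package main

import (
	"sync"
	"time"
)

// ipCounter is a hypothetical per-IP attempt counter, not HoneyLogger's own code.
type ipCounter struct {
	mu      sync.RWMutex  // readers share the lock; Record and Sweep take it exclusively
	ttl     time.Duration // idle entries older than this are evicted by Sweep
	entries map[string]ipEntry
}
type ipEntry struct {
	count    int
	lastSeen time.Time
}
func newIPCounter(ttl time.Duration) *ipCounter {
	return &ipCounter{ttl: ttl, entries: make(map[string]ipEntry)}
}

// Record bumps the count for ip under the write lock; an unguarded map loses increments.
func (c *ipCounter) Record(ip string, now time.Time) int {
	c.mu.Lock()
	defer c.mu.Unlock()
	e := c.entries[ip]
	e.count++
	e.lastSeen = now
	c.entries[ip] = e
	return e.count
}

// Count reads under the shared lock, so lookups never block each other.
func (c *ipCounter) Count(ip string) int {
	c.mu.RLock()
	defer c.mu.RUnlock()
	return c.entries[ip].count
}

// Sweep evicts idle entries and returns how many remain; drive it from a time.Ticker.
func (c *ipCounter) Sweep(now time.Time) int {
	c.mu.Lock()
	defer c.mu.Unlock()
	for ip, e := range c.entries {
		if now.Sub(e.lastSeen) > c.ttl {
			delete(c.entries, ip)
		}
	}
	return len(c.entries)
}
```

Sweep takes an explicit clock so it can be exercised in tests without waiting for the ticker; in production a goroutine would call it on each tick.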
Accomplishments that we're proud of:
- Smart threat scoring: Not just pattern matching; the multi-factor scoring system (attack type + attempt count + bot detection + known bad IPs) really works!
- Production-ready architecture: We wrote code that can be used in a real environment, not just a demo. Docker, logging and error handling are all there.
- 12 Kibana visualizations: We prepared a complete SOC dashboard, from pie charts to an interactive map.
- Zero external dependencies for core logic: We used only the stdlib and 3 libraries. Lightweight but powerful.
- Detailed documentation: The README is complete, in-code comments are clear, and every feature is explained.
What we learned:
Go:
- Concurrent programming and mutex usage in Go
- Elasticsearch query optimization and index mapping
- Regex performance tuning (compile once, use many times)
- Docker multi-container orchestration
- Browser fingerprinting techniques
Security:
- Real-world attack patterns
- There are 100+ different variations of SQL injection
- How sophisticated bots can be
- Attacker mindset: first reconnaissance, then exploitation
General:
- Modular design saves time in the long run
- Logging is everything: you can't fix what you can't see
- UX is not only important for the frontend; even API response times matter
MOST IMPORTANT: Using what we can do for good, and being patient.
What's next for HoneyLogger:
2.0 plans:
- Machine learning integration: anomaly pattern detection, automatic classification of new attack types, predictive threat modeling
- Multi-honeypot cluster: distributed deployment, centralized log collection, cross-honeypot correlation
- Advanced geolocation: MaxMind GeoIP2 integration, ASN monitoring, VPN/proxy detection
- Automatic response: automatic ban via iptables/firewall, webhook notifications (Slack, Discord), email alerts for critical threats
- More fake services: fake SSH server, fake FTP server, fake database endpoints, API spoofing
- Threat intelligence feed: AbuseIPDB integration, VirusTotal API, community threat sharing
- Web user interface: real-time dashboard (React/Vue), configuration management panel, live attack feed
Demo: https://honneylogger.netlify.app/
Code: https://github.com/StevenMuanigo