What is Lyrebird?
Lyrebird is a high-interaction honeypot framework.
Real vulnerable applications are exposed to the attacker, but all traffic to the machine is logged in clear-text. End-to-end encrypted connections (like SSH) are intercepted with active man-in-the-middle attacks. The attacker's interaction is recorded both in a mitmproxy dumpfile and a human-readable HTML report.
By default, Lyrebird uses Docker containers to simplify honeypot deployment. That said, Lyrebird itself is not tied to Docker.
Lyrebird's unique feature at the moment is man-in-the-middle SSH interception, with other protocols potentially to follow if there is interest.
Requirements
- A throwaway server/VM to run this on, unless you trust Docker's container isolation.
- Docker and Docker Compose
- (Optional) SSH on a non-default port so that your honeypot can listen on port 22.
- Enough resources to run your vulnerable application.
Getting started
If you are testing this on a throwaway DigitalOcean Droplet or another cheap VPS running Ubuntu, run provision.sh and you are good to go.
- Clone the project
- Adapt docker-compose.yml to your needs (e.g., change the SSH port)
- Start the honeypot:
docker-compose up -d
- View the logs for raw activity:
docker-compose logs -f
- Stop the honeypot:
- View the HTML report in
You probably want to extend either the honeypot base image or one of the application images to make your honeypot system look more legitimate.
After upgrading Lyrebird, existing logfiles can be reprocessed:
./docker-images/build.sh
docker run --rm -t -v ~/lyrebird/data:/data lyrebird/lyrebird reanalyze
Lyrebird is currently in a proof-of-concept phase, with many important parts missing. Most importantly:
- Attackers are free to request services other than a shell over SSH. These are logged, but no export/visualization features exist for, e.g., SFTP. If you encounter an attack which is not visualized correctly, please file an issue with the traffic log.
- There is currently no automatic container monitoring to shut down misbehaving containers.
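Since Lyrebird does not yet shut down misbehaving containers, here is a small watchdog that can run beside it from cron or a loop until the project grows its own. This is an added example, not Lyrebird code: it assumes the honeypot containers share a name prefix (lyrebird_, adjustable via CONTAINER_PREFIX) and that a Docker daemon is reachable for the live mode; the stats lines used in the dry run are constructed.

```shell
#!/bin/sh
# Added example (not part of Lyrebird): stop honeypot containers that exceed a
# CPU or memory threshold. Lyrebird has no such monitoring yet, so this runs
# alongside it, e.g. every minute from cron.
#
# Assumptions (not from the Lyrebird project): honeypot containers are named
# with the prefix below, and `docker stats` is available in live mode.

CONTAINER_PREFIX="${CONTAINER_PREFIX:-lyrebird_}"
CPU_LIMIT="${CPU_LIMIT:-150}"     # percent of one core; >100 means several cores busy
MEM_LIMIT="${MEM_LIMIT:-80}"      # percent of the container's memory limit

# Read lines of the form "<name> <cpu%> <mem%>" on stdin (the output of
# `docker stats --no-stream --format '{{.Name}} {{.CPUPerc}} {{.MemPerc}}'`)
# and print the names of prefixed containers over either threshold, one per line.
select_misbehaving() {
    prefix="$1"; cpu_limit="$2"; mem_limit="$3"
    awk -v prefix="$prefix" -v cpu_limit="$cpu_limit" -v mem_limit="$mem_limit" '
        NF >= 3 && index($1, prefix) == 1 {
            cpu = $2; mem = $3
            sub(/%$/, "", cpu); sub(/%$/, "", mem)
            if (cpu + 0 > cpu_limit + 0 || mem + 0 > mem_limit + 0) print $1
        }'
}

# Live mode: snapshot of current stats -> names over the limit -> docker stop.
stop_misbehaving() {
    docker stats --no-stream --format '{{.Name}} {{.CPUPerc}} {{.MemPerc}}' \
        | select_misbehaving "$CONTAINER_PREFIX" "$CPU_LIMIT" "$MEM_LIMIT" \
        | while IFS= read -r name; do
              echo "$(date -u '+%Y-%m-%dT%H:%M:%SZ') stopping $name: over CPU/memory limit" >&2
              docker stop "$name" >/dev/null
          done
}

# Constructed sample of `docker stats` output, used to exercise the selection
# logic without a Docker daemon. The last line is an unrelated container that
# must be left alone even though it is busy.
SAMPLE_STATS='lyrebird_ssh_1 312.55% 41.20%
lyrebird_web_1 3.10% 92.00%
lyrebird_lyrebird_1 0.85% 4.30%
postgres_1 250.00% 10.00%'

# `--dry-run` shows which sample containers would be stopped; `--run` acts on
# live stats. With no argument the script only defines the functions.
if [ "${1:-}" = "--dry-run" ]; then
    printf '%s\n' "$SAMPLE_STATS" | select_misbehaving "$CONTAINER_PREFIX" "$CPU_LIMIT" "$MEM_LIMIT"
elif [ "${1:-}" = "--run" ]; then
    stop_misbehaving
fi
```

Keeping the decision (select_misbehaving) separate from the action (docker stop) lets you test the thresholds against captured stats before pointing the watchdog at a live honeypot; a stopped container also keeps its filesystem, so the attacker's artefacts remain available for analysis.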
There are three awesome ways you can contribute:
- Share Feedback & Data
- Contribute code
- Promote the project: tweet that you are trying it out!
1) Why is it called Lyrebird?
Lyrebirds are notable for their superb ability to mimic natural and artificial sounds from their environment.
If you are interested, this video from BBC wildlife is well worth watching.
2) Isn't this kind of monitoring easy to detect?
Hiding system monitoring is incredibly hard, if not impossible, to pull off.
Put simply, Lyrebird attempts to maximize the insight gained per unit of effort.
3) So you are trusting Docker container isolation?
When using Docker, we recommend running Lyrebird on an isolated throwaway server.
Lyrebird can also be adapted to work with other virtualization systems.