[Figure: STINGARv2 Data Flow]

[Figure: STINGARv2 Architecture]
STINGARv2 Honeypots

STINGAR honeypots run inside a Docker environment on a virtual machine or Linux host. The honeypots consist of two separate containers running together inside their local Docker environment and are configured using a docker-compose.yml configuration file.

The STINGAR honeypot images are built from each honeypot's application source code with a Dockerfile. The honeypot container communicates with a separate, local container called 'fluentbit', which is responsible for securely forwarding the honeypot messages to the remote STINGAR server (which runs the 'FluentD' receiver shown in the architecture diagram above). Honeypots take their settings from a local environment file, stingar-hp.env (see the section on configuring honeypot settings).

The honeypot container image communicates with the fluentbit container over the secure, internal docker network created within the Docker compose configuration.

Building/customizing your own honeypot

To create your own honeypot (or modify an existing honeypot for use with your STINGAR server), you will need to adopt the same message passing protocol to send messages to your remote STINGAR server. STINGAR honeypots support a number of different protocols and are built using a variety of programming languages and architectures to log their output.

Many honeypots offer only a stdout/stderr-style logging mechanism. STINGAR instead uses a 'Fluentd logger' (an 'output plug-in') to communicate with the STINGAR server via the Fluentbit container: the Fluentd output logger sends messages from the honeypot code to the local fluentbit container (named 'fluentbit'), which forwards them to the server.

[Figure: Honeypot detail and STINGAR server]

Language support for Fluentd output logger/plugins

More details on output plugins and their configuration can be found at https://docs.fluentd.org/output

For Python honeypots, use the fluent-logger library (PyPI package fluent-logger, imported as fluent):

from fluent import sender

and create a sender that actually sends the message to the local fluentbit container:

self.sender = sender.FluentSender(app, host=fluent_host, port=fluent_port)

For Go honeypots, import the fluent-logger-golang package (the fluent-bit-go/output package is for writing Fluent Bit plugins and does not provide the fluent.New constructor used below):

import "github.com/fluent/fluent-logger-golang/fluent"

and create the logger:

logger, err := fluent.New(fluent.Config{FluentHost: "fluentbit", FluentPort: 24284})

There are two types of messages sent between the honeypots and the remote STINGAR server: "sensor" and "events".
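The following is an added example, not code from the STINGAR project, showing how a Python honeypot can hand both message kinds ("sensor" and "events") to the local fluentbit container through the fluent-logger FluentSender interface named above. The settings keys FLUENT_HOST, FLUENT_PORT and SENSOR_UUID, the 'stingar' tag prefix and the record field names are assumptions constructed for illustration; the sample stingar-hp.env content is likewise constructed. Because event details (usernames, passwords, commands) are attacker-controlled, the example escapes control characters and bounds field length before the record leaves the honeypot, so a crafted login attempt cannot forge or bloat log lines downstream.

```python
"""
Emitting honeypot records to the local fluentbit container.

Added example, not STINGAR project code. It uses the fluent-logger-python
FluentSender interface, but the settings keys (FLUENT_HOST, FLUENT_PORT,
SENSOR_UUID), the 'stingar' tag prefix and the record field names are
assumptions constructed for illustration.
"""
import time
from typing import Any, Callable, Dict

# Constructed sample of a stingar-hp.env style settings file (not the real one).
SAMPLE_ENV = """# constructed example settings
FLUENT_HOST=fluentbit
FLUENT_PORT=24284
SENSOR_UUID=00000000-0000-4000-8000-000000000001
"""

# Attacker-supplied strings are capped before they leave the container so one
# oversized banner or password cannot balloon the forwarded record.
MAX_FIELD_LEN = 1024


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines, skipping blanks and '#' comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def sanitize(value: Any) -> Any:
    """Neutralise attacker-controlled input: decode bytes leniently, escape
    non-printable characters (a newline in a username must not become a new
    log line downstream) and cap the length. Numbers pass through unchanged."""
    if value is None or isinstance(value, (bool, int, float)):
        return value
    if isinstance(value, bytes):
        value = value.decode("utf-8", errors="replace")
    escaped = "".join(
        ch if ch.isprintable()
        else ("\\x%02x" % ord(ch) if ord(ch) < 256 else "\\u%04x" % ord(ch))
        for ch in str(value)
    )
    return escaped[:MAX_FIELD_LEN]


class StingarEmitter:
    """Builds the two STINGAR message kinds and hands them to an emit callable
    with the FluentSender.emit(label, record) -> bool signature."""

    def __init__(self, emit: Callable[[str, Dict[str, Any]], bool],
                 sensor_uuid: str, app: str,
                 clock: Callable[[], float] = time.time) -> None:
        self._emit = emit
        self.sensor_uuid = sensor_uuid
        self.app = app
        self._clock = clock  # injectable for deterministic testing

    def _base(self) -> Dict[str, Any]:
        return {"app": self.app, "sensor": self.sensor_uuid,
                "timestamp": int(self._clock())}

    def sensor(self, hostname: str, ip: str) -> Dict[str, Any]:
        """'sensor' message: the honeypot announcing itself at start-up."""
        record = dict(self._base(), hostname=hostname, ip=ip)
        self._emit("sensor", record)
        return record

    def event(self, protocol: str, src_ip: str, src_port: int,
              dst_port: int, **details: Any) -> Dict[str, Any]:
        """'events' message: one observed attacker interaction. Keyword
        details are attacker input and go through sanitize()."""
        record = dict(self._base(), protocol=protocol, src_ip=src_ip,
                      src_port=src_port, dst_port=dst_port)
        for key, value in details.items():
            record[sanitize(key)] = sanitize(value)
        self._emit("events", record)
        return record


def make_sender(settings: Dict[str, str]) -> Callable[[str, Dict[str, Any]], bool]:
    """Wrap a real FluentSender (fluent-logger-python) pointed at the local
    fluentbit container; labels become tags 'stingar.sensor' / 'stingar.events'."""
    from fluent import sender  # same library as in the snippet above

    fs = sender.FluentSender("stingar",
                             host=settings.get("FLUENT_HOST", "fluentbit"),
                             port=int(settings.get("FLUENT_PORT", "24284")))

    def emit(label: str, record: Dict[str, Any]) -> bool:
        ok = fs.emit(label, record)
        if not ok:  # fluentbit unreachable or send buffer exhausted
            print("emit failed:", fs.last_error)
            fs.clear_last_error()
        return ok

    return emit


if __name__ == "__main__":
    cfg = parse_env(SAMPLE_ENV)
    hp = StingarEmitter(make_sender(cfg), cfg["SENSOR_UUID"], "demo-hp")
    hp.sensor(hostname="hp-01", ip="10.0.0.5")
    hp.event("ssh", "198.51.100.23", 51234, 22, username="root", password="toor")
```

The emit callable is injected so the record-building and sanitising logic can be exercised without a running fluentbit container; in the honeypot itself, make_sender() supplies the real FluentSender, and a False return from emit is the signal to check that the fluentbit container is reachable over the compose network.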