<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Honeypot :: Tag :: Forensic wheels</title><link>https://polymathmonkey.github.io/weblog/tags/honeypot/index.html</link><description/><generator>Hugo</generator><language>en-us</language><copyright>All text is licensed under a Creative Commons Attribution 4.0 International License.</copyright><lastBuildDate>Wed, 22 Apr 2026 07:09:35 +0200</lastBuildDate><atom:link href="https://polymathmonkey.github.io/weblog/tags/honeypot/feed.xml" rel="self" type="application/rss+xml"/><item><title>Threathunting I: Network setup</title><link>https://polymathmonkey.github.io/weblog/artifacts/threathuntingnet/index.html</link><pubDate>Tue, 08 Jul 2025 09:15:00 +0200</pubDate><guid>https://polymathmonkey.github.io/weblog/artifacts/threathuntingnet/index.html</guid><description>Table of Contents Introduction Why I Built a Home Lab for Threat Hunting 🕵 Network Setup Topology, Hardware and Tools 🛠 Firewall configuration 🧱 Switch configuration What I Learned What's next Introduction This is a small series I wanted to start, where I write about my small threat hunting setup and describe a little of what I built and what I am doing with it.
In this part, I will describe the network setup for my environment; how I built the honeypots and the ELK server I will describe in the follow-up articles about threat hunting.</description></item><item><title>Threat hunting II: SSH Honeypot</title><link>https://polymathmonkey.github.io/weblog/artifacts/theathuntinghoneypot/index.html</link><pubDate>Mon, 29 Sep 2025 07:18:00 +0200</pubDate><guid>https://polymathmonkey.github.io/weblog/artifacts/theathuntinghoneypot/index.html</guid><description>Table of Contents Introduction What is Cowrie? Why Podman over Docker? Preconditions / System setup Ubuntu Installed on Raspberry Pi 4+ System Fully Updated Podman installed and working VLAN Tagging Configured on Network Interface Setup environment, install cowrie as container and adjust configuration 🐧 Create a Dedicated User for Cowrie (No Login Shell) 🐳 Pull and Configure Cowrie with Podman 🛠 cowrie.cfg – Basic Overview 🚀 Run Cowrie Container as ‘cowrie’ User 🎯 Operating the Honeypot 🔄 Automatically Restart Cowrie Podman Container with systemd 🔒 Security Notes Log Forwarding with Filebeat 📦 Install Filebeat on Ubuntu ⚙ Configure and test Filebeat 🚀 Start and Enable Filebeat 🎯 TL;DR – What Did We Just Do? 
What's next Introduction This post provides a brief walkthrough of how to deploy a lightweight, containerized SSH honeypot using Cowrie and Podman, with the goal of capturing and analyzing malicious activity as part of my threat hunting strategy.</description></item><item><title>Threat Hunting III: HTTP Honeypot</title><link>https://polymathmonkey.github.io/weblog/artifacts/honeyhttpd/index.html</link><pubDate>Tue, 21 Apr 2026 08:39:00 +0200</pubDate><guid>https://polymathmonkey.github.io/weblog/artifacts/honeyhttpd/index.html</guid><description>Table of Contents Introduction Architecture Overview Containerizing with Docker Configuration Code Improvements ApachePasswordServer.py ElasticSearchLogger.py Advantages Over the Original Testing Next Steps Summary Introduction I set out to build a honeypot that captures HTTP attack traffic and forwards it directly to Elasticsearch for analysis. Instead of reinventing the wheel, I built on top of honeyhttpd by bocajspear1 and added structured logging, credential extraction, and proper sanitization.
The result is a production-ready honeypot that simulates an Apache server protected by HTTP Basic Authentication, capturing attacker credentials and request metadata in queryable Elasticsearch documents.</description></item><item><title>Sans FOR608</title><link>https://polymathmonkey.github.io/weblog/artifacts/sans_for608/index.html</link><pubDate>Fri, 20 Mar 2026 07:39:00 +0100</pubDate><guid>https://polymathmonkey.github.io/weblog/artifacts/sans_for608/index.html</guid><description>Table of Contents Enterprise Threat Hunting and Incident Response (FOR608) Preparing for the exam: building an index 608.1 – Proactive Detection and Response 608.2 – Scaling Response and Analysis 608.3 – Modern Attacks against Windows and Linux 608.4 – macOS and Docker Containers 608.5 – Cloud Attacks and Response 608.6 – Capstone What I took away from this Enterprise Threat Hunting and Incident Response (FOR608) My employer booked me back in 2025 onto SANS FOR608 in the on-demand version.</description></item></channel></rss>