Conpot Documentation

Release 0.6.0

MushMush Foundation

Oct 16, 2018

 Contents

1 Installation 3
1.1 Virtualenv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Ubuntu 12.04 LTS / 14.04 LTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3 Debian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.4 CentOS installation 7.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.5 Basic Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2 Usage 9
2.1 Example Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2 Customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.3 Human Machine Interfaces (HMI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

3 Development 17
3.1 Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.2 Releasing Conpot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

4 Frequently Asked Questions 21

4.1 Sharing Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

5 Indices and tables 23

i
ii
 Conpot Documentation, Release 0.6.0

Contents:

Contents 1
Conpot Documentation, Release 0.6.0

2 Contents
 CHAPTER 1

Installation

Basics instruction on how to install Conpot

1.1 Virtualenv

A generic way to keep Python installations separate is using virtualenv. This way you can run conpot on your machine
without littering your machine. This guides assumes you have Python 3.5 installed and running on your computer.

1.1.1 Installation

Install dependencies:

apt-get install git libsmi2ldbl smistrip libxslt1-dev python3.5-dev libevent-dev

˓→default-libmysqlclient-dev

Create the virtualenv

virtualenv --python=python3.5 conpot

Activate the environment

source conpot/bin/activate

Upgrade any basic tools in the environment and deps

pip install --upgrade pip

pip install --upgrade setuptools
pip install cffi

Install the table version of Conpot from PyPI:

3
Conpot Documentation, Release 0.6.0

pip install conpot

1.2 Ubuntu 12.04 LTS / 14.04 LTS

1.2.1 Installation

You need to add multiverse to the source, like;

$ sudo vim /etc/apt/sources.list

Add the following line:

deb http://dk.archive.ubuntu.com/ubuntu precise main multiverse
Install dependencies:

sudo apt-get install libmysqlclient-dev libsmi2ldbl snmp-mibs-downloader python-dev

˓→libevent-dev \

libxslt1-dev libxml2-dev python-pip python-mysqldb pkg-config libvirt-dev

The stable version of ConPot can be downloaded from PyPI:

pip install conpot

The development version can be cloned from github:

cd /opt
git clone [email protected]:mushorg/conpot.git
cd conpot
python setup.py install

1.3 Debian

1.3.1 Tested Versions

• 7.2.0 64bit
• 6.0.7 64bit
This was tested on a minimal installation w/o desktop packages.

1.3.2 Installation

Install dependencies:

apt-get install git libsmi2ldbl smistrip libxslt1-dev python-dev libevent-dev

Debian 6 specific

apt-get install python-pip

pip install argparse

4 Chapter 1. Installation
 Conpot Documentation, Release 0.6.0

The package snmp-mibs-downloader is non-free so we have to install the package manually. All dependencies are
covered by installing smistrip. Get the package from here:
wget $package_url
dpkg -i $package_name

Alternatively, add “non-free” to the /etc/apt/sources.list

deb http://ftp.nl.debian.org/debian squeeze main non-free

And do an
apt-get update

followed by
apt-get install snmp-mibs-downloader

The stable version of Conpot can be downloaded from PyPI:

pip install conpot

The development version can be cloned from github - but we need a modified modbus-tk first.
cd /opt
git clone https://github.com/mushorg/modbus-tk.git
cd modbus-tk
python setup.py install
cd ..
git clone https://github.com/mushorg/conpot.git
cd conpot
python setup.py install

1.4 CentOS installation 7.3

Validated to work on CentOS version 7.3-1611 & Conpot 0.5.1 (may also work on other CentOS versions)

1.4.1 1. Login via ssh with an account with sufficient system privileges (e.g root)

1.4.2 2. Upgrade the system

$ sudo yum -y update

1.4.3 3. Install needed packages and libs

$ sudo yum -y install libxslt-devel libxml2-devel python-pip python

$ sudo yum -y install mariadb-server mysql-connector-python.noarch mariadb-devel
$ sudo yum -y install git python-lxml.x86_64 python-devel
$ sudo yum -y groupinstall "Development tools"
$ wget https://bootstrap.pypa.io/get-pip.py && sudo python ./get-pip.py

Upgrade lxml

1.4. CentOS installation 7.3 5

Conpot Documentation, Release 0.6.0

$ sudo pip install -U lxml

1.4.4 4. Start mysql server

$ sudo chkconfig mariadb on

$ sudo service mariadb start

Sugestions to mysql secure installation are to change the root password and accect to removing anonymous users, test
database and disallow root login.

$ sudo mysql_secure_installation

1.4.5 5. CONPOT installation

$ git clone https://github.com/mushorg/conpot

$ cd conpot/
$ sudo python setup.py install

1.4.6 6. Open ports in firewalld : 80 , 102, 161 and 502

$ firewall-cmd --permanent --add-port=80/tcp

$ firewall-cmd --permanent --add-port=102/tcp
$ firewall-cmd --permanent --add-port=161/tcp
$ firewall-cmd --permanent --add-port=502/tcp
$ firewall-cmd --reload

1.4.7 7. Start the Conpot honeypot

$ conpot --template default

1.4.8 8. Check if it’s running and you can access it from remote (in browser)

$ lynx http://YOUR_IP/

1.5 Basic Configuration

Basic configuration options are provided in the default configuration file:

[modbus]
host = 0.0.0.0
port = 502

[snmp]
host = 0.0.0.0
(continues on next page)

6 Chapter 1. Installation
 Conpot Documentation, Release 0.6.0

(continued from previous page)

port = 161

[http]
host = 0.0.0.0
port = 80

[sqlite]
enabled = False

[hpfriends]
enabled = False
host = hpfriends.honeycloud.net
port = 20000
ident = 3Ykf9Znv
secret = 4nFRhpm44QkG9cvD
channels = ["conpot.events", ]

[fetch_public_ip]
enabled = True
url = http://api-sth01.exip.org/?call=ip

Please note that by enabling hpfriends your conpot installation will automatically transmit attack data to The Honeynet
Project. The fetch_public_ip option enables fetching the honeypot public ip address from a external resource.

1.5. Basic Configuration 7

Conpot Documentation, Release 0.6.0

8 Chapter 1. Installation
 CHAPTER 2

Usage

Conpot usage

2.1 Example Usage

You can start conpot by just running it from the commandline.

box$ conpot
2013-04-12 16:09:25,620 Added slave with id 1.
2013-04-12 16:09:25,621 Added block a to slave 1. (type=1, start=1, size=128)
2013-04-12 16:09:25,622 Setting value at addr 1 to [random.randint(0,1) for b in
˓→range(0,128)].

2013-04-12 16:09:25,623 Added block d to slave 2. (type=3, start=40001, size=8)

2013-04-12 16:09:25,623 Conpot initialized using the S7-200 template.
2013-04-12 16:09:25,623 Serving on: ('0.0.0.0', 502)
2013-04-12 16:09:27,141 New connection from 127.0.0.1:61493. (b763654f-c9d8-45ae-b35a-
˓→824dfc220911)

2013-04-12 16:09:27,141 Modbus traffic from 127.0.0.1: {'request_pdu': '0100010008',

˓→'function_code': 1, 'slave_id': 1, 'response_pdu': '010132'} (b763654f-c9d8-45ae-

˓→b35a-824dfc220911)

2013-04-12 16:09:27,142 Modbus traffic from 127.0.0.1: {'request_pdu': '0f0001000801ff

˓→', 'function_code': 15, 'slave_id': 1, 'response_pdu': '0f00010008'} (b763654f-c9d8-

˓→45ae-b35a-824dfc220911)

2013-04-12 16:09:27,143 Modbus traffic from 127.0.0.1: {'request_pdu': '0100010008',

˓→'function_code': 1, 'slave_id': 1, 'response_pdu': '0101ff'} (b763654f-c9d8-45ae-

˓→b35a-824dfc220911)

2013-04-12 16:09:27,144 Client disconnected. (b763654f-c9d8-45ae-b35a-824dfc220911)

9
Conpot Documentation, Release 0.6.0

2.2 Customization

2.2.1 The default profile

Conpot is shipped with a default profile(default.xml) which provides basic emulation of a Siemens S7-200 CPU
with a few expansion modules installed. The attack surface of the default emulation includes the protocols MODBUS,
HTTP, SNMP and s7comm.
While most of the configuration takes place within the XML profile, some parts are kept in seperate folders within the
templates directory to avoid clutter.

Modbus

The <device_info /> section allows to define the device info returned to a Modbus 43 function call.
The <slave /> section allows you to define the slaves. Every slave definition is separated into <blocks />.
An binary output block has the type COILS, binary input blocks DISCRETE_INPUTS. You define the starting address
and size. ANALOG_INPUTS hold data in byte size.
In the <values /> section you take the starting address and fill the field with values. The content is evaluated so
you can easily fill it with random values.

<block name="a">
<!-- COILS/DISCRETE_OUTPUTS aka. binary output, power on/power off
Here we map modbus addresses 1 to 127 to S7-200 PLC Addresses Q0.0 to Q15.7 -
˓→->

<type>COILS</type>
<starting_address>1</starting_address>
<size>128</size>
<values>
<value>
<address>1</address>
<!-- Will be parsed with eval() -->
<content>[random.randint(0,1) for b in range(0,128)]</content>
</value>
</values>
</block>

HOLDING_REGISTERS can be considered as temporary data storage. You define them with the starting address and
their size. Holding registers don’t have any initial value.

SNMP

In the <snmp /> section you define a management information base (MIB). MIBs consist of a <symbol> with a
name attribute, and its <value>.

<symbol name="sysDescr">
<value>Siemens, SIMATIC, S7-200</value>
</symbol>

In the following example we will show how to include other MIBs. As an example we will add the ifNumber symbol
from the IF-MIB. First we have to download the IF-MIB and also the IANAifType-MIB since IF-MIB depends on
this:

10 Chapter 2. Usage
 Conpot Documentation, Release 0.6.0

wget http://www.iana.org/assignments/ianaiftype-mib/ianaiftype-mib
wget ftp://ftp.cisco.com/pub/mibs/v2/IF-MIB.my

Conpot will compile the MIB files automatically, but unless the MIB files are places in the current work directory, you
need to provide a path to the files using the ‘-a’ parameter (The path will be searched recursively for MIB files).:

sudo conpot -t my_custom_template.xml -a /opt/mymibs

Finally add your custom snmp configuration to the template:

<mib name="IF-MIB">
<symbol name="ifNumber">
<value>2</value>
</symbol>
</mib>

The value of the ifNumber symbol (2) implies that there is more than one interface - therefore there might be related
symbols that need identifiers to initialize several instances of a single symbol. To apply an instance id, add the
“instance” attribute to the symbol. Example:

<mib name="IF-MIB">
<symbol name="ifDescr" instance="1">
<value>This is the first interface</value>
</symbol>

<symbol name="ifDescr" instance="2">

<value>This is the second interface</value>
</symbol>
</mib>

If not specified, the default instance (0) is being assumed.

Several symbols feature dynamic values. Conpot can be instructed to deliver dynamic content by adding the engine
definition to the template. Example:

<mib name="SNMPv2-MIB">
<symbol name="sysUpTime">
<value>0</value>
<engine type="sysuptime"></engine>
</symbol>
</mib>

The example above always responds with the time in milliseconds since conpot was initialized.
Currently, the following engine types are implemented:
• increment Increments the value each time it is requested. Default incrementor: 1, resetting to initial value at
2147483647. Modified example: <engine type=”increment”>1:100</engine> ( => increment by 1, reset
at 100 )
• decrement Decrements the value each time it is requested. Default decrementor: 1, resetting to initial value at
-2147483648. Modified example: <engine type=”decrement”>1:0</engine> ( => decrement by 1, reset at
0)
• randominc Randomly increments the value each time it is requested. Default incrementor
range: 1-65535, resetting to initial value at 2147418112. Modified example: <engine
type=”randominc”>1:100:999</engine> ( => increment by rand(1,100), reset at 999 )

2.2. Customization 11
Conpot Documentation, Release 0.6.0

• randomdec Randomly decrements the value each time it is requested. Default decrementor range: 1-
65535, resetting to initial value at -2147418113. Modified example: <engine type=”randomdec”>1:100:-
999</engine> ( => increment by rand(1,100), reset at -999 )
• randomint Randomly assigns an integer. Default range: 1-65535. Modified example: <engine
type=”randomint”>1:100</engine> ( => assign a random integer between 1 and 100 )
• sysuptime Assigns the current uptime of the conpot process measured in milliseconds. Modified example:
<engine type=”sysuptime”></engine> ( => additional value will be used as a head-start )
• evaluate Assigns the result of value evaluated as python code ( eval ). Modified example: <engine
type=”evaluate”>random.randrange(0,100,10)</engine> ( => assign a random int between 0 and 100 in
steps of 10 )
• static Do not assign any value. This is default of no <engine> field is supplied and will always deliver the initial
value.
The SNMP interface can be configured to adjust its behaviour by adding the corresponding configuration directives to
the config area inside the snmp block:

<config>
<!-- Configure individual delays for SNMP commands -->
<entity name="tarpit" command="get">0.1;0.2</entity>
<entity name="tarpit" command="set">0.1;0.2</entity>
<entity name="tarpit" command="next">0.0;0.1</entity>
<entity name="tarpit" command="bulk">0.2;0.4</entity>

<!-- Configure DoS evasion thresholds (req_per_ip/minute;req_overall/minute) -->

<entity name="evasion" command="get">120;240</entity>
<entity name="evasion" command="set">120;240</entity>
<entity name="evasion" command="next">240;600</entity>
<entity name="evasion" command="bulk">120;240</entity>
</config>

The tarpit section slows down the delivery of SNMP responses. This is used to simulate slower devices that
would not respond to SNMP requests in a fraction of a second. The tarpit value should be specified in seconds and
milliseconds, using one or two floats. A single float, e.g. “3.5”, would introduce 3.5 seconds of delay before the
requested OID is delivered to the client. A pair of floats separated by a semikolon, e.g. “0.1;1.2”, would introduce a
random delay between 0.1 and 1.2 seconds, that is randomized every time an OID is requested.
Tarpits are configured individually for each type of request (get, set, next, bulk). If the corresponding request type is
not configured, answers are generated instantly.
The evasion feature is used for security reasons. Due to the fact that SNMP uses UDP for transport, it is prone to
address spoofing. Since SNMP responds to rather small requests with responses that contain bigger payloads, conpot
could be used as a relay for traffic amplification attacks.
In order to avoid (or at least mitigate) such attacks, the evasion feature has been introduced. For each request type an
individual threshold can be applied, consisting of two integers which are separated by a semikolon. As an example,
the evasion value “100:200” for get requests results in the following restrictions to be applied:
• First Integer (100) Specifies the number of requests allowed per IP per minute. As soon as the number of
requests / ip within 60 seconds exceeds the configured amount (e.g. 100), all subsequent requests will be
discarded until the number of requests by this IP address drops under the limit.
• Second Integer (200) Specifies the number of requests allowed overall / minute. “Overall” in this context
means: Requests of the respective command. In this example, as soon as the total number of get requests
within 60 seconds exceeds the configured amount (e.g. 200), all subsequent get requests, regardless of the
senders IP address, will be discarded until the number of get requests drops under the limit.

12 Chapter 2. Usage
 Conpot Documentation, Release 0.6.0

Keep in mind that snmpwalks are in fact a large number of next requests, while bulk requests may contain several
answers within one reply. Therefore, the evasion limits for next should be chosen more generous while the limits for
bulk requests should be kept rather conservative due to its risk of being abused for traffic amp attacks.

HTTP

In the <http> section, you may configure the characteristics of the web server we designed for conpot, as well as
each website and resource with its respective headers and behaviour. Last but not least, you can also control how and
when error codes and their respective error pages are delivered.
Let us talk about the global http configuration first:

<global>
<config>
<!-- what protocol shall we use by default? -->
<entity name="protocol_version">HTTP/1.1</entity>
<!-- if we find any date header to be delivered, should we update it to a
˓→real value? -->

<entity name="update_header_date">true</entity>
<!-- should we disable the HTTP HEAD method? -->
<entity name="disable_method_head">false</entity>
<!-- should we disable the HTTP TRACE method? -->
<entity name="disable_method_trace">false</entity>
<!-- should we disable the HTTP OPTIONS method? -->
<entity name="disable_method_options">false</entity>
<!-- TARPIT: how much latency should we introduce to any response by default?
˓→-->

<entity name="tarpit">0</entity>
</config>

<!-- these headers will be sent with each response -->

<headers>
<!-- this date header will be updated, if enabled above -->
<entity name="Date">Sat, 28 Apr 1984 07:30:00 GMT</entity>
</headers>
</global>

The comments along with each configuration item should provide enough information to understand what its actually
doing. Use the disable_method items to reflect the features actually provided by the real thing you’re trying to
resemble. If you choose to disable the update_server_date feature, the Date header will remain untouched
and deliver a static response each time a website is requested.
The headers section found within the global configuration stanza is added to each and every page that is being
delivered. Though, it will be overwritten by headers defined for individual resources if they are featuring the same
header name.
The tarpit section slows down the delivery of the web page. This is used to simulate slower devices that would not
deliver websites in a fraction of a second. The tarpit value should be specified in seconds and milliseconds, using one
or two floats. A single float, e.g. “3.5”, would introduce 3.5 seconds of delay before the requested page is delivered
to the browser. A pair of floats separated by a semikolon, e.g. “0.1;1.2”, would introduce a random delay between 0.1
and 1.2 seconds, that is randomized every time the resource is requested.
Let us head over to the htdocs area:

<!-- how should the different URI requests be handled -->

<htdocs>
<node name="/">
(continues on next page)

2.2. Customization 13
Conpot Documentation, Release 0.6.0

(continued from previous page)

<!-- force response status code to 302 -->
<status>302</status>
<headers>
<!-- these headers will be sent along with this response -->
<entity name="Content-Type">text/html</entity>
<entity name="Location">/index.html</entity>
</headers>
</node>
</htdocs>

Here we do all the configuration that allows conpot to deliver individual files. The HTTP engine will never try
to deliver a file that is not defined by a <node name=”$filename”> stanza, resulting in additional security against
directory traversal attempts etc.
The example above shows the entry point, which is requested by web browsers if just the domain or ip address, but no
web page has been specified by the user (Example: http://www.my-honeypot.com/ ).
Node names must be specified using absolute paths, starting from the web root ( “/” ). By default, requests that can be
served because they address paths specified here, will be answered with status code 200 (OK). If you want to return
an individual status code, you can use the <status>$statuscode</status> configuration item. The example
above shows the usage of status 302, which redirects the browser to another resource. In our case, this is “/index.html”.
All headers found within the <headers> section are appended to the headers found in the headers section we defined
in the global configuration block before. As mentioned before, duplicated header will be replaced with the most
specific one.
Requests for resources that are not specified within the XML, as well as requests that are specified but can not be
handled since the respective file can not be found within the template folder on the filesystem, will be answered with
a 404 (Not found) status response.

<node name="/index.html">
<!-- this tarpit will override the globally set tarpit for this node -->
<tarpit>0.0;0.3</tarpit>
<headers>
<entity name="Last-Modified">Tue, 19 May 1993 09:00:00 GMT</entity>
<entity name="Content-Type">text/html</entity>
<entity name="Set-cookie">path=/</entity>
</headers>
</node>

The root node ( “/” ) instructed the browser to redirect the user to “/index.html”. This configuration stanza shows few
entities we already know, along with an additional <tarpit> item, which works the same way as the tarpit entity
from the global section and replaces the global tarpit for this resource.

<node name="/index.htm">
<!-- this node will inherit the payload from the referenced alias node without
˓→telling the browser -->

<alias>/index.html</alias>
</node>

For added flexibility, we also introduced a way to configure aliases. Using the comfort of aliases, you can instruct
conpot to act on behalf of another (already configured) resource without needing to define all the configuration items
again. The example above uses the alias feature to answer to requests for “/index.htm”, even though the real resource
name is “/index.html”.
Please note that the browser will not be aware of this internal translation, since the alias is resolved by conpot itself.
Further, you can’t point to another alias, since (to prevent recursions) only one alias-level is being resolved.

14 Chapter 2. Usage
 Conpot Documentation, Release 0.6.0

<node name="/some_chunked_file.html">
<!-- this feature controls chunked transfer encoding -->
<chunks>130,15,30,110</chunks>
</node>

Dynamic pages are often delivered using chunked transfer encoding rather than content length encoding since the web
server might not know how big the actual content he delivers might get while dynamic content is being created. The
<chunks> directive enables chunked transfer encoding, delivering the website in several parts instead of a whole big
stream of data.
The configuration above shows a page that is delivered in 4 chunks which are 130, 15, 30 and 110 bytes in size. If you
happen to specify too less bytes and the page to be delivered happens to be larger than what you configured, conpot
will not truncate your file but append a final chunk that includes all the missing bytes that complete the request.
Chunks are sent subsequently, at the moment there is no tarpit applied between them.

<statuscodes>
<status name="400">
<!-- 400 (BAD REQUEST) errors should be super fast and responsive -->
<tarpit>0</tarpit>
<entity name="Content-Type">text/html</entity>
</status>
</statuscodes>

Status codes are specified the same way like htdocs, but instead of their absolute path, the status code itself is used to
identify the resource. Status codes support all the features we know from the htdocs described before, but they can not
be aliased to htdocs and vice versa.

<node name="/redirected-page">
<!-- this page is redirected to another web server -->
<proxy>10.0.0.100</proxy>
</node>

Requests to this page / resource will be forwarded to another webserver. Since conpot spawns the request to this
webserver, the feature is similar to a backproxy - the web browser will not notice any difference since conpot delivers
the resulting web page to the requesting client on behalf of the server that generated the content in first place.
This feature can also be applied to status codes. For example, if the proxy directive is applied to status code 404 (Not
Found), all requests that can not be handled by conpot itself are secretly forwarded to another system, which might be
the real device for higher interaction setups. If no resources other than the 404 status, are configured, this results in
each and every request to be forwarded to the other webserver on behalf of the client. This way, conpot can act similar
to a terminating honeywall in higher interaction setups for the HTTP protocol.

2.3 Human Machine Interfaces (HMI)

2.3.1 The default HMI

Yes, Conpot comes with a default ‘HMI’. If you run Conpot with the default configuration and no additional parame-
ters, it will serve the default page on port 80. The default page is just a plain text file which gets the ‘sysDescr’ from
the SNMP server. For example:

System is running: Siemens, SIMATIC, S7-200

2.3. Human Machine Interfaces (HMI) 15

Conpot Documentation, Release 0.6.0

2.3.2 Creating your own HMI

Manual HMI creation

The probably most painless way to customize your HMI is by modifying the default page. If you don’t want to mess
with the default files (‘recommended’) you can create a directory holding a custom index.html. In order to use the
custom HTML page you have to start Conpot with the following parameters:

# conpot -w <your new directory> -r <root page>

For example:

# conpot -w www/ -r index.html

We use jinja2 as template engine. Please refer to the default HMI template (conpot/www/index.html) for a
minimal example.

Crawling an existing HMI

We recommend to use the crawler only against your own applications! Usage on your own risk. Improper usage will
most likely damage the system.
In case you have access to a HTML HMI you can use to crawler to create a copy that’s compatible with Conpot’s
HTTP server.

# hmi_crawler --target http://<taget_domain> --www <target_dir>

# hmi_crawler -t http://localhost:80 -w dump/

This will dump a copy of the target web content into www. If you run Conpot now:

# conpot -w dump/ -r index.html

It will server the dumped web page as HMI.

16 Chapter 2. Usage
 CHAPTER 3

Development

Basics on how to develop Conpot

3.1 Guidelines

3.1.1 Developers Guide

Indentation

• We are using 4 tab-spaces

• No one line conditionals

Style

• We obey to the PEP8

Copyright

• If you are adding a file/code which is produced only by you, feel free to add the license information and a notice
who holds the copyrights.

Environment

• PyCharm is recommended.

17
Conpot Documentation, Release 0.6.0

Recommended git workflow

For contributors

0, You can do this step when you are on master, or feature_branch, anytime there are new commits in original project.
Just one-time add of remote:

git remote add mushorg https://github.com/mushorg/conpot.git

And rebase:

git fetch mushorg

git rebase mushorg/master feature_branch

This way, your feature_branch or master will be up-to-date.

1, For every feature, create new branch:

git checkout -b feature_branch

2, State what you do in commit message.

When you create pull request and get review, it is recommended to edit your original commits.
3a, If you want to change the last commit:

(make some changes in files)

git add file1 file2
git commit --amend

3b, If you want to change any of your previous commits:

git rebase -i HEAD~3 (can be HEAD~4, depends which commit you want to change, or you
˓→can type hash of previous commit)

change “pick” to “e”:

e e88a2f1 commit 1
pick bfd57e4 commit2

and save.

(make some changes in files)

git add file1 file2
git rebase --continue

Warning: Do not use ‘git commit’ in rebase if you don’t know what you are doing.
4, Look at your changes, and git force push to your branch:

git push -f feature_branch

5, Comment in pull request to let us know about your new code.

For maintainers

To avoid additional Merge commits, use cherry-pick:

18 Chapter 3. Development
 Conpot Documentation, Release 0.6.0

git checkout master

git remote add user https://github.com/user/conpot.git
git fetch user
(look at 'git log user/feature_branch')
git cherry-pick commit_hash
git push origin master
git remote rm user

Comment on pull request that you added it to master, and close pull request.
This approach is usefull for majority of pull requests (1-3 commits).
If you expect conflicts (a lot of commits in feature branch with a lot of changes) you can use GitHub Merge button.
Revert will be easier too.
Conflicts should not happen, if feature branch is rebased on current master.

3.2 Releasing Conpot

3.2.1 Update Readme

Update the README with the sample output and the new version.

3.2.2 Update Changelog

Update the Changelog.txt in the root folder with the changes since the last release.

3.2.3 Update Conpot version

Update conpot/__init__.py so it contains the new version string.

3.2.4 Check Tests

Make sure all tests are passing:

nosetests

3.2.5 Tagging and Pushing

Commit all the changes you want to have in the tag.

git tag -a Release_x.y.z -m 'release x.y.z'

git push origin --tags

Travis CI has been configured to deploy when it encounters a tag matching the regex:

^Release_\d{1,}\.\d{1,}\.\d{1,}

3.2. Releasing Conpot 19

Conpot Documentation, Release 0.6.0

Mess ups

If you fucked up a tag, you can fix it using the following procedure:
Renaming:

git tag new_tag old_tag

Delete the old tag:

git tag -d old_tag

Delete the old tag on remote:

git push origin :refs/tags/old_tag

3.2.6 Release

Build the package:

python setup.py sdist

Get the PKG-INFO from the .tgz in dist/package.tgz Create new release on PyPI and add PKG-INFO to new release.
Upload the .tgz

Update the documentation:

./docs/update-site.sh

20 Chapter 3. Development
 CHAPTER 4

Frequently Asked Questions

4.1 Sharing Data

With whom do we share?

Everyone who is interested and potentially shares data, results or helps improving the tool.
What’s the data volume?
Conpot has build-in support for HPFeeds, a generic data sharing protocol we are using in the Honeynet Project. This
means that potentially we are going to get all the data from every sensor with HPFeeds enabled.
Right now there is only a very small number of deployed sensors. HPFeeds is not enabled by default and probably
nobody is using a HMI to attract adversaries yet. So if you are lucky you will see an event every other day. We know
that with a HMI the traffic will be significantly higher as your sensor will be found using search engines.
What is the data format?
Raw data in JSON formatting.
How do I get the data?
There is a Python client which uses the HPFeeds library. About 40 lines of code. From there it’s quite easy to write
the data to a database. You can find an explanation on how it works here.
What do I have to do?
If you want to have access to the Conpot data, you have to create a HPFriends account. As soon as you accept the
share, you can create an authkey. You can modify the client with the auth keys credentials. The client should be self
explaining. You can extend the client so it fits your needs (e.g. logging to a database).
How do I test this?
As soon as you have Conpot set-up it should be easy to create some traffic for testing.

21
Conpot Documentation, Release 0.6.0

22 Chapter 4. Frequently Asked Questions

 CHAPTER 5

Indices and tables

• genindex
• modindex
• search

23