Posts: 4
Comments: 18
Joined: 4 days ago

  • Hey! I just released a hotfix for the Hub to polish the deployment UX and make some minor UI improvements. While I was at it, I took the chance to add the events export feature you requested. It is now possible to download event logs straight from the events table in the dashboard view. Let me know what you think!

  • That explains it. I still find it weird that the hub was crashing too, but the issue is now solved either way. I just released a hotfix for the sensor. I also released a hotfix for the hub to polish deployment UX and fix a minor issue with sensor updates. I recommend you run 'docker compose up -d --pull always hub' to update the hub, and you should be able to update the sensor from the hub if you haven't already.

    Thanks for the help!

  • Thank you so much for the additional info. Since you used the wizard, this shouldn't have happened at all. Can I also ask what port you originally had the hub on?

    Bumping up the port won't cause any issues at all! It is what the wizard should have done once it realized the port was already in use. You can run the decoys on any ports you want as long as they are not already bound to that host. I'm glad to hear everything else worked as intended and that the Firedrill successfully triggered your notifications.

    I have already found the issue and I'm pushing a hotfix for the TCP tarpit sensor right now. Your feedback was very helpful!

    Since you've got it running, I'd love to use this opportunity to get your thoughts on the sensor updating process whenever you get a chance to try it.

  • I see, I get your feelings about GitHub. I checked out your post and it really is an annoying problem. I'll see what I can do for you and others who can't access GitHub. For now, anyone who has trouble accessing GitHub, please feel free to either reach out right here on this post, or via email at info@honeywire.dev.

    As for the issue, it would be great if you could provide a little more information about your deployment. Did you use the setup wizard, or did you go with a manual deployment? What does your compose file look like? (It will be located at /opt/honeywire/sensors/honeywire-compose.yml if you used the setup wizard).

    The setup wizard is built to prevent you from applying a conflicting config to the node, so this is either a bug with the wizard's environment checks, or a manual deployment that happened to use conflicting ports.

    The containers crashing and only showing logs from the last start is definitely interesting behavior. My best guess until I see the config and deployment type is that the Docker daemon hit a fatal error on the port collision, panicked, and kept restarting the containers, forcing the previous logs to clear as well.

  • Well, you could use it for blue team simulations I guess, but not really. It is a deception platform, meaning it is a tool used to deploy micro honeypots, or as I like to call them, tripwires, that report back to the hub as soon as they are tripped. Since these tripwires offer no real services or value, every interaction with them is pretty suspicious, meaning that if something, for example, tries to poke around a server that has been deployed with HoneyWire tripwires, it will report back to the hub with information about what interacted with it, when, where, and what was done. Check the project's official website for more details: https://honeywire.dev/ You can also check out the concept of Canaries on Thinkst Canary's website; I think they do a great job explaining the idea: https://canary.tools/.

  • Hi, thanks for the report! I understand wanting to avoid GitHub, I'll consider alternatives! But for now GitHub is the most convenient for the project.

    Could you provide details about the environment you are deploying in and what your honeywire-compose.yml file generated by the hub looks like?

    I'd love to look into your specific edge case. It would be awesome if you could provide info that would help me debug it!

    You could try to run the 'docker logs hw-sensor-tcp-tarpit' command and see if it shows any useful info about the crash.

    Are you deploying the sensors on the same host as the hub? If so, what ports are you running the TCP tarpit sensor on and what port is the hub running on?

    The Tarpit sensor crashing is strange, but the Hub crashing too is a huge red flag that I need to fix; a dead sensor should never take down the main Hub!

  • Thanks for the feedback! Not quite, but I get the skepticism with how many low-effort vibecoded projects are launching right now! I'd love for you to take a look at the project (or my other projects). I'm not a vibe coder, and I'm not new at coding at all. This project is 3 months old and, as you can see from the commit history, I've been consistently fixing things and adding new features to it since it first launched. This is the v2.0 release; there were other releases before over the course of the last few months. This update in particular is a Security and UX update focused on improving supply chain security and deployment friction. Feel free to check out the changelogs for a closer look at the changes: https://github.com/andreicscs/HoneyWire/blob/main/CHANGELOG.md

    I'm sharing this tool because it fixed a personal problem, and I noticed many others had the same feelings regarding available deception technology options, especially in OSS.

  • Sysadmin @lemmy.world

    HoneyWire: Open-source, zero-agent cyber canaries for your LAN (Thinkst/OpenCanary alternative)

  • Hey, creator of HoneyWire here! Wow, thank you so much for sharing this, digicat!

    I built this because I wanted high-fidelity network canaries in my lab but hated enterprise pricing and didn't want to manage persistent background orchestration daemons across all my hosts to make other OSS alternatives work.

    To give a quick breakdown for the blue team here: it uses a point-in-time CLI wizard to deploy hardened, distroless Docker traps, and then the setup agent completely exits. It's got a centralized UI with fleet management, built-in SIEM forwarding and push notifications. Thanks to the UI fleet management and setup wizard CLI tool, it takes less than 60 seconds to deploy sensors on a new node.

    I'd love to hear what this community thinks of the architecture!

  • Glad to hear it fits your home network use case! I'd love to know how your deployment goes. Please feel free to drop any feedback (good or bad) once you get it running!

    To answer your questions:

    Each sensor decoy image is under 5MB, built as a distroless container running a single, statically compiled Go binary. I built it to hopefully be compatible with any hardware you may have available.

    There is currently no way to export event logs, I'll add that to the todo list!

    Thanks so much for taking the time to check out the codebase and ask these!

  • Open Source @lemmy.ml

    HoneyWire: Open-source, zero-agent cyber canaries for your LAN (Thinkst/OpenCanary alternative)

  • I appreciate the feedback and the 2p! I definitely don't take it personally. I completely understand the skepticism around AI in this community, which is why I don't hide it. At the end of the day, the core engine, the distroless container architecture, and the threat model were entirely engineered by me. HoneyWire is fully open-source and transparent, so anyone is welcome to audit the codebase. I also have several other public, non-AI projects on my GitHub if anyone wants to vet my background. But fair point, I'll make sure to be more upfront about using it as a scaffolding tool in future posts.

  • No issue, that's a completely fair question. Yes, AI was used as an accelerator for writing boilerplate code, scaffolding the initial UI layout, and helping me structure the documentation. However, the core security logic, container architecture, and threat model were entirely designed and verified by me. I have about 8-9 years of software development experience. While HoneyWire is my first major public release, it's the culmination of years of building internal tools, network utilities, and lab environments.

    Because security is the primary focus, I deliberately designed the architecture to minimize risks. I highly encourage you to review the source code on GitHub; I'd be happy to receive feedback about the architecture or any threat-modeling critiques!

  • AI Disclosure: As a student and solo developer/maintainer, I used AI as a "junior dev" during project development to help accelerate boilerplate writing and documentation. All core architecture, system structure, and security logic were fully designed and implemented by me.

  • That's exactly how it works. You deploy these low-interaction decoys (traps) across your internal network to act as tripwires. Since legitimate users have no reason to touch them, any interaction is a high-fidelity alert indicating a potential breach or lateral movement. Right now, you can spin up a few different types of traps, like a network scan detector that sits completely quietly and triggers an alert if it detects a port or network scan hitting that specific node, or a Web Router Login Page that looks like a legacy admin interface and instantly alerts you if someone tries to brute-force or log in. The best part about HoneyWire's architecture is that developing new sensors is the easiest part, so the ecosystem is designed to be highly extensible as the community grows.

  • Cybersecurity @sh.itjust.works

    HoneyWire: An open-source, agentless cyber canary builder platform for detecting lateral movement

    Selfhosted @lemmy.world

    HoneyWire: Open-source, zero-agent cyber canaries for your homelab (Thinkst/OpenCanary alternative)