T-Pot installation types

[ScorpionKing34]

Dear developers,

I am doing research on honeypots and how to use them for building sensor rules to detect attacks and to graduate from University Business IT. I like to use T-Pot in a Proof of Concept environment. You wiki is easy to follow but I am trying to figure out what the goal/ purpose of each installation type is, but the wiki/readme does not provide the answer what I looking for. Can you please tell me what the goal/ purpose of the installation types is:

• Standard
• Sensor
• Industrial
• Collector
• NextGen
• Medical

I see which tools are being use by different installation type.
I hope to get an answer before 2 march. In the meantime I will search the internet for possible answer.

With kind regards from,
ScorpionKing34

[ehnwebmaster]

Here's all the info:
https://github.com/telekom-security/tpotce#installation-types

But I understand that for newbies is too much information and not everything is explained. T-Pot is really great but is "big" because is using a lot of honeypots types, that'ts why they let choose us wich do you want to run. Or wich services are you able to open ports and expose to internet (in case you're behind a router).

The different installation types just varies the honeypots are used.

Standard (8GB RAM) and Sensor (4GB) are pretty the same honeypots (just varies honeypy), but "sensor" doesn't show up the results via web gui (ELK: Elastic Search, Logstach and Kibana) for that reason requieres half RAM. And doesn't include two "extra" tools cyberchef and spiderfoot (those are not honeypots). Kibana is really nice graphic - interface, but consumes too much resources and ram, just depends the hardware (cpu, ram, disk) you can afford (no matter if is real hardware, virtual machine, etc).

Nexgen is exactly the same but uses glutton

Once installed, you can change the version (installation type) at any time runing:

sudo /opt/tpot/bin/tped.sh

Here is a list with the ports used byt every honeypot:

name (honeypot) --> port (service) tcp/upd

cowrie --> 22 (ssh) -23 (telnet) tcp
mailoney --> 25 (smtp) tcp
snare (tanner) --> 80 tcp
citrixhoneypot --> 443 tcp
rdpy --> 3389 (rdp) tcp
dionaea --> 445 tcp (samba), 69 udp (tftp), 135 (rpc), 3306 (MySQL), 21 (ftp), 81, 1433 (SQL)
heralding --> 110 (pop), 143 (imap), 993 (imaps), 995 (pop3s), 1080 (socks5), 5432 (PostgreSQL), 5900 (vnc)
adbhoney -> 5555 (tcp)
dicompot --> 11112
ciscoasa --> 5000/udp 8443 (tcp)
Conpot IEC104 --> 161 udp (snmp) and 2404
Conpot guardian_ast --> 10001
Conpot ipmi --> 623 (udp)
Conpot kamstrup_382 --> 1025 and 50100
HoneySAP --> 3299
Medpot --> 2575

Hope this helps.

[ScorpionKing34]

Thanks for the information, but I am trying to find out why en when you should use Standard, Sensor, Industrial, Collector, NextGen and Medical installations. after every installation must be an idea behind it? For example, is the goal of Sensor installation to detect only attacks? or does it provide other goals?

With this information I can give well-founded advice to install and use a type of honeypot in mine report.
I'll hope to hear from you soon and thanks for your time and effort.

[t3chn0m4g3]

Migrated this to discussions, since not an issue.

[ScorpionKing34]

Thx for migrated to discussions, I'll hope to get soon a good answer.

[lcia-projects]

@ScorpionKing34 it really depends on what your goals are..
each tpot install type is a little different. which one you use will determine the kinds of information you get back.. and what you plan to do with that data.

"standard" and "nextgen" are kinda the "kitchen sink" approach to honeypots.. they basically collect everything.. the downside to these is they "look" and "feel" like honeypots to any hacker with any skill at all. if all you are trying to gather is botnets, viruses, worms, and automated attacks.. these are great.. If you want to get someone behind a computer ( a hacker) to really go after your machine, you have to make it look a little less like a honeypot/trap. Thats harder to do.

But i'd start with standard or nextgen just to get comfortable with the system.. and learn what kinds of data you can recieve.. then go from there.