HTTP Honeypot Enterprise Community
The HTTP service serves web skins (login pages, admin portals, APIs) and logs every request. Credentials arrive via HTML forms, SOAP bodies, or HTTP Basic Authentication.
Enterprise configuration
Configure from Trapsters → device → Services → HTTP or HTTPS:
| Parameter | Description |
|---|---|
port | Listen port |
skin | Web template (IIS, FortiGate, GitLab, Tomcat, etc.) |
basic_auth | When on, send a Basic Auth challenge; log credentials; never grant access (no accept credentials in Enterprise) |
What gets captured
Every request logs source IP, method, path, headers, skin name, and status code.
| Event | When |
|---|---|
| Request received | Typical GET/HEAD requests, or 401 challenge with no credentials |
| Login attempt | POST/PUT/PATCH with body, or Basic Auth credentials in Authorization |
Login events include extracted username and password from form fields and SOAP/XML credential tags.
Community configuration
"http": [
{
"port": 8080,
"skin": "default_apache",
"basic_auth": false,
"username": null,
"password": null
}
]Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
port | integer | (required) | TCP port |
skin | string | default_apache | Skin under trapster/data/http/ |
basic_auth | boolean | false | Require HTTP Basic Authentication before serving the skin |
username | string | null | Community only. Expected username when basic_auth is true |
password | string | null | Community only. Expected password when basic_auth is true |
When basic_auth is on without username / password, every attempt is logged and denied (same as Enterprise). Set both to accept a known pair and reach the skin - useful with demo_api or demo_ai in lab setups only.
Community skins
| Skin | Use |
|---|---|
default_apache | Apache default page |
default_nginx | Nginx welcome page |
fortigate | FortiGate login |
demo_api | Simple REST API decoy |
demo_ai | Research. AI-generated responses (optional AI dependencies) |
Custom skins live in trapster/data/http/<skin>/ with config.yaml, files/, and templates/. Endpoints can include an ai: prompt block. See HTTP Templates.
The default HTTPS config serves a FortiGate login page. A successful login POST produces a log like:
{
"device": "trapster-1",
"logtype": "https.login",
"dst_ip": "127.0.0.1",
"dst_port": 8443,
"src_ip": "127.0.0.1",
"src_port": 45182,
"timestamp": "2025-02-28 18:53:18.498008",
"extra": {
"method": "POST",
"target": "/logincheck",
"username": "admin",
"password": "admin"
}
}Research: AI responses
Community Edition can use the demo_ai skin or ai: routes in custom skins. These patterns are easier to fingerprint as honeypots - treat them as research tooling, not production deception.
Multiple HTTP services
"http": [
{ "port": 80, "skin": "fortigate" },
{ "port": 8080, "skin": "tomcat", "basic_auth": true }
]Port 80 serves the FortiGate HTML login form. Port 8080 mimics a Tomcat-style endpoint behind Basic Auth (log every attempt, deny all in Enterprise).
