Skip to content

HTTP Honeypot Enterprise Community

The HTTP service serves web skins (login pages, admin portals, APIs) and logs every request. Credentials arrive via HTML forms, SOAP bodies, or HTTP Basic Authentication.

Enterprise configuration

Configure from Trapsters → device → Services → HTTP or HTTPS:

ParameterDescription
portListen port
skinWeb template (IIS, FortiGate, GitLab, Tomcat, etc.)
basic_authWhen on, send a Basic Auth challenge; log credentials; never grant access (no accept credentials in Enterprise)

What gets captured

Every request logs source IP, method, path, headers, skin name, and status code.

EventWhen
Request receivedTypical GET/HEAD requests, or 401 challenge with no credentials
Login attemptPOST/PUT/PATCH with body, or Basic Auth credentials in Authorization

Login events include extracted username and password from form fields and SOAP/XML credential tags.

Community configuration

json
"http": [
  {
    "port": 8080,
    "skin": "default_apache",
    "basic_auth": false,
    "username": null,
    "password": null
  }
]

Parameters

ParameterTypeDefaultDescription
portinteger(required)TCP port
skinstringdefault_apacheSkin under trapster/data/http/
basic_authbooleanfalseRequire HTTP Basic Authentication before serving the skin
usernamestringnullCommunity only. Expected username when basic_auth is true
passwordstringnullCommunity only. Expected password when basic_auth is true

When basic_auth is on without username / password, every attempt is logged and denied (same as Enterprise). Set both to accept a known pair and reach the skin - useful with demo_api or demo_ai in lab setups only.

Community skins

SkinUse
default_apacheApache default page
default_nginxNginx welcome page
fortigateFortiGate login
demo_apiSimple REST API decoy
demo_aiResearch. AI-generated responses (optional AI dependencies)

Custom skins live in trapster/data/http/<skin>/ with config.yaml, files/, and templates/. Endpoints can include an ai: prompt block. See HTTP Templates.

The default HTTPS config serves a FortiGate login page. A successful login POST produces a log like:

json
{
  "device": "trapster-1",
  "logtype": "https.login",
  "dst_ip": "127.0.0.1",
  "dst_port": 8443,
  "src_ip": "127.0.0.1",
  "src_port": 45182,
  "timestamp": "2025-02-28 18:53:18.498008",
  "extra": {
    "method": "POST",
    "target": "/logincheck",
    "username": "admin",
    "password": "admin"
  }
}

Research: AI responses

Community Edition can use the demo_ai skin or ai: routes in custom skins. These patterns are easier to fingerprint as honeypots - treat them as research tooling, not production deception.

Multiple HTTP services

json
"http": [
  { "port": 80, "skin": "fortigate" },
  { "port": 8080, "skin": "tomcat", "basic_auth": true }
]

Port 80 serves the FortiGate HTML login form. Port 8080 mimics a Tomcat-style endpoint behind Basic Auth (log every attempt, deny all in Enterprise).