
Detection Modules

Trapster emulates network services attackers probe during reconnaissance and lateral movement. Connection and login attempts are logged; credential submissions are captured when the protocol supports it.

Enterprise

Configure services from the dashboard:

  1. Open Trapsters and select a device
  2. Go to the Services tab
  3. Add or edit services

From each service row you can also Generate breadcrumb to create a decoy tied to that Trapster. See Breadcrumbs.

Enterprise Trapsters can also run background plugins (port scan and LLMNR detection) from the device Settings tab. See Plugins.

VM-only features

Port scan detection and some services are only available on VM deployments. See Trapsters: deployment constraints.

Community Edition

Trapster Community is a free, open-source honeypot you can run on any Linux machine. It emulates common network services and logs every connection and credential attempt it receives.

There is no dashboard. Events are printed to the terminal by default, or forwarded to a file, API, or Redis if you configure a logger. For a managed dashboard, SIEM integrations, breadcrumbs, and honeytokens, see Trapster Enterprise.

Install and run

bash
python3 -m venv venv
source venv/bin/activate
pip install trapster

Configuration wizard

bash
bash scripts/trapster-wizard.sh
python3 main.py -c ./trapster.generated.conf

The wizard walks through global settings, interface selection, service selection with port customization, and logger output, then writes ./trapster.generated.conf.

Privileged ports

The default ports are well-known ports (21, 22, 80, and others), which need elevated privileges to bind. Run Trapster with sudo -E so that your activated virtual environment is preserved when binding those ports.

What you will see

Once running, Trapster logs every interaction to the terminal. A login attempt on the HTTP service looks like this:

json
{
  "device": "trapster-1",
  "logtype": "https.login",
  "src_ip": "192.168.1.42",
  "timestamp": "2025-02-28 18:53:18",
  "extra": {
    "method": "POST",
    "target": "/logincheck",
    "username": "admin",
    "password": "admin"
  }
}

Each event includes the source IP, timestamp, and what the attacker submitted. See Logging to forward events elsewhere.
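
A triage pass over events in the format shown above, as an added example (not Trapster's own code). It assumes the logger writes one JSON object per line, treats any logtype ending in `.login` as a credential attempt, and takes a hypothetical `real_accounts` watchlist of production account names; the sample events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events, one JSON object per line (assumed logger layout).
# "https.request" is a made-up non-login logtype used only to show filtering.
SAMPLE_LOG = """\
{"device": "trapster-1", "logtype": "https.login", "src_ip": "192.168.1.42", "timestamp": "2025-02-28 18:53:18", "extra": {"method": "POST", "target": "/logincheck", "username": "admin", "password": "admin"}}
{"device": "trapster-1", "logtype": "https.login", "src_ip": "192.168.1.42", "timestamp": "2025-02-28 18:53:21", "extra": {"method": "POST", "target": "/logincheck", "username": "svc-backup", "password": "Winter2025!"}}
{"device": "trapster-1", "logtype": "https.request", "src_ip": "192.168.1.77", "timestamp": "2025-02-28 18:54:02", "extra": {"method": "GET", "target": "/"}}
not-json garbage line
{"device": "trapster-1", "logtype": "https.login", "src_ip": "192.168.1.90", "timestamp": "2025-02-28 19:10:44", "extra": {"method": "POST", "target": "/logincheck", "username": "root", "password": "toor"}}
"""

def summarize_logins(lines, real_accounts=frozenset()):
    """Group *.login events by source IP; real_accounts holds lowercase names."""
    per_ip = defaultdict(lambda: {"attempts": 0, "usernames": set(), "first": None,
                                  "last": None, "real_account_hit": False})
    skipped = 0
    for line in filter(None, (l.strip() for l in lines)):
        try:
            ev = json.loads(line)
            if not ev["logtype"].endswith(".login"):
                continue
            src = ev["src_ip"]
            ts = datetime.strptime(ev["timestamp"], "%Y-%m-%d %H:%M:%S")
            user = str(ev.get("extra", {}).get("username", ""))
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1  # malformed or truncated line: count it, keep going
            continue
        s = per_ip[src]
        s["attempts"] += 1
        s["usernames"].add(user)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        # No legitimate user logs in to a honeypot, so a production account
        # name here means the source already holds knowledge of the environment.
        if user.lower() in real_accounts:
            s["real_account_hit"] = True
    return dict(per_ip), skipped

if __name__ == "__main__":
    summary, skipped = summarize_logins(SAMPLE_LOG.splitlines(), {"svc-backup"})
    # Real-account hits first; submitted passwords are deliberately not printed.
    for ip, s in sorted(summary.items(), key=lambda kv: not kv[1]["real_account_hit"]):
        print(ip, s["attempts"], sorted(s["usernames"]), s["first"], s["last"],
              "REAL ACCOUNT" if s["real_account_hit"] else "")
    print("skipped lines:", skipped)
```

A source that submits a real account name is the one to escalate first, and the skipped-line count is worth alerting on because it can indicate a broken log pipeline.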

Next steps

  • HTTP Honeypot: web skins and YAML templates
  • Plugins: port scan and LLMNR detection (Enterprise)
  • Logging: forward events to file, API, or Redis
  • GitHub: source code and issue tracker