Detection Modules
Trapster emulates network services attackers probe during reconnaissance and lateral movement. Connection and login attempts are logged; credential submissions are captured when the protocol supports it.
Enterprise
Configure services from the dashboard:
- Open Trapsters and select a device
- Go to the Services tab
- Add or edit services
From each service row you can also Generate breadcrumb to create a decoy tied to that Trapster. See Breadcrumbs.
Enterprise Trapsters can also run background plugins (port scan and LLMNR detection) from the device Settings tab. See Plugins.
VM-only features
Port scan detection and some services are only available on VM deployments. See Trapsters: deployment constraints.
Community Edition
Trapster Community is a free, open-source honeypot you can run on any Linux machine. It emulates common network services and logs every connection and credential attempt it receives.
There is no dashboard. Events are printed to the terminal by default, or forwarded to a file, API, or Redis if you configure a logger. For a managed dashboard, SIEM integrations, breadcrumbs, and honeytokens, see Trapster Enterprise.
Install and run
python3 -m venv venv
source venv/bin/activate
pip install trapster
Configuration wizard
bash scripts/trapster-wizard.sh
python3 main.py -c ./trapster.generated.conf
The wizard walks through global settings, interface selection, service selection with port customization, and logger output, then writes ./trapster.generated.conf.
Privileged ports
The default ports are well-known ports (21, 22, 80, and others), which normally require root privileges to bind on Linux. Use sudo -E to preserve your activated virtual environment when binding those ports.
What you will see
Once running, Trapster logs every interaction to the terminal. A login attempt on the HTTP service looks like this:
{
  "device": "trapster-1",
  "logtype": "https.login",
  "src_ip": "192.168.1.42",
  "timestamp": "2025-02-28 18:53:18",
  "extra": {
    "method": "POST",
    "target": "/logincheck",
    "username": "admin",
    "password": "admin"
  }
}
Each event includes the source IP, timestamp, and what the attacker submitted. See Logging to forward events elsewhere.
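As an added example (not part of Trapster or its documentation), the script below triages events in the format shown above: it groups them by src_ip and lists the sources that submitted credentials. It assumes events were saved one JSON object per line; the sample lines and the function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample input. One JSON object per line is an assumption about
# how events were saved; the fields mirror the https.login event shown above.
SAMPLE_LOG = """\
{"device": "trapster-1", "logtype": "https.login", "src_ip": "192.168.1.42", "timestamp": "2025-02-28 18:53:18", "extra": {"method": "POST", "target": "/logincheck", "username": "admin", "password": "admin"}}
{"device": "trapster-1", "logtype": "https.login", "src_ip": "192.168.1.42", "timestamp": "2025-02-28 18:53:21", "extra": {"method": "POST", "target": "/logincheck", "username": "root", "password": "toor"}}
{"device": "trapster-1", "logtype": "https.login", "src_ip": "192.168.1.77", "timestamp": "2025-02-28 19:02:05", "extra": {"method": "POST", "target": "/logincheck", "username": "admin", "password": "123456"}}
{"device": "trapster-1", "logtype": "https.login", "src_ip": "192.168.1.90", "timestamp": "2025-02-28 19:10:00"}
not-json line left by a truncated write
"""

def summarize(lines):
    """Group events by src_ip; return (per-IP summary, skipped line count)."""
    summary = defaultdict(lambda: {"events": 0, "credential_attempts": 0,
                                   "usernames": set(), "first_seen": None, "last_seen": None})
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            entry = summary[str(event["src_ip"])]
        except (json.JSONDecodeError, KeyError, TypeError):
            skipped += 1  # malformed or incomplete line: count it and keep going
            continue
        entry["events"] += 1
        ts = event.get("timestamp")
        if isinstance(ts, str):  # "YYYY-MM-DD HH:MM:SS" strings sort chronologically
            entry["first_seen"] = min(entry["first_seen"] or ts, ts)
            entry["last_seen"] = max(entry["last_seen"] or ts, ts)
        extra = event.get("extra")
        if isinstance(extra, dict) and ("username" in extra or "password" in extra):
            entry["credential_attempts"] += 1
            if "username" in extra:
                entry["usernames"].add(str(extra["username"]))
            # Passwords stay out of the summary: one may be a real credential typed by mistake.
    return dict(summary), skipped

def sources_with_credentials(summary):
    """Source IPs that submitted credentials, most attempts first."""
    hits = [ip for ip, e in summary.items() if e["credential_attempts"]]
    return sorted(hits, key=lambda ip: (-summary[ip]["credential_attempts"], ip))

if __name__ == "__main__":
    summary, skipped = summarize(SAMPLE_LOG.splitlines())
    print(sources_with_credentials(summary), "skipped lines:", skipped)
```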
Next steps
- HTTP Honeypot: web skins and YAML templates
- Plugins: port scan and LLMNR detection (Enterprise)
- Logging: forward events to file, API, or Redis
- GitHub: source code and issue tracker
