Skip to content

How do I...?

Find your question below and jump straight to the answer.

Installation

How do I install Trapster?

Community: clone trapster-community and run docker compose up --build, or use Python/systemd. Run bash scripts/trapster-wizard.sh to generate ./trapster.generated.conf, then copy it to trapster/data/trapster.conf before restarting.
Enterprise: register at trapster.cloud, accept the EULA, then deploy from Trapsters → + and accept the pending device when it appears.

What is the difference between Community and Enterprise?

Both emulate the same core protocols. Community is open-source (AGPL), config-file driven, and logs to terminal, file, API, or Redis, with optional AI-powered HTTP responses. Enterprise adds the web dashboard, incidents and Threat Graph, breadcrumbs, honeytokens, RBAC (four roles), namespaces, SSO, plugins (LLMNR, port scan), and native SIEM integrations plus a REST API. SMB, Kerberos, and the port scan plugin require a VM deployment in Enterprise.

What are the hardware requirements?

Community: 512 MB RAM, 1 vCPU, 500 MB disk; Python 3.11+ or Docker 20.10+. No outbound connectivity unless you use the API logger.
Enterprise VM: 2 GB RAM, 1 core, routable IP, outbound HTTPS to domain_id.trapster.cloud. Docker and Kubernetes deployments use host networking and share the host's resources.

How do I deploy the Enterprise VM on my hypervisor?Enterprise

Open Trapsters, click the + card, and choose your platform in Deploy a new Trapster : choose your preferred type. Download the image or config, deploy it on your network, then wait 2–3 minutes and click Accept when the device appears as pending. Requires Administrator or Member role.

How do I set a static IP on the Enterprise VM?Enterprise

Connect to the VM console from your hypervisor and log in as trapster (password shown in the deploy wizard). Open the local menu → Network configuration, enter IP, netmask, gateway, and DNS, click Enable static IP, then reboot. The VM uses DHCP by default; container deployments inherit the host network instead.

Detection Modules

How do I deploy an HTTP honeypot?

Community: add an http array to trapster.conf with a port and skin, plus optional basic_auth. Built-in skins include default_apache, default_nginx, fortigate, demo_api, and custom YAML skins under trapster/data/http/.
Enterprise: open Trapsters → Services, add HTTP, and pick a skin (Apache, IIS, FortiGate, GitLab, Tomcat, and others). Enterprise always logs and denies. It never grants access on login.

How do I make the HTTP honeypot look like a Fortigate login page?

Set "skin": "fortigate" in your Community http or https block. The default HTTPS demo config already serves a FortiGate login form. On Enterprise, choose the FortiGate skin from the service editor, often paired with HTTPS on port 443.

How do I add HTTPS with a custom certificate?

Add an https block with key and certificate paths to PEM files. If either path is missing, Trapster generates a 2048-bit RSA self-signed certificate on startup with a CN matching your configured hostname. LDAPS uses the same pattern under trapster/data/ssl/ldaps/.

How do I capture SSH credentials?

Add an ssh block with a realistic version string and optional banner. Every username, password, and public-key attempt is logged; authentication always fails from the attacker's perspective.

How do I emulate a Windows file share (SMB)?Enterprise

Enable SMB from Trapsters → Services on a VM deployment (not available on Docker or Kubernetes). Set a realistic share name, hostname, and domain; Trapster captures connection attempts and NTLM credentials. You can optionally join an Active Directory domain for more realistic authentication.

How do I detect Kerberoasting or AS-REP roasting?Enterprise

Enable the Kerberos service on a VM deployment and set the realm to match your Active Directory domain. Trapster emulates a domain controller and logs AS-REQ, TGS-REQ, and credential spray attempts, including AS-REP roasting and Kerberoasting patterns.

How do I avoid false positives from my internal scanner?

Community: add the scanner IP to the top-level whitelist_ips array in trapster.conf. Events from those addresses are dropped entirely.
Enterprise: open the Trapster detail page and add IPs under Whitelist IPs. SNMP services are especially noisy; whitelist your monitoring tools before enabling them.

How do I run multiple services on different ports?

Add multiple objects to the same service array in trapster.conf, each with its own port (and skin or banner as needed). All listeners start concurrently. On Enterprise, add separate service rows from the dashboard, each with its own port and configuration.

How do I generate a config interactively?Community

From a repo checkout, run bash scripts/trapster-wizard.sh (requires Python 3). It walks through global settings (id, hostname, domain, whitelist, interface), a numbered catalog of 15 services where you can change each listener's port, logger output (terminal, file, api, redis) and format (default or ecs), then writes ./trapster.generated.conf.

Alerting

How do I receive alerts when a honeypot is triggered?

Community: set logger.output in trapster.conf to terminal, file, api, or redis. Only one output is active at a time.
Enterprise: incidents appear on the Incidents page automatically. For outbound delivery, configure Settings → Integrations (webhooks, syslog, distribution emails). Personal inbox email is separate under Settings → Notifications.

How do I send alerts to Microsoft Teams?

Enterprise: create a Teams workflow webhook in Microsoft, then add it under Settings → Integrations → Webhooks with type Teams. Scope it to namespaces and action types as needed.
Community: set "output": "api" and point kwargs.url at the Teams workflow URL.

How do I forward events to Splunk?

Enterprise: add a webhook under Settings → Integrations with type Splunk and your HEC token and URL, or forward CEF over syslog.
Community: set "output": "api" with Authorization: Splunk <hec-token> in headers, or write NDJSON to a file and tail with Splunk Universal Forwarder.

How do I forward events to Microsoft Sentinel?

Enterprise: configure syslog under Settings → Integrations → Syslog to a Log Analytics agent or collector that parses CEF, or use a custom webhook.
Community: POST ECS-formatted events via the API logger ("format": "ecs") to an HTTP Data Collector endpoint, or ship file output with a log agent.

How do I forward events to Wazuh?

Enterprise: add the Wazuh manager under Settings → Integrations → Syslog (UDP/TCP/TLS on port 514). Trapster sends CEF-formatted incidents; add a custom Wazuh rule to raise severity.
Community: write JSON or ECS logs to a file and ingest with Filebeat, or POST via the API logger.

How do I forward events to Sekoia?Enterprise

Create a Trapster intake in Sekoia, then add a webhook under Settings → Integrations with type SEKOIA and paste your intake key. No agent or middleware required. Incidents are forwarded as structured JSON.

How do I write events to a file on disk?Community

Set "output": "file" with a logfile path and optional mode (a to append, w+ to truncate on start). Events are written as NDJSON (one JSON object per line), directly ingestible by Elastic Agent, Filebeat, or Splunk UF.

How do I POST events to a custom HTTP endpoint?Community

Set "output": "api" with kwargs.url and any auth headers (Bearer tokens, API keys, etc.). Each event is POSTed as JSON. Combine with "format": "ecs" if your collector expects Elastic Common Schema.

How do I use ECS log format for Elastic or Wazuh?Community

Set "format": "ecs" in the logger block. Optional kwargs: ecs_version (default 8.11.0) and observer_name. Works with any output channel: terminal, file, API, or Redis.

How do I push events to a Redis queue?Community

Set "output": "redis" with host and port in kwargs. Each event is pushed as a JSON string to a Redis list, which is useful for decoupling collection from processing.

How do I receive email alerts?Enterprise

Two layers: Settings → Notifications controls email to your user account (all incidents, login attempts only, or off). Settings → Integrations → Emails adds org-wide distribution addresses like soc@company.com. Incident emails are debounced; honeytoken triggers are sent immediately.

How do I forward events via Syslog?Enterprise

Configure one or more destinations under Settings → Integrations → Syslog. Choose host, port, protocol (UDP/TCP), optional TLS, and severity. Trapster sends incidents in CEF (Common Event Format), not raw JSON. Use Send test from the row menu to verify connectivity.

Dashboard

How do I triage incidents in the dashboard?Enterprise

Open Incidents. Use the New tab for unacknowledged alerts, Acknowledged for items you've reviewed, and All for history. Open an incident for timeline, source IP, credentials, and breadcrumb placement notes. Acknowledge individually or in bulk; export to CSV. Breadcrumb credential use is auto-severity Critical.

How do I visualize attack paths?Enterprise

On the Incidents page, switch to the Threat Graph tab. Attackers (grouped by source IP) connect to Trapster nodes with numbered sequence markers showing which services were hit. Filter by 7, 30, or 90 days to focus on recent campaigns.

How do I configure a Trapster after it registers?Enterprise

After accepting a pending Trapster, open it from Trapsters to configure identity (hostname, domain join), network (DHCP or static), services, plugins (LLMNR; port scan on VM only), whitelist IPs, and breadcrumbs. VM accept applies a default template (Windows Server 2022); Docker/K8s accept applies a Debian Server template.

How do I organise Trapsters across multiple sites or teams?Enterprise

Create namespaces from Settings → Namespaces (Administrators only). Assign users to namespaces when inviting them. Namespace scope applies to Trapsters, incidents, honeytokens, breadcrumbs, and integrations throughout the product. Use the sidebar namespace switcher to filter your view.

What is the difference between internal and external Trapsters?Enterprise

Trapster labels each device Internal or External based on observed traffic. You do not set this manually. Internal Trapsters (user VLANs, server segments) raise full incidents for connections, logins, breadcrumbs, and port scans. External Trapsters (DMZ, cloud edge) de-prioritize internet background noise so internal alerts stay actionable.

How do I check if a Trapster is internal or external?Enterprise

Open Trapsters in the sidebar. Use the filter tabs at the top (All, Internal, External, or Offline) to show only Trapsters in that class. When a Trapster becomes External, you will also see an Info incident on the Incidents page.

Honeytokens

What is a honeytoken?Enterprise

A standalone decoy (a URL, Office file, QR code, or JavaScript snippet) created in the dashboard. When someone opens or visits it, Trapster records the interaction and raises an incident. No Trapster deployment is required on your network.

Should I use a honeytoken or a breadcrumb?Enterprise

Honeytoken: lightweight tripwire you can drop anywhere (email drafts, shared folders, QR posters, website embeds) without touching a real machine. Tells you someone accessed your decoy.
Breadcrumb: fake credential or shortcut planted on a real endpoint, tied to a specific Trapster. Tells you which machine was compromised when the attacker reuses what they found.

How do I create a honeytoken?Enterprise

Open Honeytokens → Add Honeytokens (or use Create on the Incidents page). Pick a type, enter a placement Note (required), configure options, then copy the URL, download the file/QR, or copy the JS snippet. Requires Administrator or Member role; the honeytoken is created in your current namespace.

How do I protect my login page from being cloned?Enterprise

Create a JS Clone honeytoken and embed the snippet in your login page's <head>. If an attacker clones the page and leaves the snippet in place, any visit to the clone triggers an incident, even if they changed URLs and branding elsewhere.

What honeytoken types are available?Enterprise

Eight types: URL, URL (redirect), QR Code, QR Code (redirect), Microsoft Word (.docx), Excel (.xlsx), PowerPoint (.pptx), and JS Clone. Redirect variants send the visitor to a page you choose after logging the trigger. Optional browser fingerprinting is available on redirect types.

What is a breadcrumb?Enterprise

A decoy artifact (fake credential, shortcut, or config file) planted on a real machine and pointing at your Trapster. When an attacker finds and uses it, Trapster raises a Critical incident. Unlike a normal honeypot hit (someone probing your network), a breadcrumb tells you a specific endpoint was already compromised.

How do I know which machine was compromised?Enterprise

When a breadcrumb fires, open the incident on the Incidents page. The detail view includes the placement note you wrote when generating the breadcrumb (for example, "Placed in Documents on WORKSTATION-42"). That note is your record of which machine you deployed the decoy on. Write descriptive notes at creation time; they are the primary way to tie an alert back to a specific endpoint.

How do I create a breadcrumb?Enterprise

Open Trapsters → device → Services, click Generate breadcrumb on a service row, choose a format (filtered by service type), add a placement note, toggle Include decoy credentials (auto-generated; on by default), then download and deploy the file or script on the target machine.

How do I plant a breadcrumb on a Windows machine?Enterprise

Choose from 19 formats depending on the service: FileZilla, PuTTY, WinSCP, RDP shortcut, HTTP/HTTPS shortcuts, PowerShell history or script, PowerShell SSH/SMB scripts, Windows SMB shortcut, password file, MySQL config, PostgreSQL pgpass, MSSQL script, and more. Each type includes a deployment script or import instructions.

How do I plant a breadcrumb on a Linux machine?Enterprise

Common Linux formats: bash history entry, bash script (.sh), password file, MySQL ~/.my.cnf, PostgreSQL ~/.pgpass, and HTTP/HTTPS shortcuts (also work on macOS). The wizard filters available formats to those matching the service you generate from.

How do I drop a fake password file to lure attackers?Enterprise

Generate a Password File breadcrumb from any service row, deploy it to Documents or a shared folder, and rename it to something attractive like passwords.txt or vpn-credentials.txt. With decoy credentials enabled, Trapster embeds an auto-generated username/password pair.

My breadcrumb is showing as stale. What do I do?Enterprise

A breadcrumb goes Stale when the Trapster's IP changes after the breadcrumb was created. The embedded address no longer reaches the honeypot. Regenerate from the Trapster's Services tab and redeploy on the target machine. Check the Breadcrumbs tab for Active/Stale/Triggered status.

Why do breadcrumbs use unique credentials?Enterprise

Each breadcrumb gets a unique auto-generated identifier: a username/password pair, HTTP path, or SMB share name depending on format. When the attacker uses that exact value, Trapster matches it to the breadcrumb and includes your placement note in the incident, pinpointing which machine was compromised.

API

How do I authenticate with the API?Enterprise

Create a personal access token (PAT) from Settings → Personal Access Tokens (Administrators and Members only). Pass it as Authorization: <your-pat> or Authorization: Bearer <your-pat> on every request. Tokens inherit your role permissions and are shown once at creation.

How do I query incidents or integrate with a SOAR?Enterprise

Use the REST API at https://<code>.trapster.cloud/api/v1/. The live reference at /api/docs in your dashboard lists all endpoints, parameters, and response schemas. Common use cases: poll incidents, automate honeytoken management, and feed a SOAR playbook. Requests are rate-limited per token.

Contributing

How do I contribute to Trapster Community?Community

Fork the repo, create a feature branch, and open a pull request. When you open your first PR to any Ballpoint project, a bot will comment asking you to sign the CLA : follow the steps it provides. You only need to sign once; future contributions to any Ballpoint project will not require signing again.

Where do I report a bug?Community

Open an issue on GitHub with a description of the problem and reproduction steps. Use the bug report template for faster triage.

Where do I ask questions or get help?Community

Post in GitHub Discussions for longer questions, or join the Discord for real-time chat with the community and the Ballpoint team. For Enterprise support, contact support@trapster.cloud.

Troubleshooting

The Enterprise Trapster is not appearing in the dashboard.

Verify the Trapster has a routable IP and outbound HTTPS to domain_id.trapster.cloud (curl -I https://trapster.cloud from the console). Registration takes 2–3 minutes after boot. Open Trapsters and click Accept on the pending device. If you configured a static IP, click Enable static IP before rebooting.

The honeypot is not receiving connections.

Verify the service is listening (ss -tlnp | grep <port> on Community; check the Services tab on Enterprise). Confirm no host firewall blocks inbound traffic to the Trapster. On Community, check that interface is set correctly if not using 0.0.0.0.

I am not receiving alerts.

Community: validate trapster.conf JSON, confirm the process is running, and test your API endpoint with curl.
Enterprise: check incidents appear on the Incidents page first. If they do, the issue is outbound delivery. Verify the integration is enabled under Settings → Integrations and the destination is reachable.

The VM cannot reach the dashboard.

Outbound port 443/TCP to domain_id.trapster.cloud must be allowed through your firewall. From the Trapster console, verify DNS (nslookup trapster.cloud) and routing (default gateway configured). If your network requires a proxy, contact support.