HoneyLens Sensor — What It Is and Where It Is
A hybrid intelligence sensor that combines kernel-level eBPF packet capture, 43+ protocol honeypots, dual AI analysis (local Ollama on a GPU box + cloud Claude / OpenAI), Suricata IDS pre-filtering, and automated threat intelligence publishing. Every connection is captured, classified, profiled, and — if interesting enough — published as a threat advisory with zero human intervention.
What It Does
Each sensor combines four layers of detection, designed so that any one layer failing doesn’t leave us blind:
- eBPF kernel capture. A BPF program attached to the network interface classifies every TCP / UDP segment in kernel space. Phase 0.5 (2026-05-22) added per-port payload dissection — up to 4 096 bytes of application-layer payload copied into the event record on 11 monitored ports (FTP, SMTP/submission, the four PAN-OS captive-portal ports, Redis, Tomcat alt-HTTP, NGINX Rift on 8443).
- Protocol honeypots. 43+ modular services emulate everything from SSH and HTTP to Modbus, S7comm, OPC UA, FortiGate SSL-VPN, Palo Alto PAN-OS management (WebUI + GlobalProtect + XML API + SSH CLI + captive portal), Kubernetes API with honeytokens, an OWASP LLM Top 10 chat honeypot, and a CVE-2026-42945-vulnerable nginx. Each one is a separate systemd service running as the sensor user, with memory + CPU caps.
- Suricata IDS pre-filter. 49 000+ Emerging Threats Open rules plus a local HoneyLens range (9026300-9026429) for CVE-specific structural signatures we've written for our own hunts (PAN-OS CVE-2026-0300 today; NGINX Rift CVE-2026-42945 added 2026-05-24). Events with a known Suricata classification bypass the AI pipeline entirely, a 90-95% saving on triage cost.
- Dual AI analysis pipeline. Local Ollama (deepseek-r1 / qwen2.5 on an RTX 3060 GPU box) for triage; cloud Claude (Sonnet + Opus) or OpenAI (gpt-4.1-mini + gpt-5-mini) for deep analysis. Per-model cost tracking, daily / monthly spending caps, automatic deobfuscation + IOC extraction + novelty scoring. Source IPs on the hunting list override the Suricata skip, so we keep getting fresh narrative on actors we care about even when their traffic matches a known signature.
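A worked example of the routing rule described above (a known Suricata classification skips the AI tiers, a hunting-list IP overrides that skip, and cloud calls stop at the daily cap), written for this page rather than taken from the HoneyLens code. The Event and Budget shapes, the novelty threshold, the per-call cost and the sample IPs and SIDs are assumptions; the 9026300-9026429 SID range is the one named above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Local HoneyLens SID range named on the page: 9026300-9026429 inclusive.
HONEYLENS_SIDS = range(9026300, 9026430)


@dataclass
class Budget:
    """Daily cloud-spend tracker. Assumed shape: the page says caps exist, not how."""
    daily_cap_usd: float
    spent_usd: float = 0.0

    def can_afford(self, cost_usd: float) -> bool:
        return self.spent_usd + cost_usd <= self.daily_cap_usd

    def charge(self, cost_usd: float) -> None:
        self.spent_usd += cost_usd


@dataclass
class Event:
    """One captured connection. Assumed fields, not the sensor_events schema."""
    src_ip: str
    sids: list          # Suricata SIDs that fired on this connection
    payload: bytes
    novelty: float      # 0.0-1.0, assumed output of the local triage model


def is_hunted(src_ip: str, hunting_list) -> bool:
    """True if src_ip falls inside any hunting-list address or CIDR."""
    addr = ip_address(src_ip)
    return any(addr in ip_network(net, strict=False) for net in hunting_list)


def sid_source(sid: int) -> str:
    """Attribute a SID to the local HoneyLens range or to ET Open."""
    return "honeylens" if sid in HONEYLENS_SIDS else "et-open"


def route(event, hunting_list, budget, cloud_cost_usd=0.05, novelty_threshold=0.7):
    """Pick a tier for one event: 'suricata' (no AI), 'local' (Ollama) or 'cloud'.

    The hunting-list check is evaluated before the Suricata skip, so a hunted
    actor is never silenced by a known signature.
    """
    hunted = is_hunted(event.src_ip, hunting_list)
    if event.sids and not hunted:
        sources = ",".join(sorted({sid_source(s) for s in event.sids}))
        return "suricata", "known classification (%s)" % sources
    if not hunted and event.novelty < novelty_threshold:
        return "local", "below novelty threshold"
    if not budget.can_afford(cloud_cost_usd):
        return "local", "cloud daily cap reached"
    budget.charge(cloud_cost_usd)
    return "cloud", "hunting-list override" if hunted else "novel payload"


if __name__ == "__main__":
    # Constructed sample traffic: documentation-range IPs, placeholder payloads,
    # 2034567 is a placeholder ET Open SID, not a specific rule.
    hunting = ["203.0.113.0/24"]
    budget = Budget(daily_cap_usd=0.10)
    events = [
        Event("198.51.100.7", [9026311, 2034567], b"POST /api/ HTTP/1.1\r\n", 0.9),
        Event("198.51.100.8", [], b"GET / HTTP/1.1\r\n", 0.2),
        Event("203.0.113.5", [9026300], b"POST /api/ HTTP/1.1\r\n", 0.1),
        Event("198.51.100.9", [], b"\x00\x01\x02", 0.95),
        Event("198.51.100.10", [], b"\x00\x01\x02", 0.99),
    ]
    for ev in events:
        print(ev.src_ip, *route(ev, hunting, budget))
```

The order of the checks is the part worth copying: the hunted-actor test runs before the signature skip, and the budget test runs last so a cap exhaustion degrades to the local tier instead of dropping the event.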
Where It’s Deployed
Three sensors run in production. The fleet is intentionally small — this is a research project, not SaaS — but each one is on a different network topology, so attacker traffic patterns differ meaningfully:
| Sensor | Network | Role |
|---|---|---|
| sensor1 | Lab LAN, behind NAT + firewall | Development — new honeypots and Suricata rules land here first |
| sensor2 | Hosted VPS, public IPv4 directly exposed | Production canary — takes the full public-internet scanner load; most novel actor traffic |
| sensor3 | Corporate-style network, DNAT'd from a public IP | Production — mostly targeted-scanner traffic, plus ICS/OT VLAN visibility |
Hostnames, IPs, and ASNs are deliberately anonymised in the blog; the underlying data lives in the operator-side attacker_profiles, sensor_events, and attack_patterns tables on each sensor.
Recent Milestones
- 2026-05-24 — NGINX Rift honeypot (CVE-2026-42945). TLS/8443 honeypot adopted from an upstream stdlib-only package, deployed across all three sensors the same day the CVE landed. Four Suricata signatures, three independent payload-capture layers, per-sensor unique self-signed certs to keep JA4 fingerprints attributable. See the public writeup.
- 2026-05-22 — Phase 0.5 BPF payload dissection lift. Per-port BPF capture buffer raised from 1 KB to 4 KB across the 11 monitored ports, after the CVE-2026-0300 T+9 incident exposed the old cap as the gap that lost real exploit bodies. Four new Suricata SIDs (9026311-9026314) and four new HTTP/JSON classifier rules deployed fleet-wide the same day.
- 2026-05-21 — T+9 reopen of the CVE-2026-0300 hunt. 96 hours after declaring the hunt closed, a Linode-Frankfurt actor fired six HONEYLENS SIDs on sensor2 with a 2 120-byte exploit-shape POST. Hunt reopened; daily cadence resumed. See the public writeup for the full timeline.
- 2026-04-29 — open-core split. Codebase published as AGPL-3.0 OSS on Gitea; JA4+ variants S/H/X/SSH/T factored out into a private enterprise plugin. Single open-core repo, plugin loaded at runtime via the honeylens_plugin_api contract.
- 2026-04-15 — ICS/OT honeypot pack. Six new modular honeypots (DNP3, IEC 60870-5-104, BACnet/IP, EtherNet/IP, OPC UA, FINS/Omron) plus 16 binary protocol detectors and ~750 ICS-specific classifier rules. Cross-mapped to MITRE ATT&CK for ICS.
- 2026-04-06 — Palo Alto PAN-OS honeypot. Per-instance identity generator (unique serial, model, hostname, MAC, three TLS certs), management WebUI + GlobalProtect + XML API + SSH CLI + captive portal, six CVE detections including CVE-2024-0012, CVE-2024-9474, CVE-2024-3400, CVE-2025-0108, and the byte-perfect qassam-315 PoC for CVE-2026-0300. See the PAN-OS writeup.
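The check implied by the Phase 0.5 lift above, as an added example rather than HoneyLens code: given a fixed-size capture of an HTTP POST, compare the captured body against the declared Content-Length and refuse to report a negative signature result as a "no-match" when the body was cut off. The request, the 2 120-byte body layout and the MARKER stand-in for a structural signature are constructed for the example (no real exploit bytes); the 1 KB and 4 KB caps are the values from the page.

```python
# Capture-cap truncation check. A per-port BPF buffer copies at most `cap`
# bytes of application payload into the event record; if the captured body is
# shorter than the declared Content-Length, a negative signature result on
# those bytes proves nothing.

MARKER = b"MARKER-PLACEHOLDER"  # stand-in for a structural signature, not a real exploit string

# Constructed sample: a 2 120-byte POST body with the marker 2 000 bytes in,
# the shape of the T+9 event described above. The body itself is filler.
_BODY = b"A" * 2000 + MARKER + b"B" * (2120 - 2000 - len(MARKER))
HEADERS = (b"POST /api/ HTTP/1.1\r\nHost: sensor\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: %d\r\n\r\n" % len(_BODY))
SAMPLE_REQUEST = HEADERS + _BODY


def capture(payload: bytes, cap: int) -> bytes:
    """What a fixed-size copy buffer keeps of the payload."""
    return payload[:cap]


def split_request(captured: bytes):
    """Return (declared Content-Length or None, body bytes).

    Returns (None, None) when the header block itself was cut off before the
    blank line, so there is no body to reason about at all.
    """
    head, sep, body = captured.partition(b"\r\n\r\n")
    if not sep:
        return None, None
    declared = None
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            try:
                declared = int(value.strip())
            except ValueError:
                declared = None
            break
    return declared, body


def assess(captured: bytes, marker: bytes) -> dict:
    """Classify a captured POST as match / no-match / inconclusive.

    'inconclusive' is the point: a 1 KB cap turns a real exploit body into a
    no-match unless truncation is checked explicitly.
    """
    declared, body = split_request(captured)
    if body is None:
        return {"verdict": "headers-truncated", "declared": None,
                "captured_body": 0, "truncated": True}
    truncated = declared is not None and len(body) < declared
    if marker in body:
        verdict = "match"
    elif truncated:
        verdict = "inconclusive"
    else:
        verdict = "no-match"
    return {"verdict": verdict, "declared": declared,
            "captured_body": len(body), "truncated": truncated}


if __name__ == "__main__":
    for cap in (1024, 4096):
        print(cap, assess(capture(SAMPLE_REQUEST, cap), MARKER))
```

Running it shows the old 1 KB cap returning "inconclusive" (916 body bytes of a declared 2 120) and the 4 KB cap returning "match"; the useful operational rule is to surface the truncated flag on every event record so a hunt is never closed on the strength of truncated negatives.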
What’s Next
The 47-idea backlog drives the roadmap. The current top-of-queue items, in priority order:
- Continuing the daily CVE-2026-0300 and CVE-2026-42945 hunts until 14 consecutive zero-firing days close each thread (or a real firing reopens the clock). Rondo’s 14-day cadence predicts a 2026-05-31 ± 2 d return.
- Idea 13 — threat intelligence & malware capture pipeline. Extract dropper URLs / C2 IPs / domains from captured payloads, fetch malware samples safely, integrate VirusTotal / MalwareBazaar submission. This is a prerequisite for the AI malware sandbox (Idea 20) and the ELF binary vulnerability analyzer (Idea 41).
- Idea 34 — Intelligence Operating Center. The cross-sensor management plane — sensor registration, central rule distribution, fleet-wide hunting list sync. Kubernetes / Rancher / Helm / Longhorn / NeuVector design landed; implementation pending.
- Idea 35 — privilege separation & system hardening. Four-tier privilege model (kernel / privileged-ports / unprivileged services / read-only tools), drop root after eBPF attach, seccomp + AppArmor profiles. High priority before any deployment outside the lab.
- Idea 26 — CISA KEV adaptive honeypot. Daily fetch of the CISA Known-Exploited-Vulnerabilities catalog, automatic generator that produces CVE-specific honeypot templates and classifier rules.
The codebase is at 192.168.0.100:3000/HoneyLens/HoneyLens (Gitea, lab-internal) and mirrored to GitHub on release. The blog you're reading is itself part of the sensor stack: publishing/blog_publisher.py runs on each sensor and pushes new threat-actor advisories here automatically.