Specialized honeypots match a single attacker tactic, turning ambiguous activity into precise telemetry whether they wait for attackers to arrive or actively visit suspicious sites. The T-Pot platform bundles Cowrie for SSH and Dionaea for Windows malware in a single deployable host, while Thug runs as a fake browser to explore malicious sites.
A honeypot is a decoy IT component, such as a system, network, or application, deployed to be attacked. Because it has no legitimate purpose, every interaction with it is suspicious.
Honeypots can help discover malicious activities at a lower rate of false positives than traditional intrusion detection approaches. Honeypots can also slow down and mislead the attacker by automatically providing slow responses or incorrect information. Lastly, the logs and artifacts collected by honeypots can be used to learn about the attacker’s capabilities and intentions.
Here are several freely available honeypot tools specialized for understanding SSH, web, and malware attacks:
- Cowrie is an SSH and Telnet honeypot. It logs brute-force attempts and records replayable sessions of the attacker’s interactions with the emulated shell.
- Dionaea is a honeypot for collecting malware. It emulates vulnerabilities in Windows services often targeted by malware, such as SMB, HTTP, FTP, and TFTP. Dionaea’s handling of the SMB protocol is particularly liked by researchers, as is its ability to emulate the execution of the attacker’s shellcode.
- Thug is a client-side honeypot (honeyclient) that emulates a web browser. It is designed to automatically interact with the malicious website to explore its exploits and malicious artifacts, often in the form of JavaScript.
In addition to these honeypot tools, you might also explore the classics like Honeyd and INetSim. A foundational book on this topic is Virtual Honeypots: From Botnet Tracking to Intrusion Detection by Niels Provos and Thorsten Holz.
The T-Pot Honeypot Platform bundles Cowrie, Dionaea, and many others with central monitoring if you’d like to deploy several honeypots together. You might also explore newer variations such as honeytokens planted in everyday files and decoy MCP servers for AI agents.
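To show how the Cowrie logging described above becomes usable telemetry, here is an added example (not code from Cowrie or T-Pot) that groups Cowrie JSON log events by source IP. It assumes the one-event-per-line JSON log with the `eventid`, `src_ip`, `session`, `username`, `password`, and `input` fields; the sample events and the threshold of three failures are constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of Cowrie's JSON log (one event per line).
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.10", "session": "a1"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "session": "a1", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "session": "a1", "username": "root", "password": "admin"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "session": "a1", "username": "admin", "password": "admin"}
{"eventid": "cowrie.login.success", "src_ip": "192.0.2.10", "session": "a1", "username": "root", "password": "root"}
{"eventid": "cowrie.command.input", "session": "a1", "input": "uname -a"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "session": "b2", "username": "pi", "password": "raspberry"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0
"""


def summarize(lines):
    """Group events by source IP: failed logins, accepted credentials, shell commands."""
    session_ip = {}  # session id -> source IP, for events that carry no src_ip
    report = defaultdict(lambda: {"failed": 0, "accepted": [], "commands": []})
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line, e.g. a log read mid-write
        if not isinstance(ev, dict):
            continue
        session = ev.get("session")
        ip = ev.get("src_ip") or session_ip.get(session)
        if ip is None:
            continue
        session_ip.setdefault(session, ip)
        eventid = ev.get("eventid")
        if eventid == "cowrie.login.failed":
            report[ip]["failed"] += 1
        elif eventid == "cowrie.login.success":
            report[ip]["accepted"].append((ev.get("username"), ev.get("password")))
        elif eventid == "cowrie.command.input":
            report[ip]["commands"].append(ev.get("input", ""))
    return dict(report)


def brute_forcers(report, threshold=3):
    """Source IPs with at least `threshold` failed logins (threshold is an assumption)."""
    return sorted(ip for ip, r in report.items() if r["failed"] >= threshold)


if __name__ == "__main__":
    print(brute_forcers(summarize(SAMPLE_LOG.splitlines())))
```

Because nothing legitimate ever logs in to the honeypot, the accepted credentials and commands for each flagged IP can go straight to blocklists or to detections on production SSH hosts.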

