The LogSentinel Collector supports a honeypot function that collects threat information by acting as a fake exposed service.
The LogSentinel Honeypot supports the following services on their default ports:
- FTP (21)
- SSH (22)
- Telnet (23)
- SMTP (25, 465, 587)
- HTTP(S) (80, 443)
- POP3 (110)
- SMB (139, 445)
- IMAP (143)
- RDP (3389)
Network configuration requirements
For the honeypot to work, the host must be reachable from the internet, and any firewall rules blocking inbound traffic to the selected ports must be removed.
Once a potentially malicious actor connects to one of the open ports, the source IP is sent to LogSentinel SIEM and added to the threat database. The underlying assumption is that anyone scanning random IPs for open ports of popular services is doing so with malicious intent.
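The mechanism described above, as an added example that is not LogSentinel's own code: a minimal TCP decoy that listens on the page's default ports, records the source IP of every connection as a structured event (the event schema, the `IntelStore` aggregation and the function names are assumptions for this example, not the product's), and aggregates per-IP indicators of the kind a collector would forward to a SIEM threat database. The listener only accepts and closes; it emulates no protocol, so the source address is the only thing it collects.

```python
"""Minimal TCP honeypot sketch (added example, not LogSentinel code).

Binds decoy listeners, records each connecting source IP as a SIEM-style
event, and aggregates per-IP indicators. The port-to-service table mirrors
the page's list; the event schema and IntelStore are assumptions.
"""
import json
import socket
import threading
from datetime import datetime, timezone

# Service names by default port, as listed on the page.
PORT_SERVICES = {
    21: "ftp", 22: "ssh", 23: "telnet",
    25: "smtp", 465: "smtps", 587: "submission",
    80: "http", 443: "https", 110: "pop3",
    139: "smb", 445: "smb", 143: "imap", 3389: "rdp",
}


def service_for_port(port: int) -> str:
    """Name the service the decoy pretends to be on `port`."""
    return PORT_SERVICES.get(port, f"tcp/{port}")


def build_event(src_ip: str, src_port: int, dst_port: int, when=None) -> dict:
    """Build one connection event in an assumed SIEM schema."""
    when = when or datetime.now(timezone.utc)
    return {
        "event_type": "honeypot.connection",
        "timestamp": when.isoformat(),
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_port": dst_port,
        "service": service_for_port(dst_port),
    }


class IntelStore:
    """Per-source aggregation: which decoy ports each IP touched, how often."""

    def __init__(self):
        self.hits = {}
        self._lock = threading.Lock()

    def record(self, event: dict) -> dict:
        ip = event["src_ip"]
        with self._lock:
            entry = self.hits.setdefault(
                ip, {"count": 0, "ports": set(), "first_seen": event["timestamp"]})
            entry["count"] += 1
            entry["ports"].add(event["dst_port"])
            entry["last_seen"] = event["timestamp"]
            return entry

    def indicators(self) -> list:
        """Export one threat-database record per source IP."""
        with self._lock:
            return [{"ip": ip, "count": e["count"], "ports": sorted(e["ports"]),
                     "first_seen": e["first_seen"], "last_seen": e["last_seen"]}
                    for ip, e in self.hits.items()]


def open_listener(bind_addr: str, port: int) -> socket.socket:
    """Bind a decoy socket; port 0 asks the OS for an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(16)
    return srv


def accept_loop(srv: socket.socket, store: IntelStore, max_conns=None, sink=None) -> int:
    """Accept connections, record each as an event, close. Returns the count."""
    decoy_port = srv.getsockname()[1]
    seen = 0
    while max_conns is None or seen < max_conns:
        conn, (ip, sport) = srv.accept()
        conn.close()  # no protocol emulation: the peer only reveals its address
        event = build_event(ip, sport, decoy_port)
        store.record(event)
        if sink:
            sink(json.dumps(event))
        seen += 1
    srv.close()
    return seen


def local_roundtrip() -> list:
    """Bind a decoy on 127.0.0.1:<ephemeral>, connect once, return indicators."""
    store = IntelStore()
    srv = open_listener("127.0.0.1", 0)
    port = srv.getsockname()[1]
    worker = threading.Thread(target=accept_loop, args=(srv, store, 1), daemon=True)
    worker.start()
    with socket.create_connection(("127.0.0.1", port), timeout=5):
        pass  # simulated scanner: connect and leave
    worker.join(5)
    return store.indicators()


if __name__ == "__main__":
    # Stand-alone: bind the page's ports (privileged ports need root) and
    # print one JSON event per connection for a collector to forward.
    shared = IntelStore()
    for p in PORT_SERVICES:
        try:
            sock = open_listener("0.0.0.0", p)
        except OSError as exc:
            print(f"skip {p}: {exc}")
            continue
        threading.Thread(target=accept_loop, args=(sock, shared, None, print),
                         daemon=True).start()
    threading.Event().wait()
```

`local_roundtrip()` exercises the whole path on loopback without exposing anything, which is a reasonable smoke test before opening the real ports at the firewall. Note that the ports below 1024 require elevated privileges to bind and that, per the page, the host must then be reachable from the internet on exactly those ports.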