Skip to content

v1.0.0 — First Production Release

Latest

Choose a tag to compare

@lopes lopes released this 24 Jun 16:45
v1.0.0
c9b150e

Lantana is a honeypot-as-code platform. Deploy IPv4/IPv6 dual-stack honeypots from an Ansible inventory, capture attacker behavior into a typed datalake, and ship intelligence as Discord briefs, STIX bundles, and a Streamlit dashboard. Aligned with MITRE Engage — honeypots are treated as disposable infrastructure that gets rotated and reshaped as narratives evolve.

This is the first production release, validated on a live operation over three weeks (June 2–19, 2026).

What's in v1.0.0

Infrastructure

  • Single-node and multi-node deployment from an inventory-per-operation model (clone op_single or op_multi, configure, deploy)
  • Zoned architecture: Honeywall (nftables + Suricata), Sensor, Collector
  • IPv4/IPv6 dual-stack throughout, enforced at the firewall layer
  • Rootless Podman containers via Quadlets + user-scoped systemd
  • Three post-deploy validation playbooks: validate-single-node, validate-sensor-runtime, validate-pipeline-cycle
  • Terraform provisioning module for Proxmox

Sensors

  • Cowrie (SSH + Telnet): credential harvesting, command capture, file download/upload, TTY session transcripts
  • Dionaea (FTP, HTTP, EPMAP, SMB, MSSQL, MySQL): binary artifact capture, credential logging, multi-protocol emulation
  • file_intent tagging (malware / persistence / probe) on captured file events

Data Pipeline (Python 3.13+)

  • Three-tier datalake: Bronze (raw NDJSON via Vector), Silver (OCSF-inspired Parquet, enriched, redacted), Gold (per-IP daily aggregates)
  • MaxMind GeoLite2 at wire speed (Vector); AbuseIPDB, VirusTotal, GreyNoise, Shodan via daily batch HTTP
  • SQLite enrichment cache with tiered TTLs: 7 days (benign) → 28–180 days (malicious, by IOC type)
  • Composite risk scoring: per-provider sub-scores → enrichment mean + behavioral score → final risk_score (0–100)
  • Dual rate-limit circuit breakers (consecutive + cumulative) to prevent runaway API quota consumption
  • WAN IP redaction and infrastructure IP filtering before any data leaves the pipeline (OPSEC layers 1–3)
  • STIX 2.1 bundle export

Intelligence Output

  • Daily Discord report: pipeline health, top attackers, credentials, malware captures, attacker persistence — posted as a Markdown file attachment
  • Streamlit dashboard with 7 tabs: Overview, Geography (world map colored by risk score), IP Reputation, Progression funnel, Findings (Suricata alerts), Credentials, STIX Export

Known Limitations

Six items were intentionally deferred; see the Roadmap for full context:

  • Dionaea binary download URLs not surfaced in bronze/silver (custom ihandler needed)
  • Dionaea binary hashes are MD5/SHA-512; VT hash enrichment queries files on disk
  • Dashboard has no date-range selector (fixed trailing-7-day window)
  • Multi-day slow-burn detection is a proxy (daily gold aggregation), not a stage-progression signal
  • SIP module disabled — upstream Dionaea sqlite race condition between supervisor and worker process
  • Honeypot images use rolling upstream tags (cowrie:latest, dionaea:nightly); self-built pinned images are on the roadmap

Getting Started

See the Setup Guide for a first-deploy walkthrough.