Add my own honeypot to TPot

[maurodelossantos]

Hello! I'd like to add my own honeypot to TPot to expose some vulnerable services that will require some extra manual exploitation (BOFs, customized vulnerabilities, etc.) to later compare the results between automated honeypots and customized ones. This question is to ask/confirm the steps to follow to add my honeypot[s] to TPot and be able to visualize in the WebGUI its results:

1. Add a folder called myHoneypot/ under the docker/ with a dist/ subfolder for configuration files if needed, a Dockerfile, and a docker-compose.yml to spin up the container with the vulnerable[s] service[s].
2. Adjust the tpot.yml and the main docker-compose.yml (?) I understand now this isn't needed as the file is going to be updated dynamically with the content of Dockerfile and docker-compose.yml under the myHoneypot/ folder. Still want to corroborate this.
3. Edit the docker/elk/logstash/dist/logstash.conf file to add the logs of our honeypot. I copied the changes made for Log4Pot in this commit. Is this correct?
4. Modify the Kibana objects. Completely lost about this step. I've seen this commit modifying them for adding Log4Pot but as they are binary files I can't really see what to change.
5. Based on some commits (especially the ones to add Log4Pot -- fb93d851190109aadddda2c834c81107e2559583), I've tried to debug which extra files I should edit. Are any of those worthy/required to modify?: /etc/compose/log4j.yml / etc/compose/standard.yml / logrotate/logrotate.conf / anything else?
6. Stop and start the TPot service. (?) Maybe to apply the changes a restart isn't enough and I need to manually apply and run the container for the honeypot.

Am I missing anything? With just those steps, will I be able to successfully deploy and see the information about my Honeypot in the WebGUI (mainly in the attack map and Elasticsearch)?

Any help is very welcome! Thanks!

[witchermixer]

Have you been able to resolve your issue? I'm facing similar situation, but I want to add new service to already working instance of T-POT. Unfortunately addind logs to /data folder and editing logstash.conf does not help.

If anyone have any tips I would be grateful.

Cheers.

[SimonKling]

So was a way found ?