A sophisticated Rust-based honeypot designed to detect and troll security scanners using multi-layered behavioral analysis and a massive arsenal of resource-intensive payloads.
- Threat Intelligence: Identify scanning patterns and attacker methodologies
- Early Warning System: Detect reconnaissance activities before actual attacks
- Security Awareness: Train teams on scanner behavior and detection techniques
- Incident Response: Analyze attacker tools and techniques in controlled environment
- Scanner Analysis: Study behavior of security tools (Burp, sqlmap, Nikto, etc.)
- Evasion Research: Test advanced detection bypass techniques
- Performance Benchmarking: Validate detection algorithms under realistic load
- Behavioral Modeling: Research automated vs. human request patterns
- Cybersecurity Courses: Hands-on experience with honeypot technology
- Tool Demonstration: Show students how scanners work and how they're detected
- Research Projects: Platform for academic security research
- CTF Competitions: Challenging target for capture-the-flag events
- Realistic Targets: Provide challenging honeypot environments
- Evasion Testing: Validate advanced detection bypass techniques
- Tool Validation: Test scanner effectiveness against behavioral analysis
- Training Scenarios: Practice detection and response procedures
- Layer 1: Traditional Detection - User-Agent, headers, injection patterns
- Layer 2: Behavioral Analysis - Request timing, cadence patterns, burst detection
- Layer 3: Honeypot Traps - Hidden links, robots.txt violations, sitemap crawling
- Layer 4: Path Enumeration - Systematic scanning detection, directory traversal patterns
- π Request Cadence Tracking: Detects machine-like timing patterns (sub-500ms consistency)
- π£ Honeypot Integration: Invisible CSS traps, forbidden path monitoring
- π Path Analysis: Systematic enumeration scoring (40+ threshold detection)
- β‘ Real-time Behavioral Scoring: Sub-millisecond analysis with memory management
- πͺ Scanner-Specific Targeting: Tailored payloads based on detected tool type
Scamazon features a 27MB SQLite database with 150+ sophisticated payloads designed to exhaust scanner resources:
- JSON Bombs: Deeply nested structures (up to 50,000 levels)
- HTML Forests: Massive DOM trees with complex nesting
- SVG Hairballs: Vector graphics with thousands of elements
- CSS Loops: Stylesheets with recursive selectors
- XML Bombs: Exponential entity expansion attacks
- JS Chaos: Resource-intensive JavaScript execution
- Multipart Matryoshka: Nested form data structures
- Encoding Chains: Multi-layer encoding obfuscation
- JSON Nest Bomb: Deeply nested JSON structures
- Multipart Matryoshka: Nested multipart boundaries
- Encoding Wonderland: Multiple encoding layers (gzipβbase64βhex)
- SVG Hairball: SVG with thousands of path segments
- HTML DOM Forest: HTML with massive DOM trees
- Zip-in-Comment: Base64 zip files in HTML comments
- CSS Loop: CSS with thousands of rules
- Big Font Blob: Large fake font files
# Generate the golden payload set (~150 payloads)
cargo run --bin seed_golden_set
# Build and run the honeypot server
cargo run- Default Port:
127.0.0.1:9999(configurable) - Auto-Configuration:
Scamazon.tomlcreated on first run - Database:
payloads.db(27MB+) auto-seeded if empty
/robots.txt: Honeypot-embedded robots file/sitemap.xml: Trap-laden sitemap/.well-known/security.txt: Security disclosure with hidden traps
# Normal browsing (gets HTML with hidden honeypot traps)
curl http://localhost:9999/
# Robots.txt request (gets trap-embedded robots file)
curl http://localhost:9999/robots.txt
# Sitemap request (gets XML with honeypot URLs)
curl http://localhost:9999/sitemap.xml# Traditional scanner detection
curl -H "User-Agent: sqlmap/1.6.12" http://localhost:9999/
curl -H "User-Agent: Burp Suite Professional" http://localhost:9999/
curl -H "User-Agent: Nikto/2.1.6" http://localhost:9999/
# Injection pattern detection
curl "http://localhost:9999/?id=1' OR 1=1--"
curl "http://localhost:9999/?search=<script>alert(1)</script>"
curl "http://localhost:9999/?path=../../../etc/passwd"
# Honeypot trap triggers (instant detection)
curl http://localhost:9999/admin/secret
curl http://localhost:9999/backup/database.sql
curl http://localhost:9999/.env# Perfect browser spoofing (caught by behavioral analysis)
for i in {1..10}; do
curl -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" \
"http://localhost:9999/test$i" &
sleep 0.1 # Machine-like timing
done
# Path enumeration simulation (caught by systematic detection)
for path in admin wp-admin phpmyadmin config backup; do
curl "http://localhost:9999/$path"
done# Run comprehensive test suite
cargo test tests_behavioral -- --nocapture
# Performance benchmarks
cargo test test_behavioral_analysis_performance -- --nocapture# Run all k6 tests (requires k6 installed and server running)
cd k6-tests && ./run-all-tests.sh
# Individual test scenarios
k6 run scamazon-detection-tests.js # Multi-layer detection
k6 run performance-stress-test.js # Performance under load- π§βπ» Legitimate Users: Normal browsing with human-like timing patterns
- π€ Scanner Detection: Traditional tools (sqlmap, Burp, Nikto, w3af)
- π Advanced Evasion: Perfect UA spoofing with machine-like behavior
- π Behavioral Analysis: Path enumeration and timing pattern detection
- π― Honeypot Traps: Hidden links and trap path validation
- β‘ Performance Testing: Up to 200 concurrent users, latency validation
π― Detection Accuracy: 80%+ scanner detection rate
β‘ Performance: <100ms average detection time
π Throughput: 100+ requests/second capability
β
Reliability: <1% error rate under load
[server]
host = "127.0.0.1"
port = 9999
request_timeout_secs = 30
[detection]
fuzzy_threshold = 0.8
user_agents = ["sqlmap", "burp", "nikto", "w3af", "nuclei"]
headers = ["x-scanner", "x-forwarded-for"]
params = ["' OR ", "UNION SELECT", "<script>", "${jndi:"]
[payloads]
max_size_mb = 50
stream_chunk_size = 8192
compression_enabled = true- Auto-seeding: Empty database triggers large golden set generation
- Compression: LZ4 compression for payload storage efficiency
- Analytics: Request tracking and payload effectiveness metrics
- Memory Management: Automatic cleanup of old behavioral data
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β Axum Server βββββΆβ Detection Engine βββββΆβ Payload Arsenal β
β (Port 9999) β β (Multi-Layer) β β (400+ Items) β
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β β β
βΌ βΌ βΌ
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β Behavioral β β Honeypot Traps β β SQLite Database β
β Tracker β β (Hidden Links) β β (27MB+ Payloads)β
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
- Request Analysis: Extract IP, UA, headers, path, timing
- Honeypot Check: Instant detection for trap paths
- Behavioral Tracking: Update timing and path patterns
- Multi-Layer Classification: Traditional + behavioral analysis
- Response Generation: Legitimate page or targeted payload
- Detection Latency: Sub-millisecond (75Β΅s average)
- Memory Usage: Efficient with automatic cleanup
- Throughput: 1000+ requests/second analysis capability
- Storage: Compressed payloads with smart caching
- Synthetic & Inert: No real exploits or vulnerabilities
- Same-Origin: No external requests or data exfiltration
- Resource-Conscious: Streaming with configurable limits
- Safe for Legitimate Users: Hidden traps invisible to normal browsing
- No Personal Data: Only behavioral patterns tracked
- Legitimate User Protection: Invisible honeypot integration
- Configurable Limits: Prevent resource exhaustion
- Audit Trail: Comprehensive logging for analysis
- 12 Behavioral Tests: All detection layers validated
- Evasion Resistance: Multi-layer defense proven effective
- Performance Benchmarks: Sub-second analysis at scale
- Integration Tests: End-to-end system validation
- Machine Timing: 200ms consistency patterns caught
- Path Enumeration: Systematic scanning scored (40+ threshold)
- Honeypot Traps: Instant detection on hidden link access
- Perfect Evasion: Requires sophisticated human-like behavior
- β 12/12 Behavioral Tests Passed: All detection layers validated
- β Multi-Layer Defense Proven: Even sophisticated evasion caught
- β Sub-Millisecond Analysis: ~82Β΅s average detection time (measured)
- β Scalable Performance: 1000+ requests/second tracking capability
Traditional Scanners (sqlmap, Burp, Nikto): Detected via UA patterns
Advanced Evasion (UA spoofing): Caught by behavioral timing analysis
Perfect Browser Simulation: Caught by timing/path pattern analysis
Sophisticated Multi-Vector: Caught by honeypot trap detection
- Rust: 1.70+ (stable toolchain)
- Memory: 256MB+ (with 27MB database)
- Storage: 100MB+ (including payloads and logs)
- Network: HTTP/HTTPS capable
# 1. Clone and build
git clone <repository>
cd scamazon
# 2. Generate payload database
cargo run --bin seed_golden_set
# 3. Configure for production
cp Scamazon.toml.example Scamazon.toml
# Edit configuration as needed
# 4. Run with production settings
RUST_LOG=info cargo run --release- Structured Logs: JSON format with tracing integration
- Behavioral Metrics: Request patterns and detection statistics
- Payload Analytics: Effectiveness tracking per scanner type
- Performance Monitoring: Response times and resource usage
src/
βββ main.rs # Server entry point & request handling
βββ detect.rs # Multi-layer detection engine
βββ behavioral.rs # Request cadence & path analysis
βββ honeypots.rs # Hidden traps & response generation
βββ payloads.rs # Payload selection & streaming
βββ payload_db.rs # SQLite database management
βββ payload_seeder.rs # Golden set generation (~150 payloads)
βββ state.rs # Application state management
βββ config.rs # TOML configuration handling
βββ tests.rs # Core functionality tests
βββ tests_behavioral.rs # Advanced detection validation
- axum + tokio: Modern async web framework
- sqlx: Type-safe SQLite database operations
- tower-http: HTTP middleware and utilities
- tracing: Structured logging and observability
- regex + aho-corasick: Fast pattern matching
- lz4: Payload compression
- rand: Secure random generation
- Fork the repository
- Create feature branch (
git checkout -b feature/amazing-detection) - Add tests for new detection methods
- Run test suite (
cargo test) - Submit pull request with detailed description
This project is licensed under the MIT License - see the LICENSE file for details.
A sophisticated, multi-layered honeypot that turns the tables on security scanners with behavioral analysis, honeypot traps, and a massive arsenal of resource-intensive payloads.
Built with Rust π¦ | Powered by Behavioral Analysis π§ | Proven by Rigorous Testing π¬