Glutton is a modular, high-performance network honeypot designed to provide comprehensive visibility into malicious traffic across diverse infrastructure environments. In the contemporary threat landscape, security teams frequently encounter a visibility gap where traditional Intrusion Detection Systems (IDS) achieve high false-positive rates but fail to capture the full payload of novel exploits. The Glutton Network Honeypot addresses this by acting as a versatile proxy capable of handling any protocol. It is particularly effective in environments such as critical energy infrastructure, water treatment facilities, and complex cloud ecosystems where specialized industrial control systems or proprietary protocols are targeted. By intercepting connections at the transport layer, Glutton allows architects to record, analyze, and neutralize threats before they penetrate deeper into the internal network. This solution mitigates high latency issues associated with high-interaction honeypots while maintaining superior throughput and data fidelity. It transforms the infrastructure from a passive target into an active sensor capable of detecting lateral movement and zero-day propagation.
Technical Specifications
| Requirement | Default Port/Range | Protocol/Standard | Impact Level (1-10) | Recommended Resources |
| :— | :— | :— | :— | :— |
| OS Kernel | Linux 4.x+ | POSIX / IEEE | 9 | Kernel 5.15 LTS |
| Development Tooling | N/A | Go 1.18+ | 7 | 4 vCPU / 8GB RAM |
| Packet Capture | All User-Defined | libpcap | 8 | NIC with RX Offloading |
| Interface | ETH0 / ETH1 | Ethernet / IP | 6 | Minimum 1Gbps NIC |
| Database Engine | 5432 (Internal) | PostgreSQL / JSON | 5 | NVMe Storage Hook |
The Configuration Protocol
Environment Prerequisites:
Successful deployment requires a Linux environment with a kernel supporting advanced packet filtering. Necessary software dependencies include the golang compiler, the libpcap-dev header files for raw packet manipulation, and the git version control system. The technician must possess sudo or root level permissions to modify network interfaces and manage system-level background processes. Additionally, firewall management tools such as iptables or nftables must be present to redirect incoming traffic into the Glutton listener.
Section A: Implementation Logic:
The engineering philosophy behind Glutton centers on the concept of interception-based proxying. Unlike basic honeypots that only listen on specific ports, Glutton utilizes the netfilter framework to capture incoming packets at the kernel level. This design is idempotent; repeated incoming connection attempts result in the same predictable capture state without polluting the host OS. When a packet enters the host, the kernel identifies the target port through iptables rules and diverts the flow to the Glutton binary. Glutton then utilizes its internal handler logic to determine if the connection matches a known protocol profile, such as SSH, HTTP, or SMB. If no specific handler exists, the system defaults to a generic TCP/UDP logger to preserve the payload for manual forensic audit. This minimizes overhead and prevents the honeypot from becoming a bottleneck during high-volume scanning events.
Step-By-Step Execution
1. Install System Dependencies
Execute the command sudo apt-get update && sudo apt-get install -y build-essential libpcap-dev golang git iptables.
System Note: This command ensures the underlying kernel headers and development libraries are synchronized with the compiler. Failure to install libpcap-dev will result in a linker error during the Go build process, as the pcap.h files are required for low-level packet interpretation.
2. Configure Go Workspace Environment
Run export GOPATH=$HOME/go followed by export PATH=$PATH:$GOPATH/bin.
System Note: This updates the shell environment variables, allowing the go binary to locate successfully compiled modules. It ensures that the Glutton source code and its third-party dependencies are housed in a partitioned directory, preventing library entanglement with system-level binaries.
3. Clone and Build Glutton Source
Enter git clone https://github.com/mushorg/glutton.git then navigate to the directory and run make build.
System Note: The make utility invokes the Go compiler to transform the source code into an executable binary. During this phase, the compiler performs static analysis to ensure memory safety and concurrency handling. The resulting artifact is a standalone binary that interfaces directly with the system’s network stack.
4. Direct Traffic Using Netfilter
Execute sudo iptables -t nat -A PREROUTING -p tcp –dport 1:65535 -j REDIRECT –to-ports 5000.
System Note: This command modifies the kernel’s Network Address Translation (NAT) table. It instructs the netfilter module to intercept all incoming TCP traffic on any port and redirect it to the Glutton local listener at port 5000. This makes the honeypot appear to host every possible service on the machine, increasing the probability of interaction.
5. Finalize Configuration and Execute
Modify /etc/glutton/config.json to define the logging level and then run sudo ./glutton -interface eth0 -config config.json.
System Note: The application starts by initializing its internal handlers and binding to the specified network interface. Using systemctl to wrap this execution into a persistent service is recommended. This ensures that the process survives a system reboot and maintains high availability for continuous data collection.
Section B: Dependency Fault-Lines:
Software implementation rarely proceeds without friction. A common installation failure occurs when the version of libpcap on the host is outdated, leading to undefined reference errors during compilation. Always verify versioning with ldconfig -p | grep libpcap. Another mechanical bottleneck involves port conflicts. If another service, such as sshd or nginx, is bound to a specific port, the iptables redirection may fail or result in inconsistent packet-loss. To resolve this, ensure all native services are moved to high-range management ports or disabled entirely before the honeypot enters its operational phase.
THE TROUBLESHOOTING MATRIX
Section C: Logs & Debugging:
The primary source of truth for Glutton resides in its log output, typically found in a designated glutton.log file or accessible via journalctl -u glutton.
1. Connection Refused Errors: This string often indicates that the Glutton binary is not listening on the port designated in the iptables rule. Use netstat -tulnp | grep glutton to verify the listener status.
2. Permission Denied (Socket): This fault code occurs when the binary is executed without high-level privileges. Glutton requires raw socket access to bridge the gap between user-space and kernel-space; execute the binary with sudo or use setcap to grant CAP_NET_RAW capabilities.
3. High Latency in Payload Logging: If the logs show significant delays between packet arrival and metadata storage, inspect the disk I/O wait times. A slow storage back-end can cause the internal buffer to overflow, leading to signal-attenuation in the data stream.
4. Library Mismatch: If the system returns an error regarding GLIBC versions, the binary must be recompiled on the target host to ensure compatibility with the existing system libraries.
OPTIMIZATION & HARDENING
Performance Tuning:
To handle high concurrency and massive throughput, the architect should tune the Go runtime environment. Setting the GOGC variable to a higher value can reduce the frequency of garbage collection cycles, thereby improving response times during intense scanning bursts. Additionally, adjusting the system ulimit -n to a value like 65535 is essential; this allows the Linux kernel to handle a vast number of simultaneous open file descriptors, which equate to active network connections.
Security Hardening:
While a honeypot is designed to be attacked, the host operating system must remain resilient. Use cgroups to limit the CPU and memory consumption of the Glutton process to prevent a Denial of Service (DoS) attack from crashing the entire sensor node. Implement firejail or similar sandboxing technologies to encapsulate the Glutton process. This ensures that even if a specialized payload exploits a vulnerability in a Glutton handler, the attacker cannot escape the jail to gain persistent access to the underlying hardware or management network.
Scaling Logic:
In enterprise-scale deployments, maintaining a single honeypot is insufficient. Architects should employ a centralized logging strategy using a centralized ELK (Elasticsearch, Logstash, Kibana) or Splunk cluster. By configuring Glutton to export logs in JSON format via a secure TLS connection, security teams can aggregate data from hundreds of sensors globally. This setup allows for the correlation of attack patterns across different geographical zones, identifying large-scale coordinated campaigns versus isolated automated bot activity.
THE ADMIN DESK
How do I verify that traffic is actually reaching Glutton?
Use the command tcpdump -i eth0 port 5000 while simulating a connection from an external machine. If you see packets arriving at the interface but the logs remain empty, verify your iptables nat rules and check the PREROUTING chain.
Can Glutton handle encrypted protocols like SSL/TLS?
Yes; Glutton includes handlers that can terminate TLS connections if the appropriate certificates are provided in the config.json. This allows you to inspect the decrypted payload for malicious commands that would otherwise be hidden from network-based scanners.
What happens to the system if Glutton crashes?
If the process fails, the iptables rules will still be active, but there will be no application to receive the redirected traffic. This will result in an “icmp-port-unreachable” response to the attacker. Use a systemd restart policy to ensure auto-recovery.
How can I minimize the thermal-inertia of the hardware during high loads?
Ensure the server has adequate active cooling and monitor the CPU temperature using sensors. High network processing loads can significantly increase package heat. If temperatures exceed 75 degrees Celsius, consider offloading logging writes to a dedicated remote database.
Is it possible to exclude my management IP from being trapped?
Absolutely. Before the broad REDIRECT rule in iptables, insert an exception: iptables -t nat -I PREROUTING -s [YOUR_IP] -j ACCEPT. This ensures your administrative sessions bypass the honeypot logic entirely, preventing an accidental lockout from the management console.
