docs/scoring.md
# Scoring and Blocking Rules
The honeypot system employs a dynamic scoring mechanism to identify, tag, and automatically block malicious actors. This document outlines the scoring rules for individual IP addresses and coordinated botnet activity.
## Overview
Scores are calculated based on events recorded within a sliding window (default: 3 hours). When an IP address or a subnet exceeds the scoring threshold, it is automatically added to the system's blocklist.
- Blocking Threshold: 300 points
- Evaluation Interval: Last 3 hours
- Default Action: Automatic inclusion in the dynamic blocklist (exported for OPNsense/firewall ingestion).
## Global Scoring Rules
These rules apply across all honeypot types:
| Event Type | Points | Tag | Description |
|---|---|---|---|
| Authentication Attempt | 100 per attempt | auth_attempt | Triggered by login attempts on SSH, Telnet, RDP, FTP, SMTP, etc. |
## Block Duration
The duration of a block is progressive: Block Duration = 1 hour × N, where N is the number of times the address has been previously blocked.
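The following is an added example (not the honeypot project's own code) that ties the Overview and Block Duration rules together: it sums an address's points over the 3-hour sliding window, compares the total with the 300-point threshold, and computes the progressive block length. Two points are assumptions: reaching 300 is treated as exceeding the threshold (the page says "exceeds"), and N is taken as the ordinal of the current block (1 for a first block), because a literal "previously blocked" count would give a first block of zero length. The event log is constructed.

```python
from datetime import datetime, timedelta

BLOCK_THRESHOLD = 300            # points
WINDOW = timedelta(hours=3)      # sliding evaluation interval
BASE_BLOCK = timedelta(hours=1)  # unit of the progressive block duration

# Constructed event log: (timestamp, source IP, points, tag). Not real honeypot data.
EVENTS = [
    (datetime(2024, 1, 1, 6, 0),   "203.0.113.7",  100, "auth_attempt"),  # older than 3h at NOW
    (datetime(2024, 1, 1, 10, 0),  "203.0.113.7",  100, "auth_attempt"),
    (datetime(2024, 1, 1, 10, 5),  "203.0.113.7",  100, "auth_attempt"),
    (datetime(2024, 1, 1, 12, 50), "203.0.113.7",  100, "auth_attempt"),
    (datetime(2024, 1, 1, 12, 0),  "198.51.100.9", 100, "auth_attempt"),
]
NOW = datetime(2024, 1, 1, 13, 0)  # constructed evaluation time


def window_events(events, ip, now, window=WINDOW):
    """Events for `ip` whose timestamp lies in [now - window, now]."""
    start = now - window
    return [e for e in events if e[1] == ip and start <= e[0] <= now]


def score(events, ip, now, window=WINDOW):
    """Sum of points inside the sliding window."""
    return sum(e[2] for e in window_events(events, ip, now, window))


def tags(events, ip, now, window=WINDOW):
    """Distinct behavioral tags seen inside the sliding window."""
    return sorted({e[3] for e in window_events(events, ip, now, window)})


def block_duration(block_number):
    """Progressive duration: 1 hour x N. Assumption: N is the ordinal of this
    block (1 for the first one), not the count of strictly earlier blocks."""
    return BASE_BLOCK * block_number


def evaluate(events, ip, now, previous_blocks=0):
    """Decision record for one address. Assumption: score >= 300 triggers a block."""
    s = score(events, ip, now)
    blocked = s >= BLOCK_THRESHOLD
    hours = block_duration(previous_blocks + 1).total_seconds() / 3600 if blocked else 0
    return {"ip": ip, "score": s, "tags": tags(events, ip, now),
            "blocked": blocked, "block_hours": hours}


def blocklist(events, now, history=None):
    """Evaluate every address seen; `history` maps ip -> number of earlier blocks."""
    history = history or {}
    return [evaluate(events, ip, now, history.get(ip, 0))
            for ip in sorted({e[1] for e in events})]


if __name__ == "__main__":
    # 203.0.113.7 has been blocked twice before, so its third block lasts 3 hours.
    for record in blocklist(EVENTS, NOW, {"203.0.113.7": 2}):
        print(record)
```

The 06:00 event for 203.0.113.7 falls outside the window and does not count; the three events from 10:00 onward reach 300 and the address is blocked, while 198.51.100.9 stays at 100.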
## Honeypot-Specific Rules
### 1. Packet Logger (Network Traffic Analysis)
The packet logger analyzes raw network traffic (SYN packets, UDP, ICMP) to detect scanning and high-volume attacks.
| Activity | Condition | Score | Tag |
|---|---|---|---|
| Port Scanning | > 10 packets (TCP/UDP) on > 5 unique ports in 12 hours | 50 × [Unique Port Count] | port_scan |
| Ping Scanning | > 8 ICMP packets within 60 seconds | 50 × [Packets in Window] | ping_scan |
| High Traffic | > 200 events in interval | 1 × [Packet Count] | high_traffic |
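As an added example (not the project's packet logger), the three rules above applied to a constructed packet list. Port scanning is evaluated over a 12-hour window, high traffic over the global 3-hour interval, and the ping rule is interpreted here as "more than 8 ICMP packets inside any 60-second window", scored on the densest window; that sliding interpretation and the tuple record format are assumptions.

```python
PORT_SCAN_WINDOW = 12 * 3600   # seconds
PING_WINDOW = 60               # seconds
TRAFFIC_WINDOW = 3 * 3600      # the global 3-hour evaluation interval
NOW = 100_000                  # constructed reference time, in seconds

# Constructed packet records: (timestamp_seconds, src_ip, protocol, dst_port). Not real traffic.
PACKETS = (
    # 12 TCP packets on 8 distinct ports: meets "> 10 packets" and "> 5 unique ports"
    [(NOW - 600 + i, "203.0.113.50", "TCP", p)
     for i, p in enumerate([21, 22, 23, 25, 80, 443, 3389, 8080, 21, 22, 23, 25])]
    # 10 ICMP packets inside 45 seconds: meets "> 8 within 60 seconds"
    + [(NOW - 300 + 5 * i, "198.51.100.20", "ICMP", 0) for i in range(10)]
    # 250 UDP packets to a single port: volume only, not a port scan
    + [(NOW - 1000 + 2 * i, "192.0.2.99", "UDP", 53) for i in range(250)]
    # one ordinary connection
    + [(NOW - 100, "192.0.2.8", "TCP", 80)]
)


def port_scan(packets, ip, now):
    """> 10 TCP/UDP packets on > 5 unique ports within 12 hours -> 50 x unique ports."""
    start = now - PORT_SCAN_WINDOW
    ports, count = set(), 0
    for ts, src, proto, port in packets:
        if src == ip and proto in ("TCP", "UDP") and start <= ts <= now:
            count += 1
            ports.add(port)
    if count > 10 and len(ports) > 5:
        return 50 * len(ports), "port_scan"
    return 0, None


def ping_scan(packets, ip):
    """> 8 ICMP packets in any 60-second window -> 50 x packets in the densest window."""
    times = sorted(ts for ts, src, proto, _ in packets if src == ip and proto == "ICMP")
    best = lo = 0
    for hi in range(len(times)):          # two-pointer sweep over sorted timestamps
        while times[hi] - times[lo] > PING_WINDOW:
            lo += 1
        best = max(best, hi - lo + 1)
    if best > 8:
        return 50 * best, "ping_scan"
    return 0, None


def high_traffic(packets, ip, now):
    """> 200 events in the evaluation interval -> 1 x packet count."""
    start = now - TRAFFIC_WINDOW
    n = sum(1 for ts, src, _, _ in packets if src == ip and start <= ts <= now)
    if n > 200:
        return n, "high_traffic"
    return 0, None


def evaluate(packets, ip, now=NOW):
    """Apply all three packet-logger rules; returns (total_score, [tags])."""
    results = [port_scan(packets, ip, now), ping_scan(packets, ip), high_traffic(packets, ip, now)]
    return sum(s for s, _ in results), [t for _, t in results if t]


if __name__ == "__main__":
    for ip in ("203.0.113.50", "198.51.100.20", "192.0.2.99", "192.0.2.8"):
        print(ip, evaluate(PACKETS, ip))
```

Note that the 250-packet source hits only the high-traffic rule: it exceeds 10 packets but touches a single port, so the port-scan condition is not met.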
### 2. Botnet Detection (Subnet Scoring)
The system automatically identifies coordinated attacks from the same network neighborhood. It evaluates subnets at various levels (/18, /20, /22, /24).
- Trigger Condition:
  - Subnet contains ≥ 5 distinct IP addresses.
  - Product of [Total Packets] × [Total Ports] across the subnet is > 50.
- Score: [Packet Count] × [Port Count]
- Specificity: Only the most specific (smallest) subnet that meets the criteria is scored to avoid double-counting.
- Tag: botnet
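An added example (not the project's detector) of the subnet scoring rule: packets are grouped at /24, /22, /20 and /18, the most specific level is evaluated first, and any wider subnet that already contains a scored subnet is skipped. Two assumptions are made: "Total Ports" is the number of distinct destination ports seen across the subnet, and the per-packet (source IP, destination port) record format is constructed for the example.

```python
import ipaddress
from collections import defaultdict

MIN_HOSTS = 5
MIN_PRODUCT = 50
PREFIXES = (24, 22, 20, 18)   # most specific first

# Constructed packet records: (src_ip, dst_port). Not real traffic.
PACKETS = [
    ("203.0.113.1", 22), ("203.0.113.1", 23),
    ("203.0.113.2", 22), ("203.0.113.2", 80),
    ("203.0.113.3", 443), ("203.0.113.3", 22),
    ("203.0.113.4", 3389),
    ("203.0.113.9", 8080), ("203.0.113.9", 22), ("203.0.113.9", 25),
    ("203.0.112.7", 22),        # same /22 as above, different /24
    ("198.51.100.5", 22), ("198.51.100.6", 22),   # only two hosts: never qualifies
]


def subnet_stats(packets, prefix):
    """Group packets by the /prefix network of their source and collect
    distinct IPs, packet count and distinct destination ports per subnet."""
    stats = defaultdict(lambda: {"ips": set(), "packets": 0, "ports": set()})
    for ip, port in packets:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        entry = stats[net]
        entry["ips"].add(ip)
        entry["packets"] += 1
        entry["ports"].add(port)
    return stats


def score_botnets(packets):
    """Return {subnet: score} for every subnet meeting the trigger condition,
    scoring only the most specific qualifying subnet (assumption: a wider
    subnet is skipped once any subnet inside it has been scored)."""
    scored = {}
    for prefix in PREFIXES:
        for net, s in subnet_stats(packets, prefix).items():
            if any(sub.subnet_of(net) for sub in scored):
                continue
            product = s["packets"] * len(s["ports"])
            if len(s["ips"]) >= MIN_HOSTS and product > MIN_PRODUCT:
                scored[net] = product
    return {str(net): score for net, score in scored.items()}


if __name__ == "__main__":
    for net, score in score_botnets(PACKETS).items():
        print(f"{net}: {score} points, tag=botnet")
```

203.0.113.0/24 has five distinct hosts, 10 packets and 7 distinct ports (70 > 50) and is scored; the enclosing /22, /20 and /18 would also qualify but are skipped because the /24 inside them has already been scored.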
### 3. HTTP Honeypot
| Activity | Condition | Score | Tag |
|---|---|---|---|
| Credential Probing | Authorization header present (Bearer/Basic) | 100 per request | auth_attempt |
| Exploitation Attempt | Body/Form data contains wget or curl | 200 per request | malware |
(Note: Exploitation attempts result in an immediate block due to the 300-point threshold.)
### 4. SIP (VoIP) Honeypot
| Activity | Condition | Score | Tag |
|---|---|---|---|
| SIP Interaction | Any valid SIP request (INVITE, REGISTER, etc.) | 100 per request | auth_attempt |
### 5. SMTP (Email) Honeypot
| Activity | Condition | Score | Tag |
|---|---|---|---|
| Relay/Spam Attempt | Request with a non-null "RCPT TO" field | 100 per recipient | auth_attempt |
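An added example (not the project's honeypot code) covering the HTTP, SIP and SMTP rules from sections 3 to 5: each scorer returns the (points, tag) hits for one request or session, and a common summary applies the 300-point threshold. Assumptions: the request and session representations are constructed, the set of recognised SIP methods is illustrative, a "non-null" RCPT TO is one whose address is not empty after stripping angle brackets, and blocking is decided on the accumulated score (so a single 200-point exploitation request shows as below the threshold here; the HTTP section's note describes it as an immediate block).

```python
import re

THRESHOLD = 300
FETCH_TOOL = re.compile(r"\b(wget|curl)\b", re.IGNORECASE)
# Illustrative set of SIP request methods; not taken from the project.
SIP_METHODS = {"INVITE", "REGISTER", "OPTIONS", "ACK", "BYE", "CANCEL", "SUBSCRIBE", "NOTIFY"}


def score_http(request):
    """HTTP rules: Authorization header (Bearer/Basic) -> 100 auth_attempt;
    wget/curl in the body -> 200 malware. `request` is {'headers': {...}, 'body': str}."""
    hits = []
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    if headers.get("authorization", "").startswith(("Bearer ", "Basic ")):
        hits.append((100, "auth_attempt"))
    if FETCH_TOOL.search(request.get("body", "")):
        hits.append((200, "malware"))
    return hits


def score_sip(request_line):
    """SIP rule: any request with a known SIP method -> 100 auth_attempt."""
    method = request_line.split(" ", 1)[0].upper()
    return [(100, "auth_attempt")] if method in SIP_METHODS else []


def score_smtp(session_lines):
    """SMTP rule: 100 auth_attempt per non-null RCPT TO recipient."""
    hits = []
    for line in session_lines:
        verb, _, rest = line.partition(":")
        if verb.strip().upper() == "RCPT TO" and rest.strip().strip("<>").strip():
            hits.append((100, "auth_attempt"))
    return hits


def summarize(hits):
    """Total the points, collect tags and apply the threshold
    (assumption: reaching 300 counts as exceeding it)."""
    total = sum(p for p, _ in hits)
    return {"score": total, "tags": sorted({t for _, t in hits}), "blocked": total >= THRESHOLD}


# Constructed samples, not captured traffic.
HTTP_PROBE = {"headers": {"Authorization": "Basic dXNlcjpwYXNz"}, "body": ""}
HTTP_EXPLOIT = {"headers": {}, "body": "cmd=curl http://198.51.100.1/x"}
SIP_REGISTER = "REGISTER sip:pbx.example.net SIP/2.0"
SMTP_RELAY = [
    "EHLO relay-test",
    "MAIL FROM:<sender@example.org>",
    "RCPT TO:<one@example.net>",
    "RCPT TO:<two@example.net>",
    "RCPT TO:<three@example.net>",
    "RCPT TO:<>",              # null recipient: not counted
    "DATA",
]

if __name__ == "__main__":
    print("http probe  ", summarize(score_http(HTTP_PROBE)))
    print("http exploit", summarize(score_http(HTTP_EXPLOIT)))
    print("sip register", summarize(score_sip(SIP_REGISTER)))
    print("smtp relay  ", summarize(score_smtp(SMTP_RELAY)))
```

The SMTP sample shows why the rule is "per recipient": three valid RCPT TO commands in one session already reach 300 points, so a relay probe that fans out to several recipients is blocked on its first session.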
### 6. RDP Honeypot
| Activity | Condition | Score | Tag |
|---|---|---|---|
| RDP Interaction | Any valid RDP request (INVITE, REGISTER, etc.) | 100 per request | auth_attempt |
## Behavioral Tags
Actors are assigned one or more tags based on their behavior:
- auth_attempt: Brute-force or credential probing.
- port_scan: Broad vertical or horizontal scanning.
- ping_scan: Host discovery via ICMP.
- high_traffic: Denial of service or heavy automated probing.
- botnet: Coordinated attack from a shared network infrastructure.
- malware: Attempts to deliver or execute malicious payloads.
- info_stealing: Probing for sensitive configuration files or credentials.