Xenonas/Raven
# ICS Honeypot Monitoring Dashboard
A full-stack lab dashboard for monitoring an ICS honeypot, parsing Conpot activity, importing Suricata EVE alerts, managing local IDS rules, and triaging alerts from a browser UI.
The project is intentionally built as an operator-style tool rather than a static report: it can poll Docker logs, generate controlled lab traffic, reload the Suricata sensor, add/remove local rules, and investigate alerts with raw EVE context.
## Demo

## What It Does
- Parses Conpot and synthetic honeypot logs into structured events.
- Recognizes common OT protocols including HTTP, Modbus, S7comm, DNP3, ICCP/TASE.2, and SNMP.
- Maps events to services, severity, risk score, and MITRE ATT&CK for ICS-style categories.
- Imports Suricata `eve.json` alerts into Django models with stable de-duplication.
- Provides alert triage: status, notes, related alerts, raw EVE JSON, and HTTP flow details.
- Lets admins add/remove local Suricata rules from the UI.
- Controls the Suricata Docker sensor: status check, restart, rule reload, and test alert generation.
- Includes a lab-safe attacker simulator for HTTP, Modbus, DNP3, and ICCP-style localhost probes.
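As an added illustration of the alert-import path described above (example code, not the project's own), this sketch reads Suricata EVE lines, keeps only `alert` records, derives a stable de-duplication key so a re-read of `eve.json` does not create duplicate rows, and labels the OT service from `app_proto` with a port fallback; the port map and sample lines are constructed for the example.

```python
import hashlib
import json

# Fallback port-to-service map used when Suricata gives no app_proto (constructed for this example).
# Port 102 (ISO-TSAP) carries both S7comm and ICCP/TASE.2, so it cannot be split by port alone.
PORT_SERVICES = {80: "http", 102: "s7comm/iccp", 161: "snmp", 502: "modbus", 20000: "dnp3"}

def classify_service(event):
    """Prefer Suricata's own app_proto; fall back to the destination port."""
    app_proto = event.get("app_proto")
    if app_proto and app_proto != "failed":
        return app_proto
    return PORT_SERVICES.get(event.get("dest_port"), "unknown")

def alert_key(event):
    """Stable identity for one alert, so re-reading eve.json never duplicates it."""
    alert = event["alert"]
    parts = [event["timestamp"], str(event.get("flow_id", "")), str(alert["signature_id"]),
             str(alert.get("rev", "")), event["src_ip"], str(event.get("src_port", "")),
             event["dest_ip"], str(event.get("dest_port", ""))]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

def import_eve(lines, existing_keys=()):
    """Parse EVE JSON lines and return only alerts whose key is not already known."""
    seen, imported = set(existing_keys), []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # half-written tail line of a live log: skip it, do not abort the import
        if event.get("event_type") != "alert":
            continue  # flow/stats/http records are context, not triage items
        key = alert_key(event)
        if key in seen:
            continue
        seen.add(key)
        imported.append({"key": key, "service": classify_service(event),
                         "signature": event["alert"]["signature"],
                         "severity": event["alert"]["severity"], "src_ip": event["src_ip"]})
    return imported

# Constructed sample lines: a Modbus alert, a flow record, the same alert repeated, an alert on port 102 with no app_proto, a truncated line.
SAMPLE_EVE = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","src_port":40000,"dest_ip":"172.17.0.2","dest_port":502,"proto":"TCP","app_proto":"modbus","alert":{"signature_id":1000001,"rev":1,"signature":"LAB Modbus write to PLC","severity":2}}',
    '{"timestamp":"2024-01-01T10:00:00.100000+0000","flow_id":1,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"172.17.0.2","dest_port":502}',
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","src_port":40000,"dest_ip":"172.17.0.2","dest_port":502,"proto":"TCP","app_proto":"modbus","alert":{"signature_id":1000001,"rev":1,"signature":"LAB Modbus write to PLC","severity":2}}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":2,"event_type":"alert","src_ip":"10.0.0.5","src_port":40001,"dest_ip":"172.17.0.2","dest_port":102,"proto":"TCP","alert":{"signature_id":1000002,"rev":1,"signature":"LAB ISO-TSAP connect","severity":3}}',
    '{"timestamp":"2024-01-01T10:00:02',
]
```

Calling `import_eve(SAMPLE_EVE)` yields two records (Modbus and the port-102 alert); passing their keys back as `existing_keys` on a second run yields none.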
## Architecture
```
React + Vite UI
      |
      v
Django API + SQLite
      |
      +--> OT protocol-aware log parser
      +--> Suricata EVE parser
      +--> Docker / sensor controls
      |
      v
Dockerized Conpot + Dockerized Suricata
```
The backend is Django because the project benefits from a real ORM, admin-friendly authentication, migrations, and explicit API endpoints. The frontend is React/Vite because the dashboard has multiple interactive states: filters, pagination, collapsible panels, alert triage, and a side investigation drawer.
## Main Features
- Monitor dashboard with service, severity, source IP, MITRE, and time-window filters.
- OT protocol compatibility for Modbus, S7comm, DNP3, ICCP/TASE.2, SNMP, and HTTP evidence.
- Collapsible dashboard sections for a cleaner operational screen.
- Suricata alert table with pagination and time filters.
- Alert investigation drawer with triage notes, related alerts, HTTP fields, and raw EVE.
- Local Suricata rule builder and remover.
- Sensor controls for Dockerized Suricata.
- CTI enrichment hooks for public source IPs through VirusTotal and AbuseIPDB clients.
## Protocol Scope
Conpot provides the live honeypot surface for the lab. The dashboard adds protocol-aware parsing, filtering, synthetic event generation, simulator probes, and Suricata target labeling for DNP3 and ICCP/TASE.2. Full DNP3 or ICCP server emulation would require adding dedicated honeypot services, but the data model and UI are ready to classify and triage those protocols.
## Run Locally
Install Python and frontend dependencies:

```bash
python3 -m venv venv
venv/bin/pip install -r requirements.txt
cd frontend
npm install
```

Create a local `.env` file. Do not commit real API keys.

```
VITE_API_BASE_URL="http://127.0.0.1:8001"
SURICATA_EVE_PATH="/absolute/path/to/ICS Honeypot/suricata/logs/eve.json"
SURICATA_INTERFACE="docker0"
VT_API_KEY=""
ABUSE_API_KEY=""
```

Start the backend:

```bash
cd backend
../venv/bin/python manage.py migrate
../venv/bin/python manage.py runserver 127.0.0.1:8001
```

Start the frontend:

```bash
cd frontend
npm run dev
```

Start Suricata:

```bash
docker compose -f docker-compose.suricata.yml up --build -d suricata
```

Optional: run Conpot through the compose profile if you do not already have a Conpot container publishing the lab ports.

```bash
docker compose --profile conpot -f docker-compose.suricata.yml up --build -d
```
## Notes
- This is a local lab tool. The attacker simulator intentionally restricts targets to localhost/private lab use.
- The included Suricata rules use a local SID range to avoid collisions.
- The project uses SQLite for development simplicity; the model boundaries are explicit enough to move to PostgreSQL if needed.
- See `backend/README.md`, `frontend/README.md`, and `suricata/README.md` for component-specific details.