Support for Llama3 / Ollama supported LLMs

[t3chn0m4g3]

Is your feature request related to a problem? Please describe.
Using OpenAI API can involve unforeseen costs.

Describe the solution you'd like
Adding support for Llama3 / Ollama supported LLMs could allow for streamlining invests and for larger installations.

[mariocandela]

Hi @t3chn0m4g3,

Nice to meet you!

Thanks for your contribution, I will take charge of this new feature in the following days :)

Cheers

Mario

[t3chn0m4g3]

@mariocandela Likewise, this is great news! Looking forward to it!

[mariocandela]

Hi @t3chn0m4g3,

Download the latest version and take a look here: https://github.com/mariocandela/beelzebub?tab=readme-ov-file#honeypot-llm-honeypots

Happy hacking ❤️

Cheers

Mario

[t3chn0m4g3]

@mariocandela Closing this is fine, thank you very much for taking this on with warp speed 🤩🚀

I can now start testing, if everything works out I will be happy to integrate this into T-Pot.

Thanks again ❤️

[t3chn0m4g3]

Getting started 👋

[mariocandela]

@t3chn0m4g3 if I can help you in any way, write to me I am happy to help you 😊

[t3chn0m4g3]

@mariocandela Thank you, highly appreciated 😍

[t3chn0m4g3]

Lab is set up, now getting to work :)

[t3chn0m4g3]

@mariocandela - In plugins/llm-integration.go I can see the ollamaEndpoint as a const ...

beelzebub/plugins/llm-integration.go

Lines 13 to 18 in 628e20e

	const (
	systemPromptVirtualizeLinuxTerminal = "You will act as an Ubuntu Linux terminal. The user will type commands, and you are to reply with what the terminal should show. Your responses must be contained within a single code block. Do not provide explanations or type commands unless explicitly instructed by the user. Your entire response/output is going to consist of a simple text with \n for new line, and you will NOT wrap it within string md markers"
	systemPromptVirtualizeHTTPServer = "You will act as an unsecure HTTP Server with multiple vulnerability like aws and git credentials stored into root http directory. The user will send HTTP requests, and you are to reply with what the server should show. Do not provide explanations or type commands unless explicitly instructed by the user."
	LLMPluginName = "LLMHoneypot"
	openAIGPTEndpoint = "https://api.openai.com/v1/chat/completions"
	ollamaEndpoint = "http://localhost:11434/api/chat"

... is there any option in the config or the cli to overwrite the endpoint with a different host (assuming that ollama will probably not reside on the honeypot)?

[t3chn0m4g3]

@mariocandela Reading helps... sorry...

apiVersion: "v1"
protocol: "ssh"
address: ":2222"
description: "SSH Ollama Llama3"
commands:
  - regex: "^(.+)$"
    plugin: "LLMHoneypot"
serverVersion: "OpenSSH"
serverName: "ubuntu"
passwordRegex: "^(root|qwerty|Smoker666|123456|jenkins|minecraft|sinus|alex|postgres|Ly123456)$"
deadlineTimeoutSeconds: 60
plugin:
   llmModel: "llama3"
   host: "http://example.com/api/chat" #default http://localhost:11434/api/chat

[mariocandela]

@t3chn0m4g3 Don't worry mate, you can find me here for anything 😄

ps: These days I'm working on the documentation ❤️

Thanks for your time!

[t3chn0m4g3]

Thank you @mariocandela! ❤️

[t3chn0m4g3]

@mariocandela It is working 🚀😁❤️

I have some issues (T-Pot => Elastic, Kibana objects) with the logging format. Currently tr.TraceEvent stores the events as nested JSON objects...

beelzebub/protocols/strategies/ssh.go

Lines 32 to 42 in 628e20e

	tr.TraceEvent(tracer.Event{
	Msg: "New SSH Session",
	Protocol: tracer.SSH.String(),
	RemoteAddr: sess.RemoteAddr().String(),
	Status: tracer.Start.String(),
	ID: uuidSession.String(),
	Environ: strings.Join(sess.Environ(), ","),
	User: sess.User(),
	Description: beelzebubServiceConfiguration.Description,
	Command: sess.RawCommand(),
	})

... and does not split RemoteAddr into ip and port.

I am unfamiliar with go, so I managed to get this to work as an example:

remoteAddr, remotePort, err := net.SplitHostPort(sess.RemoteAddr().String())
if err != nil {
        remoteAddr = "unknown"
        remotePort = "unknown"
}

log.WithFields(log.Fields{
	"info":         "New SSH Session",
	"protocol":    tracer.SSH.String(),
	"src_ip":  remoteAddr,
	"src_port":  remotePort,
	"status":      tracer.Start.String(),
	"id":          uuidSession.String(),
	"environ":     strings.Join(sess.Environ(), ","),
	"user":        sess.User(),
	"plugin": beelzebubServiceConfiguration.Description,
	"command":     sess.RawCommand(),
})

There is probably an easier / better way 😅, maybe you have an idea? Don't know if changes lead to any problems on your end. If not, let me know, happy to contribute.

[mariocandela]

Hi @t3chn0m4g3,

Sorry for the delay, I added the two useful information for kibana :)

https://github.com/mariocandela/beelzebub/releases/tag/v3.2.4

To speed up the process I applied the change, your solution is valid 😄

Thanks for your time ❤️

[t3chn0m4g3]

Awesome! Thank you! 🤩