LLM-powered web honeypot for dynamic HTTP response generation
Galah is an LLM-powered web honeypot designed to dynamically mimic various web applications and respond to arbitrary HTTP requests. It targets security researchers and developers interested in exploring advanced honeypot techniques, offering a flexible and cost-effective way to log and analyze web traffic by leveraging LLMs for response generation.
How It Works
Galah utilizes Large Language Models (LLMs) to generate realistic HTTP responses, including headers and body content, based on incoming requests. This dynamic approach contrasts with traditional honeypots that require manual emulation of specific applications. By analyzing the request's method, path, headers, and body, Galah crafts contextually relevant responses. It employs a port-specific caching mechanism to store generated responses, reducing redundant LLM API calls and associated costs. The effectiveness of the honeypot relies heavily on prompt engineering, ensuring the LLM adheres to generating responses in the required JSON format.
Quick Start & Requirements
Build: go build -o galah ./cmd/galah
Run: export LLM_API_KEY=your-api-key && ./galah --provider PROVIDER --model MODEL
Docker: docker build -t galah-image . && docker run -d --name galah-container -p 8080:8080 -v $(pwd)/logs:/galah/logs -e LLM_API_KEY galah-image -o logs/galah.json -p openai -m gpt-3.5-turbo-1106
Maintenance & Community
The project was developed as a weekend project and is not intended for production use. Community links or roadmap information are not provided in the README.
Licensing & Compatibility
The repository does not explicitly state a license in the README.
Limitations & Caveats
Galah is explicitly stated as not intended for production use. The honeypot may be identifiable through network fingerprinting, variable response times, and non-standard responses. Users are advised to set LLM API usage limits to prevent Denial of Wallet attacks.
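The port-specific cache from How It Works and the usage limit advised above can be combined in one component. The following is an added sketch, not Galah's own code: the `Response` shape, `Cache`, `Key`, `Get`, the `budget` field and the `generate` callback (standing in for the LLM API call) are all hypothetical names.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sync"
)

// Response is an assumed shape for the JSON the LLM is prompted to return.
type Response struct {
	Headers map[string]string `json:"headers"`
	Body    string            `json:"body"`
}

// Cache holds generated responses per port and caps upstream LLM calls.
type Cache struct {
	mu      sync.Mutex
	entries map[string]Response
	budget  int // LLM calls still allowed; the Denial of Wallet guard
}

// Key binds an entry to the listening port as well as the request line.
func Key(port int, method, uri string) string { return fmt.Sprintf("%d %s %s", port, method, uri) }

// Get serves from cache, else spends one budget unit on generate. The unit is
// spent even if the output is unusable, because the API call was still billed.
func (c *Cache) Get(port int, method, uri string, generate func() (string, error)) (Response, bool, error) {
	c.mu.Lock() // held across generate so identical concurrent requests cost one call
	defer c.mu.Unlock()
	if r, ok := c.entries[Key(port, method, uri)]; ok {
		return r, true, nil
	}
	if c.budget <= 0 {
		return Response{}, false, errors.New("LLM call budget exhausted")
	}
	c.budget--
	raw, err := generate()
	var r Response
	if err != nil || json.Unmarshal([]byte(raw), &r) != nil || r.Headers == nil {
		return Response{}, false, errors.New("no usable JSON response from LLM")
	}
	c.entries[Key(port, method, uri)] = r
	return r, false, nil
}

func main() {
	c := &Cache{entries: map[string]Response{}, budget: 1}
	// Constructed sample output standing in for a real LLM reply.
	fmt.Println(c.Get(8080, "GET", "/", func() (string, error) { return `{"headers":{},"body":"ok"}`, nil }))
}
```

Once the budget is exhausted, a deployment would fall back to a fixed static response instead of calling the provider, and a provider-side spending limit remains the backstop.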