Turn attackers into intelligence sources with adaptive honeypot responses
📦 Quick Start • ✨ Features • 🔄 How It Works • 📚 Docs • 🔌 API
IFRIT is an intelligent reverse proxy that sits between the internet and your applications, analyzing every request in real-time. Legitimate traffic flows through seamlessly. Malicious traffic? It gets served AI-generated honeypot responses that waste attackers' time while you gather intelligence.
🎨 Click here to expand the interactive Diagram
graph TB
subgraph Internet
A[👤 Attacker]
L[✅ Legitimate User]
end
subgraph "IFRIT Proxy Layer"
B[🛡️ IFRIT Proxy]
subgraph "AI Detection Engine"
C1[🤖 Claude Sonnet 4]
C2[🤖 Gemini 2.0 Flash]
end
subgraph "Threat Intelligence"
D1[📊 AbuseIPDB]
D2[🦠 VirusTotal]
D3[🌍 IPInfo]
end
end
subgraph Backend
E[🎯 Your Application]
end
subgraph "Attacker Receives"
F[🍯 Fake Data<br/>Honeypot Response]
end
subgraph "User Receives"
G[📦 Real Data<br/>Protected]
end
A -->|Malicious Request| B
L -->|Normal Request| B
B --> C1
B --> C2
B --> D1
B --> D2
B --> D3
B -->|Attack Detected| F
B -->|Legitimate| E
E -->|Response| G
F -.->|Wasted Time| A
G -->|Secure Access| L
style A fill:#ff6b6b,stroke:#c92a2a,stroke-width:2px,color:#fff
style L fill:#51cf66,stroke:#2f9e44,stroke-width:2px,color:#fff
style B fill:#4c6ef5,stroke:#364fc7,stroke-width:3px,color:#fff
style C1 fill:#845ef7,stroke:#5f3dc4,stroke-width:2px,color:#fff
style C2 fill:#845ef7,stroke:#5f3dc4,stroke-width:2px,color:#fff
style D1 fill:#ff922b,stroke:#e8590c,stroke-width:2px,color:#fff
style D2 fill:#ff922b,stroke:#e8590c,stroke-width:2px,color:#fff
style D3 fill:#ff922b,stroke:#e8590c,stroke-width:2px,color:#fff
style E fill:#20c997,stroke:#12b886,stroke-width:2px,color:#fff
style F fill:#fa5252,stroke:#c92a2a,stroke-width:2px,color:#fff
style G fill:#51cf66,stroke:#2f9e44,stroke-width:2px,color:#fff
Simplified flow:
Get up and running in under 2 minutes
|
macOS (Apple Silicon) curl -L -o ifrit-v0.3.2-darwin-arm64.tar.gz \
https://github.com/0tSystemsPublicRepos/IfritProxy/releases/download/v0.3.2/ifrit-v0.3.2-darwin-arm64.tar.gz
tar -xzf ifrit-v0.3.2-darwin-arm64.tar.gz
cd ifrit-v0.3.2-darwin-arm64
./install.sh |
Linux (x64) curl -LO https://github.com/0tSystemsPublicRepos/\
IfritProxy/releases/download/v0.3.2/\
ifrit-v0.3.2-linux-amd64.tar.gz
tar -xzf ifrit-v0.3.2-linux-amd64.tar.gz
cd ifrit-v0.3.2-linux-amd64
./install.sh |
Installation in action - it's really that simple!
# 1. Copy template
cp config/default.json.example config/default.json
# 2. Add your API keys
nano config/default.json # or use your favorite editorMinimal configuration to get started:
{
"llm": {
"provider": "claude", // 👈 Choose: "claude" or "gemini"
"claude": {
"api_key": "sk-ant-..." // 🔑 Get from console.anthropic.com
}
},
"proxy": {
"listen_port": 8080,
"backend_url": "http://localhost:3000" // 🎯 Your app
}
}Build the source code or Install from the available binaries
# Build the binary
go build -o ifrit ./cmd/ifrit
(optional: build ifrit-cli as well)
# Start IFRIT (runs in background)
./ifrit &
# 🎉 You're protected! Access dashboard:
open http://localhost:8443That's it! IFRIT is now protecting your application.
|
Choose your AI provider or let IFRIT auto-fallback:
{
"provider": "claude", // or "gemini"
"cache_ttl": 86400 // 24h learning
} |
Database flexibility for any scale:
# Works with both!
./ifrit-cli attack list
./ifrit-cli pattern add sql_injection |
|
Intelligent honeypot responses that learn:
Example: SQL injection gets fake user database, path traversal gets fake file listings. |
Real-time enrichment from multiple sources:
|
|
Multi-channel notifications with zero fatigue:
Rule-Based Filtering: "rules": {
"alert_on_critical": true, // ✅ Always
"alert_on_high": false, // 🔇 Quiet
"alert_on_medium": false, // 🔇 Quiet
"alert_on_low": false // 🔇 Quiet
} |
Real-time intelligence at your fingertips:
# Query your intelligence
./ifrit-cli threat top 10
./ifrit-cli attacker view 45.67.89.1
./ifrit-cli attack stats --last-24hAPI-first design - integrate with any security stack. |
🎨 Click here to expand the interactive Diagram
flowchart TD
Start([🌐 Incoming Request]) --> Stage0{🔓 Stage 0<br/>Whitelist Check}
Stage0 -->|✅ Whitelisted IP/Path| Allow[✅ ALLOW<br/>Pass to Backend]
Stage0 -->|❌ Not Whitelisted| Stage1{⚡ Stage 1<br/>Local Rules}
Stage1 -->|🎯 Attack Pattern Match| Honeypot[🍯 HONEYPOT<br/>Deceptive Response]
Stage1 -->|❓ Unknown Pattern| Stage2{💾 Stage 2<br/>Database Patterns}
Stage2 -->|📚 Known Attack| Honeypot
Stage2 -->|🆕 Novel Attack| Stage3{🤖 Stage 3<br/>LLM Analysis}
Stage3 -->|🚨 Attack Confirmed| Honeypot
Stage3 -->|✅ Legitimate| Allow
Honeypot --> TI[🔍 Threat Intelligence<br/>Enrichment]
TI --> Notify[📢 Notifications<br/>If Rules Match]
Notify --> Learn[📖 Learn & Store<br/>Pattern]
Allow --> Backend[🎯 Your Application]
Backend --> Response[📦 Real Response]
Learn --> LogAttack[(📊 Attack Database)]
style Start fill:#4c6ef5,stroke:#364fc7,stroke-width:3px,color:#fff
style Stage0 fill:#7950f2,stroke:#5f3dc4,stroke-width:2px,color:#fff
style Stage1 fill:#7950f2,stroke:#5f3dc4,stroke-width:2px,color:#fff
style Stage2 fill:#7950f2,stroke:#5f3dc4,stroke-width:2px,color:#fff
style Stage3 fill:#7950f2,stroke:#5f3dc4,stroke-width:2px,color:#fff
style Allow fill:#51cf66,stroke:#2f9e44,stroke-width:3px,color:#fff
style Honeypot fill:#ff6b6b,stroke:#c92a2a,stroke-width:3px,color:#fff
style TI fill:#ff922b,stroke:#e8590c,stroke-width:2px,color:#fff
style Notify fill:#fab005,stroke:#f08c00,stroke-width:2px,color:#fff
style Learn fill:#20c997,stroke:#12b886,stroke-width:2px,color:#fff
style Backend fill:#339af0,stroke:#1c7ed6,stroke-width:2px,color:#fff
style Response fill:#51cf66,stroke:#2f9e44,stroke-width:2px,color:#fff
style LogAttack fill:#868e96,stroke:#495057,stroke-width:2px,color:#fff
Every detected attack triggers parallel intelligence gathering in the background:
Performance Characteristics:
| Scenario | Behavior | Latency | Cost |
|---|---|---|---|
| First Attack from IP | All 3 APIs called | ~500ms | $0.003 |
| Repeat Attack (< 24h) | Cache hit, no APIs | <10ms | $0.00 |
| After 24h | Re-enrich, update cache | ~500ms | $0.003 |
💡 Result: 90%+ cache hit rate = minimal API costs + fast lookups
IFRIT learns from every attack, dramatically reducing operational costs:
| ⏰ Hour 1: Initial Learning Phase | 🚀 Hour 2: Optimized Operation |
|---|---|
|
First Exposure What Happened:
|
Cached Intelligence What Happened:
|
📊 Real-World Scenario (30 Days):
Day 1: 5,000 attacks, 200 unique → $6.00 in API costs
Day 2: 5,000 attacks, 150 new → $4.50 in API costs
Day 3: 5,000 attacks, 100 new → $3.00 in API costs
...
Day 7: 5,000 attacks, 50 new → $1.50 in API costs
Day 14: 5,000 attacks, 20 new → $0.60 in API costs
Day 30: 5,000 attacks, 10 new → $0.30 in API costs
Total: 150,000 attacks handled
Cost without caching: ~$450.00
Cost with IFRIT learning: ~$45.00
💰 Savings: $405.00 (90% reduction!)
Choose your security philosophy: trust but verify vs zero trust
| 🔍 Detection Mode (Default) | 🛡️ Allowlist Mode (Strict Zero Trust) |
|---|---|
{
"detection": {
"mode": "detection",
"enable_local_rules": true,
"enable_llm": true,
"whitelist_ips": [], // Optional
"whitelist_paths": [] // Optional
}
}
|
{
"detection": {
"mode": "allowlist",
"whitelist_ips": [
"192.168.1.100",
"10.0.0.0/24"
],
"whitelist_paths": [
"/health",
"/metrics"
]
}
}
|
|
Start with Onboarding Mode (7 days) to auto-discover legitimate patterns, then switch to your preferred mode: |
|
|
|
|
After onboarding → Switch to Detection Mode or Allowlist Mode based on your needs |
|
🎬 Execution Modes:
| Mode | Purpose | Blocking | Learning | Duration |
|---|---|---|---|---|
| 🎓 Onboarding | Learn legitimate traffic | ❌ No | ✅ Yes | 7 days (default) |
| 🛡️ Detection | Full protection | ✅ Yes | ✅ Yes | Production |
See DETECTION_MODES.md for detailed comparison and use cases.
Dashboard Overview:
The IFRIT dashboard provides real-time visibility into your security posture with:
- 📊 Threat Level Distribution - Visual breakdown of CRITICAL/HIGH/MEDIUM/LOW threats
- 🎯 Top Risky Attackers - Real-time ranking with risk scores, countries, and flags (Tor, VPN, Hosting)
- ⚡ Detection Pipeline Performance - Stage-by-stage metrics showing cache efficiency
- 📈 Attack Trends - 24-hour attack type breakdown with visual bars
- 🌍 Geographic Insights - Attack source locations with flags
Complete command-line control of your security intelligence:
# View recent attacks
./ifrit-cli attack list
# Detailed analysis
./ifrit-cli attack view 42
# Statistics
./ifrit-cli attack stats
# Filter by source
./ifrit-cli attack by-ip 45.67.89.1
# Filter by target
./ifrit-cli attack by-path /api/users
# Export to JSON
./ifrit-cli attack export \
--format json \
--output attacks.json# List learned signatures
./ifrit-cli pattern list
# View specific pattern
./ifrit-cli pattern view 15
# Add custom pattern
./ifrit-cli pattern add \
sql_injection \
"' OR '1'='1"
# Remove pattern
./ifrit-cli pattern remove 15
# Export patterns
./ifrit-cli pattern export |
# List all attackers
./ifrit-cli attacker list
# Profile details
./ifrit-cli attacker view 5
# Search by IP
./ifrit-cli attacker search 45.67.89.1
# Top attackers
./ifrit-cli attacker top 10# List exceptions
./ifrit-cli exception list
# Add IP exception
./ifrit-cli exception add \
--ip 10.0.0.1 \
--reason "Office VPN"
# Add path exception
./ifrit-cli exception add \
--path /health \
--reason "Health check"
# Remove exception
./ifrit-cli exception remove 3 |
# Recent threat intel
./ifrit-cli threat list
# IP details
./ifrit-cli threat view 45.67.89.1
# Top risky IPs
./ifrit-cli threat top 10
# Statistics
./ifrit-cli threat stats
# Force re-enrich IP
./ifrit-cli threat enrich 45.67.89.1 |
# Database statistics
./ifrit-cli db stats
# View schema
./ifrit-cli db schema
# Vacuum (SQLite only)
./ifrit-cli db vacuum
# Export database
./ifrit-cli db export backup.sql🔄 Database-agnostic: Same commands work for both SQLite and PostgreSQL! |
JSON API for seamless integration with your security stack
Integrate IFRIT with SIEM, monitoring tools, or custom dashboards using our comprehensive REST API.
All API endpoints require authentication via API token:
# Include in every request
curl -H "X-API-Token: YOUR_TOKEN_HERE" \
http://localhost:8443/api/...Generating API tokens: Configure in config/default.json under api.tokens
🚨 Attack Intelligence
# Get recent attacks
curl -H "X-API-Token: YOUR_TOKEN" \
http://localhost:8443/api/attacks
# Get specific attack
curl -H "X-API-Token: YOUR_TOKEN" \
http://localhost:8443/api/attacks/42
# Filter by IP
curl -H "X-API-Token: YOUR_TOKEN" \
"http://localhost:8443/api/attacks?ip=45.67.89.1"
# Filter by date range
curl -H "X-API-Token: YOUR_TOKEN" \
"http://localhost:8443/api/attacks?from=2024-01-01&to=2024-01-31"
# Attack statistics
curl -H "X-API-Token: YOUR_TOKEN" \
http://localhost:8443/api/attacks/statsResponse Example:
{
"attacks": [
{
"id": 42,
"timestamp": "2024-01-15T14:23:45Z",
"source_ip": "45.67.89.1",
"attack_type": "sql_injection",
"threat_level": "CRITICAL",
"risk_score": 92,
"detection_stage": 3,
"path": "/api/users",
"method": "POST"
}
],
"total": 1865,
"page": 1
}👤 Attacker Profiles
# List all attackers
curl -H "X-API-Token: YOUR_TOKEN" \
http://localhost:8443/api/attackers
# Get specific attacker profile
curl -H "X-API-Token: YOUR_TOKEN" \
http://localhost:8443/api/attackers/45.67.89.1
# Top attackers
curl -H "X-API-Token: YOUR_TOKEN" \
"http://localhost:8443/api/attackers/top?limit=10"Response Example:
{
"ip": "45.67.89.1",
"first_seen": "2024-01-10T08:15:30Z",
"last_seen": "2024-01-15T14:23:45Z",
"total_attacks": 234,
"attack_types": ["sql_injection", "path_traversal", "xss"],
"risk_score": 87,
"threat_level": "HIGH",
"country": "CN",
"is_vpn": false,
"is_tor": false,
"is_hosting": true
}🧬 Learned Patterns
# Get all patterns
curl -H "X-API-Token: YOUR_TOKEN" \
http://localhost:8443/api/patterns
# Get pattern by ID
curl -H "X-API-Token: YOUR_TOKEN" \
http://localhost:8443/api/patterns/15
# Add new pattern
curl -X POST \
-H "X-API-Token: YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"attack_type": "sql_injection",
"signature": "' OR 1=1--",
"confidence": 0.95
}' \
http://localhost:8443/api/patterns🔍 Threat Intelligence
# Threat intel statistics
curl -H "X-API-Token: YOUR_TOKEN" \
http://localhost:8443/api/threat-intel/stats
# Top risky IPs
curl -H "X-API-Token: YOUR_TOKEN" \
"http://localhost:8443/api/threat-intel/top?limit=10"
# Get IP details
curl -H "X-API-Token: YOUR_TOKEN" \
http://localhost:8443/api/threat-intel/45.67.89.1
# Force re-enrich IP
curl -X POST \
-H "X-API-Token: YOUR_TOKEN" \
http://localhost:8443/api/threat-intel/45.67.89.1/enrichResponse Example:
{
"ip": "45.67.89.1",
"risk_score": 87,
"threat_level": "HIGH",
"abuseipdb": {
"score": 91,
"total_reports": 156,
"last_reported": "2024-01-14T10:30:00Z"
},
"virustotal": {
"malicious": 3,
"suspicious": 1
},
"ipinfo": {
"country": "CN",
"city": "Shanghai",
"is_vpn": false,
"is_proxy": false,
"is_tor": false,
"is_hosting": true
},
"cached_at": "2024-01-15T14:23:45Z"
}📢 Notifications Configuration
# Get notification config
curl -H "X-API-Token: YOUR_TOKEN" \
http://localhost:8443/api/notifications/config
# Update notification rules
curl -X POST \
-H "X-API-Token: YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"alert_on_critical": true,
"alert_on_high": true,
"alert_on_medium": false,
"alert_on_low": false
}' \
http://localhost:8443/api/notifications/config/update
# Get notification history
curl -H "X-API-Token: YOUR_TOKEN" \
http://localhost:8443/api/notifications/history
# Test notifications
curl -X POST \
-H "X-API-Token: YOUR_TOKEN" \
http://localhost:8443/api/notifications/test💾 Cache Management
# Get cache statistics
curl -H "X-API-Token: YOUR_TOKEN" \
http://localhost:8443/api/cache/stats
# Clear threat intel cache
curl -X POST \
-H "X-API-Token: YOUR_TOKEN" \
http://localhost:8443/api/cache/clear
# Clear specific IP from cache
curl -X DELETE \
-H "X-API-Token: YOUR_TOKEN" \
http://localhost:8443/api/cache/45.67.89.1📚 Complete API Documentation: See API_ENDPOINTS.md for full reference including request/response schemas, error codes, and rate limits.
Sensitive data is automatically redacted before reaching external LLMs:
| Redacted | Preserved |
|---|---|
| 🔒 Auth tokens & credentials | ✅ HTTP method/path |
| 🔒 Session cookies | ✅ Attack patterns |
| 🔒 API keys | ✅ Content-Type |
| 🔒 Email addresses | ✅ User-Agent |
| 🔒 Personal information | ✅ Attack signatures |
Compliance coverage:
- ✅ GDPR - PII anonymized before external API calls
- ✅ HIPAA - PHI protected from third parties
- ✅ PCI-DSS - Credit card data redacted
- ✅ CCPA - User data minimization enforced
See ANONYMIZATION_TESTING.md for details.
Claude (Recommended for security):
{
"llm": {
"provider": "claude",
"claude": {
"api_key": "${ANTHROPIC_API_KEY}",
"model": "claude-sonnet-4-20250514",
"max_tokens": 4096,
"temperature": 0.0
}
}
}Gemini (Cost-effective alternative):
{
"llm": {
"provider": "gemini",
"gemini": {
"api_key": "${GOOGLE_API_KEY}",
"model": "gemini-2.0-flash-exp",
"max_tokens": 4096,
"temperature": 0.0
}
}
}SQLite (Default - Zero Config):
{
"database": {
"type": "sqlite",
"sqlite": {
"path": "./data/ifrit.db"
}
}
}PostgreSQL (Enterprise Scale):
{
"database": {
"type": "postgresql",
"postgresql": {
"host": "localhost",
"port": 5432,
"user": "ifrit_user",
"password": "${POSTGRES_PASSWORD}",
"database": "ifrit",
"ssl_mode": "require"
}
}
}When to use which:
- SQLite: Single server, < 1M attacks/day, quick setup
- PostgreSQL: Clusters, > 1M attacks/day, enterprise needs
Enable external enrichment:
{
"threat_intelligence": {
"enabled": true,
"cache_ttl_hours": 24,
"enrichment_workers": 3,
"apis": {
"abuseipdb": {
"enabled": true,
"api_key": "${ABUSEIPDB_API_KEY}"
},
"virustotal": {
"enabled": true,
"api_key": "${VIRUSTOTAL_API_KEY}"
},
"ipinfo": {
"enabled": true,
"api_key": "${IPINFO_API_KEY}"
}
},
"threat_level_thresholds": {
"critical": 80,
"high": 60,
"medium": 40,
"low": 0
}
}
}Multi-channel alerts with rule-based filtering:
{
"notifications": {
"enabled": true,
"providers": {
"email": {
"enabled": true,
"smtp_host": "smtp.gmail.com",
"smtp_port": 587,
"smtp_username": "${SMTP_USERNAME}",
"smtp_password": "${SMTP_PASSWORD}",
"from_address": "alerts@ifrit.local"
},
"slack": {
"enabled": true,
"webhook_url": "${SLACK_WEBHOOK_URL}"
},
"twilio": {
"enabled": false,
"account_sid": "${TWILIO_ACCOUNT_SID}",
"auth_token": "${TWILIO_AUTH_TOKEN}",
"from_number": "${TWILIO_FROM_NUMBER}",
"to_number": "${TWILIO_TO_NUMBER}"
}
},
"rules": {
"alert_on_critical": true,
"alert_on_high": false,
"alert_on_medium": false,
"alert_on_low": false
}
}
}Pro tip: Start with only CRITICAL alerts enabled to avoid alert fatigue.
| Document | Description |
|---|---|
| START_HERE.md | Navigation guide for all docs |
| INSTALLATION.md | Detailed setup instructions |
| DETECTION_MODES.md | Detection vs Allowlist comparison |
| THREAT_INTELLIGENCE.md | Intelligence gathering guide |
| NOTIFICATIONS.md | Alert system configuration |
| API_ENDPOINTS.md | Complete REST API reference |
| FEATURES.md | Complete feature list |
| DECEPTIVE_PAYLOADS_MANAGEMENT.md | Honeypot response system |
| ANONYMIZATION_TESTING.md | Privacy & compliance details |
v0.4.0 - Enhanced Intelligence
- Keycloak authentication integration
- Redesigning the admin portal
- Database-stored configuration
- Machine learning scoring improvements
- Attack deduplication
v0.5.0 - Enterprise Features
- Advanced SIEM integrations (Wazuh, Splunk, ELK)
- MySQL/MariaDB support
- Clustering & load balancing
- Notification scheduling & quiet hours
v0.6.0 - Automation
- Response automation
- Escalation policies
- Notification batching
- Advanced threat correlation
IFRIT is open source under Apache License 2.0. We welcome contributions!
Areas needing help:
- 🧠 New LLM providers (GPT, Llama, Mistral)
- 🔗 SIEM integrations (Wazuh, Splunk, ELK)
- 🌐 Threat intelligence providers
- 📢 Notification channels (Discord, Teams, PagerDuty)
- 🎭 Payload templates for new attack types
- 📖 Documentation improvements
- 🐛 Bug fixes and optimizations
See CONTRIBUTING.md for guidelines.
Commercial Support: For enterprise deployments, custom integrations, or consulting:
- Email: ifrit@0t.systems
- Web: 0t.Systems
| Metric | Value |
|---|---|
| Detection Accuracy | 99.2% |
| Avg Response Time | < 15ms |
| Cost Reduction | 90% after learning |
| Supported LLMs | Claude, Gemini |
| Database Options | SQLite, PostgreSQL |
| Threat Intel Sources | 3 (AbuseIPDB, VirusTotal, IPInfo) |
| Notification Channels | 4 (Email, Slack, SMS, Webhook) |
IFRIT Proxy is licensed under Apache License 2.0.
Commercial support, custom integration, or consulting:
📧 ifrit@0t.systems
Built with:
- Go - High-performance runtime
- SQLite / PostgreSQL - Data persistence
- Anthropic Claude - AI security analysis
- Google Gemini - Cost-effective AI alternative
- AbuseIPDB - IP reputation intelligence
- VirusTotal - Malware detection
- IPInfo - Geolocation & privacy detection
Special thanks to the security community for threat intelligence and pattern contributions.
Made with 🔥 by 0t.Systems
Turning attackers into intelligence sources, one honeypot at a time
Questions? Issues? Ideas?
📧 Email: ifrit@0t.systems
🐛 Report bugs: GitHub Issues
💬 Discussions: GitHub Discussions
