Show HN: Spip – Open-Source Self-Hosted TCP Network Sensor (github.com)
3 points by Robbedoes 139 days ago
Spip is a lightweight, low-interaction network honeypot sensor. It listens for arbitrary incoming TCP traffic (plain and TLS), captures what scanners and bots send, and logs each connection as structured JSON (ECS-shaped) for easy ingestion into your SIEM or data lake.
1 comment

I wonder if you could move to pure-Go with x/sys/unix to retrieve SO_ORIGINAL_DST instead of leveraging Cgo? It would make cross-compilation for different architectures a lot easier. What kind of sensor results are you seeing with the default setup?
Good suggestion. To be honest, Cgo was the easiest for me to implement, as I originally wrote the tool in a different language. Also, most of the documentation for Netfilter and SO_ORIGINAL_DST is in C.

As for results: I’m seeing about one 'hit' per second on a standard VPS. It's a constant stream of bots looking for exploitable systems and probes from scanners like Shodan and Censys. It’s actually surprising how quickly a new IP gets picked up by these crawlers.
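The pure-Go route the commenter suggests, written out as an added example. This is not Spip's code (the page says Spip uses Cgo) and it does not even use x/sys/unix: the standard library's syscall package is enough, because syscall.GetsockoptIPv6Mreq hands back a 20-byte buffer that is large enough to hold the struct sockaddr_in that SO_ORIGINAL_DST returns. The listener port 9000, the iptables rule, the ECS field layout and every function name below are my assumptions, not something Spip documents.

```go
// Added example (not Spip's code): recover the pre-NAT destination of an
// accepted TCP connection in pure Go, no Cgo, and emit one ECS-shaped
// JSON line per hit. Assumes a little-endian Linux host (x86-64/arm64).
package main

import (
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"net"
	"syscall"
	"time"
)

// Netfilter constants, defined locally so the file builds everywhere.
// On Linux they match <linux/netfilter_ipv4.h>: SOL_IP=0, SO_ORIGINAL_DST=80.
const (
	solIP         = 0
	soOriginalDst = 80
)

// parseSockaddrIn decodes a raw struct sockaddr_in as returned by
// SO_ORIGINAL_DST: family (2 bytes, host order), port (2 bytes, network
// order), IPv4 address (4 bytes), padding (8 bytes).
func parseSockaddrIn(raw []byte) (*net.TCPAddr, error) {
	if len(raw) < 8 {
		return nil, fmt.Errorf("sockaddr_in too short: %d bytes", len(raw))
	}
	// sa_family_t is in host byte order; this example assumes little-endian.
	if fam := binary.LittleEndian.Uint16(raw[0:2]); fam != syscall.AF_INET {
		return nil, fmt.Errorf("unexpected address family %d", fam)
	}
	port := int(binary.BigEndian.Uint16(raw[2:4]))
	ip := net.IPv4(raw[4], raw[5], raw[6], raw[7])
	return &net.TCPAddr{IP: ip, Port: port}, nil
}

// originalDst asks conntrack for the destination the client really dialed
// before an iptables/nftables REDIRECT rewrote it to our listener. The
// IPv6Mreq getsockopt helper is borrowed only for its 20-byte result
// buffer; a sockaddr_in is 16 bytes, so it fits.
func originalDst(conn *net.TCPConn) (*net.TCPAddr, error) {
	rc, err := conn.SyscallConn()
	if err != nil {
		return nil, err
	}
	var addr *net.TCPAddr
	var gerr error
	err = rc.Control(func(fd uintptr) {
		mreq, e := syscall.GetsockoptIPv6Mreq(int(fd), solIP, soOriginalDst)
		if e != nil {
			gerr = e
			return
		}
		addr, gerr = parseSockaddrIn(mreq.Multiaddr[:])
	})
	if err != nil {
		return nil, err
	}
	return addr, gerr
}

// ecsEndpoint and ecsEvent follow the Elastic Common Schema field names
// for source.*, destination.* and event.*; payload_b64 is a custom field.
type ecsEndpoint struct {
	IP   string `json:"ip"`
	Port int    `json:"port"`
}

type ecsEvent struct {
	Timestamp   string      `json:"@timestamp"`
	Kind        string      `json:"event.kind"`
	Category    string      `json:"event.category"`
	Transport   string      `json:"network.transport"`
	Source      ecsEndpoint `json:"source"`
	Destination ecsEndpoint `json:"destination"`
	PayloadB64  string      `json:"payload_b64"`
}

// newEvent builds one hit record; payload is whatever the peer sent first.
func newEvent(src, dst *net.TCPAddr, payload []byte, ts time.Time) ecsEvent {
	return ecsEvent{
		Timestamp:   ts.Format(time.RFC3339Nano),
		Kind:        "event",
		Category:    "network",
		Transport:   "tcp",
		Source:      ecsEndpoint{IP: src.IP.String(), Port: src.Port},
		Destination: ecsEndpoint{IP: dst.IP.String(), Port: dst.Port},
		PayloadB64:  base64.StdEncoding.EncodeToString(payload),
	}
}

// JSON renders the event as a single line for a SIEM or data lake.
func (e ecsEvent) JSON() string {
	b, _ := json.Marshal(e)
	return string(b)
}

func handle(c *net.TCPConn) {
	defer c.Close()
	dst, err := originalDst(c)
	if err != nil {
		// No REDIRECT mapping for this flow: fall back to the local address.
		dst = c.LocalAddr().(*net.TCPAddr)
	}
	// Low-interaction: record the first probe or banner only, then hang up.
	buf := make([]byte, 4096)
	_ = c.SetReadDeadline(time.Now().Add(5 * time.Second))
	n, _ := c.Read(buf)
	fmt.Println(newEvent(c.RemoteAddr().(*net.TCPAddr), dst, buf[:n], time.Now().UTC()).JSON())
}

func main() {
	// Assumed setup: one listener plus a NAT rule that sends every TCP
	// port except SSH here, e.g.
	//   iptables -t nat -A PREROUTING -p tcp ! --dport 22 -j REDIRECT --to-ports 9000
	ln, err := net.Listen("tcp4", ":9000")
	if err != nil {
		panic(err)
	}
	for {
		c, err := ln.Accept()
		if err != nil {
			continue
		}
		go handle(c.(*net.TCPConn))
	}
}
```

Because nothing here calls into C, GOOS=linux GOARCH=arm64 go build works from any host without a cross toolchain. The fallback in handle matters in practice: a connection that reached the listener directly (no conntrack NAT entry) makes the getsockopt call fail, and you still want the hit logged rather than dropped.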