Using a Honeypot to Debug HTTP Requests

You might run into some scenarios where you need to inspect the content of an HTTP request,
or just a placeholder HTTP server for tests / development,
or even just a honeypot to intercept some internet traffic for analysis.

In some cases, you can just use a utility like netcat or python3 -m http.server 8000 to quickly spin up an HTTP server for request interception.
But I found that a dedicated honeypot is a better fit for this job.

Beelzebub is a low-code-configuration honeypot that can host SSH/HTTP servers and behave however you configure it.

Setup and configuration

You can spin it up with docker compose like this.

Folder structure

----- beelzebub
|  |-- configurations
|  | |--services
|  |   |--service-you-want-to-spin.yaml
|  |-- beelzebub.yaml
|-- docker-compose.yml

You can use the sample configurations/beelzebub.yaml
and docker-compose.yml as is.

In this example, I will construct a “catch-all HTTP honeypot server” in configurations/services/service-you-want-to-spin.yaml.

apiVersion: "v1"
protocol: "http"
address: ":8080"
description: "Catch All point"
commands:
  - regex: ".*"
    statusCode: 200

And that’s enough to spin up a honeypot that catches all HTTP requests.

When I send a curl request to the honeypot:

$ curl http://localhost:8080 -X POST -d “hello this is a payload”

I can inspect the request by checking the Beelzebub docker logs.

{
  "event": {
    "DateTime": "2025-11-22T15:13:51Z",
    "RemoteAddr": "172.22.0.1:41728",
    "Protocol": "HTTP",
    "Command": "",
    "CommandOutput": "",
    "Status": "Stateless",
    "Msg": "HTTP New request",
    "ID": "9cfaafdd-4b96-4180-bee3-7e5a93e1c469",
    "Environ": "",
    "User": "",
    "Password": "",
    "Client": "",
    "Headers": "[Key: User-Agent, values: curl/8.5.0],[Key: Accept, values: */*],[Key: Content-Length, values: 23],[Key: Content-Type, values: application/x-www-form-urlencoded],",
    "HeadersMap": {
      "Accept": [
        "*/*"
      ],
      "Content-Length": [
        "23"
      ],
      "Content-Type": [
        "application/x-www-form-urlencoded"
      ],
      "User-Agent": [
        "curl/8.5.0"
      ]
    },
    "Cookies": "",
    "UserAgent": "curl/8.5.0",
    "HostHTTPRequest": "localhost:8080",
    "Body": "hello this is a payload",
    "HTTPMethod": "POST",
    "RequestURI": "/",
    "Description": "Catch All point",
    "SourceIp": "172.22.0.1",
    "SourcePort": "41728",
    "TLSServerName": "",
    "Handler": ""
  },
  "level": "info",
  "msg": "New Event",
  "status": "Stateless"
}