A Rust-based open source project that captures early suspicious activity using distributed decoy sensors, addressing the challenge of scattered early warning signals in security telemetry.
I recently published Deception Mesh, an open source Rust project designed to capture early suspicious activity using distributed decoy sensors. The project emerged from a concrete problem: many early signals of reconnaissance or offensive exploration get lost in scattered logs or lack sufficient context for effective triage.
A lone HEAD /login, a request to /wp-login.php, or a failed SSH login rarely looks like a "major event" on its own, but it is often the first usable indication of malicious activity. Deception Mesh aims to collect and contextualize these early warning signals before the activity behind them escalates.
Project Architecture
The MVP focuses on a simple, reproducible architecture:
- Sensor agent with HTTP and SSH honeypots
- Control plane with authentication, RBAC, and multi-tenant management
- PostgreSQL persistence for structured data storage
- Severity rules for automated threat classification
- Webhook integration for real-time alerting
- CSV export for offline analysis
- Docker-based quickstart and E2E testing scripts
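The severity rules and webhook alerting in the list above are the parts that turn a stray request into something a triager can act on. As an added example (it is not Deception Mesh's own code; the event fields, rule names, escalation threshold and JSON shape are assumptions chosen for illustration), here is a small rule engine in Rust over constructed sensor events of the kind the post describes. It goes slightly beyond per-event rules: a source that touches more than one decoy is escalated to High, which is the cross-sensor context the post says scattered logs lack.

```rust
use std::collections::{HashMap, HashSet};

/// Severity levels, ordered so `max` selects the strongest matching rule.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity { Info, Low, Medium, High }

/// One observation from a decoy sensor. Field names are assumptions.
#[derive(Debug, Clone)]
pub struct SensorEvent {
    pub sensor: &'static str,   // which decoy saw it, e.g. "web-1"
    pub protocol: &'static str, // "http" or "ssh"
    pub src_ip: &'static str,
    pub detail: &'static str,   // HTTP request line, or an SSH auth outcome
}

/// A severity rule: a name, the severity it assigns, and a predicate.
pub struct Rule {
    pub name: &'static str,
    pub severity: Severity,
    pub matches: fn(&SensorEvent) -> bool,
}

/// Rules for the low-and-slow signals the post mentions (illustrative only).
pub fn default_rules() -> Vec<Rule> {
    vec![
        Rule { name: "wp-login probe", severity: Severity::Medium,
               matches: |e: &SensorEvent| e.protocol == "http" && e.detail.contains("/wp-login.php") },
        Rule { name: "login HEAD probe", severity: Severity::Low,
               matches: |e: &SensorEvent| e.protocol == "http" && e.detail.starts_with("HEAD /login") },
        Rule { name: "ssh auth failure", severity: Severity::Low,
               matches: |e: &SensorEvent| e.protocol == "ssh" && e.detail.starts_with("auth-failed") },
    ]
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Alert { pub rule: String, pub severity: Severity, pub src_ip: String, pub sensor: String }

pub struct RuleEngine {
    pub rules: Vec<Rule>,
    /// Distinct sensors one source must touch before its alerts escalate to High.
    pub escalate_after: usize,
}

impl RuleEngine {
    /// Classify events in arrival order. Each event gets its strongest matching rule
    /// (unmatched events are kept as Info rather than dropped). One probe is noise,
    /// but the same address touching the web and the SSH decoy is reconnaissance,
    /// so once a source has spread across enough decoys its hits become High.
    pub fn classify(&self, events: &[SensorEvent]) -> Vec<Alert> {
        let mut sensors_by_src: HashMap<&str, HashSet<&str>> = HashMap::new();
        let mut out = Vec::with_capacity(events.len());
        for e in events {
            let touched = sensors_by_src.entry(e.src_ip).or_default();
            touched.insert(e.sensor);
            let spread = touched.len();
            let best = self.rules.iter().filter(|r| (r.matches)(e)).max_by_key(|r| r.severity);
            let (name, mut severity) = match best {
                Some(r) => (r.name, r.severity),
                None => ("unmatched", Severity::Info),
            };
            if best.is_some() && spread >= self.escalate_after {
                severity = Severity::High;
            }
            out.push(Alert {
                rule: name.to_string(), severity,
                src_ip: e.src_ip.to_string(), sensor: e.sensor.to_string(),
            });
        }
        out
    }
}

/// Webhook body built by hand so the example has no dependencies; string values
/// are escaped so a quote in a sensor or rule name cannot break the JSON.
pub fn webhook_payload(a: &Alert) -> String {
    fn esc(s: &str) -> String { s.replace('\\', "\\\\").replace('"', "\\\"") }
    format!("{{\"rule\":\"{}\",\"severity\":\"{:?}\",\"src_ip\":\"{}\",\"sensor\":\"{}\"}}",
            esc(&a.rule), a.severity, esc(&a.src_ip), esc(&a.sensor))
}

/// Constructed sample batch (not real telemetry): one source probes the web
/// decoy twice and then fails SSH auth; a second source only fetches robots.txt.
pub fn sample_events() -> Vec<SensorEvent> {
    vec![
        SensorEvent { sensor: "web-1", protocol: "http", src_ip: "203.0.113.7", detail: "HEAD /login HTTP/1.1" },
        SensorEvent { sensor: "web-1", protocol: "http", src_ip: "203.0.113.7", detail: "GET /wp-login.php HTTP/1.1" },
        SensorEvent { sensor: "ssh-1", protocol: "ssh", src_ip: "203.0.113.7", detail: "auth-failed user=root" },
        SensorEvent { sensor: "web-1", protocol: "http", src_ip: "198.51.100.9", detail: "GET /robots.txt HTTP/1.1" },
    ]
}

fn main() {
    let engine = RuleEngine { rules: default_rules(), escalate_after: 2 };
    for alert in engine.classify(&sample_events()) {
        println!("{}", webhook_payload(&alert));
    }
}
```

With the sample batch, the two web probes from 203.0.113.7 come out Low and Medium, the SSH failure from the same address is raised to High because it is the second decoy that source has touched, and the robots.txt fetch from the other address stays Info. Keeping unmatched events as Info rather than discarding them matters for a honeypot: the point is that nothing legitimate should be talking to the decoy at all, so even an unmatched request is worth a row in the CSV export.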
Technical Implementation
Built in Rust for performance and memory safety, the project demonstrates practical systems design patterns:
- Concurrency handling for multiple simultaneous honeypot connections
- Network protocol parsing for HTTP and SSH traffic
- Event-driven architecture for real-time telemetry processing
- Rule engine for dynamic severity assessment
- Multi-tenant isolation in the control plane
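To make the concurrency, HTTP parsing and event-driven points concrete, here is an added example of a threaded decoy HTTP listener in Rust using only the standard library. It is not the project's sensor code; the fake Server banner, the 8 KiB header cap, the 5 second timeout and the event struct are assumptions. Each connection runs on its own thread, headers are read under a size cap and a read timeout, the request line and User-Agent are parsed into an event that is handed to a channel (the telemetry path), and every request is answered with a decoy login page so the probe sees what looks like a real target.

```rust
use std::io::{BufRead, BufReader, Read, Write};
use std::net::{SocketAddr, TcpListener, TcpStream};
use std::sync::mpsc::{self, Receiver, Sender};
use std::thread;
use std::time::Duration;

/// Cap on buffered request headers per connection, so a client that never
/// sends the terminating blank line cannot grow memory without limit.
const MAX_HEADER_BYTES: usize = 8 * 1024;

/// What the sensor reports upstream for one decoy connection (assumed shape).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct HttpEvent {
    pub peer: SocketAddr,
    pub method: String,
    pub path: String,
    pub user_agent: Option<String>,
}

/// Parse just enough HTTP/1.x to describe a probe: the request line and the
/// User-Agent header. Anything that is not a request line (a TLS ClientHello
/// sent to the plain port, random bytes) yields None so it can be recorded as such.
pub fn parse_request(peer: SocketAddr, raw: &str) -> Option<HttpEvent> {
    let mut lines = raw.split("\r\n");
    let mut parts = lines.next()?.split_whitespace();
    let method = parts.next()?.to_string();
    let path = parts.next()?.to_string();
    if !parts.next()?.starts_with("HTTP/") {
        return None;
    }
    let user_agent = lines.take_while(|l| !l.is_empty()).find_map(|l| {
        let (name, value) = l.split_once(':')?;
        name.trim().eq_ignore_ascii_case("user-agent").then(|| value.trim().to_string())
    });
    Some(HttpEvent { peer, method, path, user_agent })
}

/// Serve one connection: read headers under the timeout and size cap, report the
/// event (unparseable input is reported as method "INVALID", not dropped), then
/// answer with a decoy login form whatever was requested.
fn handle(mut stream: TcpStream, tx: Sender<HttpEvent>) {
    let peer = match stream.peer_addr() { Ok(p) => p, Err(_) => return };
    let _ = stream.set_read_timeout(Some(Duration::from_secs(5)));
    let mut reader = BufReader::new(match stream.try_clone() { Ok(s) => s, Err(_) => return });
    let mut raw = String::new();
    loop {
        let mut line = String::new();
        match reader.read_line(&mut line) {
            Ok(0) | Err(_) => break,
            Ok(_) => raw.push_str(&line),
        }
        if line == "\r\n" || raw.len() > MAX_HEADER_BYTES { break; }
    }
    let event = parse_request(peer, &raw).unwrap_or(HttpEvent {
        peer, method: "INVALID".into(), path: String::new(), user_agent: None,
    });
    let is_head = event.method == "HEAD";
    let _ = tx.send(event);
    let body = "<html><body><form method=\"post\" action=\"/login\">\
                <input name=\"user\"><input name=\"pass\" type=\"password\"></form></body></html>";
    let mut resp = format!(
        "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Type: text/html\r\n\
         Content-Length: {}\r\nConnection: close\r\n\r\n", body.len());
    if !is_head { resp.push_str(body); }
    let _ = stream.write_all(resp.as_bytes());
}

/// Bind the decoy (port 0 lets the OS choose) and return the bound address plus
/// the event receiver. A thread per connection keeps one stalled client from
/// blocking the accept loop; a real sensor would use an async runtime instead.
pub fn start_decoy(addr: &str) -> std::io::Result<(SocketAddr, Receiver<HttpEvent>)> {
    let listener = TcpListener::bind(addr)?;
    let local = listener.local_addr()?;
    let (tx, rx) = mpsc::channel();
    thread::spawn(move || {
        for stream in listener.incoming().flatten() {
            let tx = tx.clone();
            thread::spawn(move || handle(stream, tx));
        }
    });
    Ok((local, rx))
}

/// Demonstration client: send a raw request and return the whole response.
pub fn probe(addr: SocketAddr, request: &str) -> String {
    let mut s = TcpStream::connect(addr).expect("connect");
    let _ = s.set_read_timeout(Some(Duration::from_secs(5)));
    s.write_all(request.as_bytes()).expect("write");
    let mut resp = String::new();
    let _ = s.read_to_string(&mut resp);
    resp
}

fn main() {
    let (addr, rx) = start_decoy("127.0.0.1:0").expect("bind");
    // Constructed probe: the HEAD /login signal from the introduction.
    let resp = probe(addr, "HEAD /login HTTP/1.1\r\nHost: decoy\r\nUser-Agent: masscan/1.3\r\n\r\n");
    println!("{}", resp.lines().next().unwrap_or(""));
    println!("{:?}", rx.recv_timeout(Duration::from_secs(5)));
}
```

Two details are deliberate. The decoy records the HEAD request even though it returns no body, because the request itself is the signal; and the read loop stops on the size cap or timeout rather than trusting the client to finish, since a honeypot is by definition talking to peers that may be trying to exhaust it.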
Design Philosophy
A key principle was avoiding overpromising. I'm presenting this as a functional, documented MVP that's honest about its current hardening limitations. The focus is on creating a reproducible foundation that others can build upon and extend.
Use Cases
This project is particularly relevant for:
- Rust developers interested in systems programming and security
- Defensive security practitioners building early warning systems
- Operational telemetry engineers designing distributed monitoring
- Security researchers studying attack patterns and reconnaissance
Getting Started
The project includes Docker-based deployment for easy experimentation. The control plane provides a web interface for sensor management, rule configuration, and event analysis. Because the decoys exist to attract hostile traffic, and the MVP's hardening is presented as still limited, run it on an isolated host or network segment rather than next to production services.
Future Directions
While the MVP provides core functionality, potential extensions include:
- Additional protocol support (FTP, SMTP, database protocols)
- Machine learning integration for anomaly detection
- Distributed sensor orchestration
- Integration with SIEM systems
- Advanced threat intelligence enrichment
For more details, visit the public landing page where you'll find documentation, setup instructions, and contribution guidelines.