DEV.co
Open-Source Security · 0x4D31

galah

Galah is an LLM-powered web honeypot written in Go that dynamically generates HTTP responses to arbitrary requests using large language models from providers like OpenAI, Google, Anthropic, and Ollama. It caches responses to reduce API costs and optionally integrates Suricata rules for request inspection.

Source: GitHub — github.com/0x4D31/galah
655
GitHub stars
67
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repository0x4D31/galah
Owner0x4D31
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars655
Forks67
Open issues6
Latest releasev1.1.1 (2025-07-24)
Last updated2025-07-24
Sourcehttps://github.com/0x4D31/galah

What galah is

Galah leverages LLM APIs to craft contextually appropriate HTTP headers and body content for any incoming request, using port-specific response caching and SQLite for persistence. It supports optional Suricata HTTP rule matching against method, URI, headers, cookies, and body content with limited PCRE support.

Quickstart

Get the galah source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/0x4D31/galah.gitcd galah# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Threat Intelligence & Attack Surface Monitoring

Deploy as a low-interaction honeypot to detect and log reconnaissance attempts, vulnerability scanning, and attack patterns without manual application emulation.

Security Research & Red Team Operations

Generate diverse, realistic HTTP responses to study attacker behavior, test detection systems, and gather data on exploitation techniques.

Deception Infrastructure at Scale

Quickly spin up multiple honeypot instances across different ports with varying application profiles without maintaining separate vulnerable applications.

Implementation considerations

  • Set strict usage limits on LLM API keys to prevent Denial of Wallet attacks; monitor API consumption and set alerts.
  • Response generation latency depends on LLM provider and model; expect variable delays that may not match real application behavior.
  • Honeypot may be fingerprinted via response timing, non-standard header patterns, or behavioral anomalies; not designed as production application camouflage.
  • Suricata rule matching is functional but incomplete; PCRE support is limited and not all Suricata keywords are implemented.
  • Cache configuration (duration, port-specificity) must align with traffic patterns and threat modeling goals; misconfiguration may hide or over-suppress legitimate attack detection.

When to avoid it — and what to weigh

  • High-Fidelity Application Emulation Required — If you need precise behavioral mimicry of specific applications (e.g., exact database responses, complex state management), traditional emulation honeypots are more reliable.
  • Cost-Sensitive LLM API Usage — Each unique request generates an LLM API call; high-volume traffic requires careful cost management and rate limiting or risks significant API bills.
  • No Internet Connectivity Available — Requires live connection to external LLM providers (except Ollama, which needs local setup); offline-only environments cannot use cloud LLM providers.
  • Deterministic, Reproducible Responses Needed — LLM-generated responses are non-deterministic by nature; if you need identical responses for forensic or audit purposes, response variability may be problematic.

License & commercial use

Licensed under Apache License 2.0, a permissive OSI-approved license allowing commercial use, modification, and distribution with attribution and liability disclaimer.

Apache-2.0 permits commercial deployment. However, you are responsible for: (1) paying LLM API costs from your chosen provider(s); (2) complying with each LLM provider's terms of service for commercial use; (3) understanding that the project is explicitly noted as a 'fun weekend project' without production security guarantees. Verify provider terms before commercial deployment.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Galah itself does not validate or sanitize LLM-generated responses before sending; responses are trusted. Consider: (1) LLM injection attacks via crafted requests that cause unintended LLM behavior; (2) credential exposure if API keys logged or cached insecurely; (3) Denial of Wallet via high-volume requests; (4) LLM provider API account compromise affects honeypot integrity; (5) caching stores request/response bodies on disk (sqlite)—no mention of encryption at rest. Suricata rule matching does not prevent false negatives; rule coverage gaps exist. No explicit mention of input validation on config files or network isolation requirements.

Alternatives to consider

Cowrie (SSH/Telnet Honeypot)

Traditional, lower-cost honeypot with static/manual emulation; no LLM dependency. Better for SSH/Telnet; less flexible for HTTP variety.

Glastopus / WAFF (Web Application Honeypots)

Purpose-built HTTP honeypots with pre-coded application profiles; deterministic responses. No LLM API costs; better for specific app emulation; less adaptive to novel requests.

Honeyd (Network Honeypot)

Lightweight, multi-protocol emulation at network level. Lower latency; no LLM costs; less sophisticated HTTP response crafting.

Software development agency

Build on galah with DEV.co software developers

Galah accelerates honeypot deployment via LLM-powered response generation. For production integration, threat modeling, scaling, and cost optimization, our security engineering team can help architect your deception infrastructure.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

galah FAQ

How much does it cost to run Galah?
Cost depends entirely on your LLM provider (OpenAI, Google, Anthropic, etc.). Each unique HTTP request triggers one LLM API call unless cached. Response caching (default 24 hours, port-specific) reduces repeated costs. Set usage limits on your API key to prevent runaway bills.
Can Galah run offline?
Only if you use Ollama (local LLM server). Cloud LLM providers (OpenAI, Google, Anthropic, Cohere, GCP Vertex AI) require internet connectivity. Ollama requires local setup and hardware sufficient to run LLM models.
How realistic are Galah's responses?
Responses are contextually plausible but non-deterministic and may exhibit LLM artifacts or timing delays. Not suitable for production application camouflage. Honeypot may be fingerprinted via response timing, patterns, or behavioral inconsistencies.
What are the Suricata rule limitations?
Suricata HTTP rule matching is functional but incomplete: not all Suricata keywords are supported, and PCRE handling is limited. Rules are effective for common HTTP patterns but gaps may exist; review rule coverage for your threat model.

Software developers & web developers for hire

From first prototype to production, DEV.co delivers software development services around tools like galah. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.

Ready to Deploy Intelligent Deception Infrastructure?

Galah accelerates honeypot deployment via LLM-powered response generation. For production integration, threat modeling, scaling, and cost optimization, our security engineering team can help architect your deception infrastructure.