The Web Honeypot is made up of 3 elements: a client, a set of templates and a logging system. All web requests destined for the honeypot are passed to the honeypot client. The client attempts to match the specific web application requested to one of the templates installed in the honeypot. If a suitable template is found then it is sent back to the requester. If there is no template available, a default web page is returned. In both cases the specific web application request is logged and sent to a central DShield database.
The Web Honeypot is part of the DShield project, which aims to collect quantitative data measuring the activity of automated or semi-automated probes against web applications. It collects web application logs to supplement the extensive data DShield already collects on network-level activity. The Web Honeypot does not look only for "attacks"; it also looks for "probes". Whether they are malicious can only be determined in context.
The Web Honeypot itself is a simple PHP page (index.php) designed to mimic several web applications. It works with an existing DShield account and gathers information on application-level attacks in the wild. Installation is simple, but the project requires a good number of submitters in order to provide conclusive data. The Web Honeypot logs the URL and header information such as IP address, host, user agent and referrer from every request and matches it against the expressions in config.txt before posting it to the DShield database. Some expressions in config.txt cause the Web Honeypot to respond to the attacker with the template associated with them; this normally occurs when an attacker is looking for installations of a particular application by its common paths and filenames. The templates and patterns can be further customized in the templates folder of the Web Honeypot.
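The match-then-log flow described above, as an added PHP sketch that is not the project's index.php. The pattern table, template names and function names are constructed for illustration and do not reproduce the real config.txt format; the record is printed rather than submitted to DShield.

```php
<?php
// Constructed pattern table (regex on the request path => template name).
// Illustration only: this is NOT the project's config.txt format.
const PATTERNS = [
    '#/phpmyadmin/#i'    => 'phpmyadmin',
    '#/wp-login\.php$#i' => 'wordpress',
    '#/roundcube/#i'     => 'roundcube',
];

// Return the template to serve for a request URI, or 'default' when nothing matches.
function match_template(string $uri): string
{
    // Drop the query string by hand; scanner paths such as "//phpmyadmin/" stay intact.
    $path = explode('?', $uri, 2)[0];
    foreach (PATTERNS as $regex => $template) {
        if (preg_match($regex, $path) === 1) {
            return $template;
        }
    }
    return 'default';
}

// Build the log record: URL plus IP address, host, user agent and referrer.
// Every field is attacker-controlled, so control characters are stripped and
// the length is capped before the value reaches a log line.
function build_log_record(array $server): array
{
    $clean = fn($v) => substr((string) preg_replace('/[\x00-\x1F\x7F]/', '', (string) $v), 0, 512);
    $url = $clean($server['REQUEST_URI'] ?? '/');
    return [
        'time'       => gmdate('c'),
        'ip'         => $clean($server['REMOTE_ADDR'] ?? ''),
        'host'       => $clean($server['HTTP_HOST'] ?? ''),
        'url'        => $url,
        'user_agent' => $clean($server['HTTP_USER_AGENT'] ?? ''),
        'referrer'   => $clean($server['HTTP_REFERER'] ?? ''),
        'template'   => match_template($url), // logged whether or not a template matched
    ];
}

// Constructed sample requests in the shape of $_SERVER (documentation IP ranges).
$samples = [
    ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_HOST' => 'www.example.org',
     'REQUEST_URI' => '//phpmyadmin/index.php?lang=en', 'HTTP_USER_AGENT' => 'scanner/1.0'],
    ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_HOST' => 'www.example.org',
     'REQUEST_URI' => '/unknown-app/setup.php', 'HTTP_USER_AGENT' => "probe\r\nX-Injected: 1"],
];
foreach ($samples as $request) {
    echo json_encode(build_log_record($request), JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE), "\n";
}
```

The first sample selects the phpmyadmin template; the second falls through to the default page, and its user agent is logged with the embedded line break removed.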
Download: Here
Saturday, July 18, 2009
DShield Web Honeypot Project