For those of you who are not familiar with DShield (where have you been? under a rock?) it’s a Cooperative Network Security Community. Basically what that means is they collect firewall logs and map out the trends.
Like when there was a worm going around that bruteforced SSH2 you could see a spike in port 22 traffic, to quote the about page.
The ISC uses the DShield distributed intrusion detection system for data collection and analysis. DShield collects data about malicious activity from across the Internet. This data is cataloged and summarized and can be used to discover trends in activity, confirm widespread attacks, or assist in preparing better firewall rules.
Currently the system is tailored to process outputs of simple packet filters. As firewall systems that produce easy to parse packet filter logs are now available for most operating systems, this data can be submitted and used without much effort.
If you want to know how to submit you can find out here.
Anyway to get back to the point, with the trend for development moving towards web applications DShield has come out with a Web Honeypot project.
The overall idea is to build something like DShield (which collects firewall logs) for webapps.
The goal of the project is to collect quantitative data measuring the activity of automated or semi-automated probes against web applications. First of all, we will not just look for “attacks”. We look for “probes”. If they are malicious or not can only be determined in context.
We will not look for 0-day style or targeted attacks. Maybe we will get lucky and catch one. But in order to detect them, we would need sensors in specific networks. What we are after is more the “background noise”.
How does it work?
A: The Web Honeypot is made up of 3 elements: a client, a set of templates and a logging system. All web requests destined for the honeypot are passed to the honeypot client. The client attempts to match the specific web application requested to one of the templates installed in the honeypot. If a suitable template is found then it is sent back to the requester. If there is no template available, a default web page is returned. In both cases the specific web application request is logged and sent to a central DShield database.
Should I run this on my production environment?
A: That depends on your risk tolerance. If your organization is willing to approve it, then the program itself is designed so that it can run as a virtual host under apache. You could assign unused IP addresses to the honeypot virtual host.
Can I run this at home?
A: Several people already are. If you can forward port 80 to your honeypot machine, then it will work.
Will the Web Honeypot work on my OS?
A: Currently the Web Honeypot works on Windows (2000 or later) and Linux OS with install packages available for: Debian, Redhat, openSUSE and Mac OSX.
Does it run on Windows/IIS/PHP?
A: It should with some minor modifications. IIS does not support the same redirection of all requests that apache does.
You can download the Web Honeypot here:
Or read more here.