DShield Web Honeypot Project – Alpha Version Released


For those of you who are not familiar with DShield (where have you been? under a rock?) it’s a Cooperative Network Security Community. Basically what that means is they collect firewall logs and map out the trends.

Like when there was a worm going around that bruteforced SSH2 you could see a spike in port 22 traffic, to quote the about page.

The ISC uses the DShield distributed intrusion detection system for data collection and analysis. DShield collects data about malicious activity from across the Internet. This data is cataloged and summarized and can be used to discover trends in activity, confirm widespread attacks, or assist in preparing better firewall rules.

Currently the system is tailored to process outputs of simple packet filters. As firewall systems that produce easy to parse packet filter logs are now available for most operating systems, this data can be submitted and used without much effort.

If you want to know how to submit you can find out here.

Anyway to get back to the point, with the trend for development moving towards web applications DShield has come out with a Web Honeypot project.

The overall idea is to build something like DShield (which collects firewall logs) for webapps.

The goal of the project is to collect quantitative data measuring the activity of automated or semi-automated probes against web applications. First of all, we will not just look for “attacks”. We look for “probes”. If they are malicious or not can only be determined in context.

We will not look for 0-day style or targeted attacks. Maybe we will get lucky and catch one. But in order to detect them, we would need sensors in specific networks. What we are after is more the “background noise”.

How does it work?
A: The Web Honeypot is made up of 3 elements: a client, a set of templates and a logging system. All web requests destined for the honeypot are passed to the honeypot client. The client attempts to match the specific web application requested to one of the templates installed in the honeypot. If a suitable template is found then it is sent back to the requester. If there is no template available, a default web page is returned. In both cases the specific web application request is logged and sent to a central DShield database.

Should I run this on my production environment?
A: That depends on your risk tolerance. If your organization is willing to approve it, then the program itself is designed so that it can run as a virtual host under apache. You could assign unused IP addresses to the honeypot virtual host.

Can I run this at home?
A: Several people already are. If you can forward port 80 to your honeypot machine, then it will work.
Installation:

Will the Web Honeypot work on my OS?
A: Currently the Web Honeypot works on Windows (2000 or later) and Linux OS with install packages available for: Debian, Redhat, openSUSE and Mac OSX.

Does it run on Windows/IIS/PHP?
A: It should with some minor modifications. IIS does not support the same redirection of all requests that apache does.

You can download the Web Honeypot here:

webhoneypot-alpha.tgz

Or read more here.

Posted in: Countermeasures, Forensics, Security Software, Web Hacking

, , ,


Latest Posts:


Nipe - Make Tor Default Gateway For Network Nipe – Make Tor Default Gateway For Network
Nipe is a Perl script to make Tor default gateway for network, this script enables you to directly route all your traffic from your computer to the Tor network.
Mosca - Manual Static Analysis Tool To Find Bugs Mosca – Manual Static Analysis Tool To Find Bugs
Mosca is a manual static analysis tool written in C designed to find bugs in the code before it is compiled, much like a grep unix command.
Slurp - Amazon AWS S3 Bucket Enumerator Slurp – Amazon AWS S3 Bucket Enumerator
Slurp is a blackbox/whitebox S3 bucket enumerator written in Go that can use a permutations list to scan externally or an AWS API to scan internally.
US Government Cyber Security Still Inadequate US Government Cyber Security Still Inadequate
Surprise, surprise, surprise - an internal audit of the US Government cyber security situation has uncovered widespread weaknesses, legacy systems and poor adoption of cyber controls and tooling.
BloodHound - Hacking Active Directory Trust Relationships BloodHound – Hacking Active Directory Trust Relationships
BloodHound is for hacking active directory trust relationships and it uses graph theory to reveal the hidden and often unintended relationships within an AD environment.
SecLists - Usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells SecLists – Usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place.


Comments are closed.