DShield Web Honeypot Project – Alpha Version Released

Outsmart Malicious Hackers


For those of you who are not familiar with DShield (where have you been? under a rock?) it’s a Cooperative Network Security Community. Basically what that means is they collect firewall logs and map out the trends.

Like when there was a worm going around that bruteforced SSH2 you could see a spike in port 22 traffic, to quote the about page.

The ISC uses the DShield distributed intrusion detection system for data collection and analysis. DShield collects data about malicious activity from across the Internet. This data is cataloged and summarized and can be used to discover trends in activity, confirm widespread attacks, or assist in preparing better firewall rules.

Currently the system is tailored to process outputs of simple packet filters. As firewall systems that produce easy to parse packet filter logs are now available for most operating systems, this data can be submitted and used without much effort.

If you want to know how to submit you can find out here.

Anyway to get back to the point, with the trend for development moving towards web applications DShield has come out with a Web Honeypot project.

The overall idea is to build something like DShield (which collects firewall logs) for webapps.

The goal of the project is to collect quantitative data measuring the activity of automated or semi-automated probes against web applications. First of all, we will not just look for “attacks”. We look for “probes”. If they are malicious or not can only be determined in context.

We will not look for 0-day style or targeted attacks. Maybe we will get lucky and catch one. But in order to detect them, we would need sensors in specific networks. What we are after is more the “background noise”.

How does it work?
A: The Web Honeypot is made up of 3 elements: a client, a set of templates and a logging system. All web requests destined for the honeypot are passed to the honeypot client. The client attempts to match the specific web application requested to one of the templates installed in the honeypot. If a suitable template is found then it is sent back to the requester. If there is no template available, a default web page is returned. In both cases the specific web application request is logged and sent to a central DShield database.

Should I run this on my production environment?
A: That depends on your risk tolerance. If your organization is willing to approve it, then the program itself is designed so that it can run as a virtual host under apache. You could assign unused IP addresses to the honeypot virtual host.

Can I run this at home?
A: Several people already are. If you can forward port 80 to your honeypot machine, then it will work.
Installation:

Will the Web Honeypot work on my OS?
A: Currently the Web Honeypot works on Windows (2000 or later) and Linux OS with install packages available for: Debian, Redhat, openSUSE and Mac OSX.

Does it run on Windows/IIS/PHP?
A: It should with some minor modifications. IIS does not support the same redirection of all requests that apache does.

You can download the Web Honeypot here:

webhoneypot-alpha.tgz

Or read more here.

Posted in: Countermeasures, Forensics, Security Software, Web Hacking

, , ,


Latest Posts:


StaCoAn - Mobile App Static Analysis Tool StaCoAn – Mobile App Static Analysis Tool
StaCoAn is a cross-platform tool which aids developers, bug bounty hunters and ethical hackers performing mobile app static analysis on the code of the application for both native Android and iOS applications.
snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.


Comments are closed.