Honeypots mailing list archives
Re: Honeypot webserver question
From: Guillaume Vissian <somebodyishere () gmail com>
Date: Mon, 4 Jul 2005 10:52:08 +0200
I don't know of any "plug and play" honey webserver, but you can easily build one... With some correct log rules and a secured (I mean chrooted) install of the webserver you will see every move from the attacker, and afterwards build a behavior model. And finally find some 0-days and such...

G.

2005/7/4, ChayoteMu <chayotemu () gmail com>:
I tried to google info on this question but couldn't find anything specific to what I'm after so I'm sending this out to the list. Thanks in advance for any responses.

Question: Is it possible to run a web server on a honeypot that will serve the pages and work as a regular server except with the extras of being a honeypot, i.e. logging and prevention measures?

I'm asking because I had an idea for a pair of webservers behind an IDS/Firewall. Regular traffic goes to the primary web server but suspicious traffic gets dumped onto the honeypot server. This lets false positives view the site but not have access to any other services (FTP or anything else on the real server) and gives a good idea of what they'd try to do to the clean server so you could catch 0-days and such. And if you're bored you can update the honeyserver semi-regularly to get all the new goodies on there for attackers to go after (with some changes obviously).

I know you can emulate web servers with various methods but I'm curious if there's somebody/group doing that now or a tool anyone knows of for it.

--
"To catch a thief, think like a thief. To catch a master thief, be a master thief."
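
The split described in the question (clean traffic to the primary server, suspicious traffic to the honeypot) together with the full request logging the reply recommends, as an added example that is not part of either message. The indicator patterns, backend names and sample requests are assumptions made for illustration.

```python
import json
import re
from urllib.parse import unquote

# Illustrative indicators only (assumption). In the design described above
# the verdict would come from the IDS/firewall in front of both servers.
INDICATORS = [
    ("path_traversal", re.compile(r"\.\./|\.\.\\")),
    ("sql_union", re.compile(r"(?i)\bunion\b.+\bselect\b")),
    ("script_tag", re.compile(r"(?i)<script")),
]
PRIMARY, HONEYPOT = "primary", "honeypot"  # hypothetical backend names


def classify(target, body=""):
    """Return the names of the indicators matched by a request."""
    # Decode twice so double-encoded input (%252e%252e%252f) is seen too.
    text = unquote(unquote(target)) + "\n" + unquote(body)
    return [name for name, rx in INDICATORS if rx.search(text)]


def route(src, method, target, headers, body="", diverted=None):
    """Choose a backend and build the JSON log line for the request.

    `diverted` holds sources already sent to the honeypot. A diverted
    source stays there, so its later, harmless-looking requests are
    logged as part of the same session.
    """
    diverted = set() if diverted is None else diverted
    hits = classify(target, body)
    if hits:
        diverted.add(src)
    backend = HONEYPOT if src in diverted else PRIMARY
    record = {"src": src, "method": method, "target": target,
              "headers": headers, "body": body,
              "indicators": hits, "backend": backend}
    return backend, json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    seen = set()
    # Constructed requests (documentation addresses, made-up paths).
    for src, target in [("198.51.100.7", "/index.html"),
                        ("203.0.113.9", "/view?f=..%2f..%2fetc%2fpasswd"),
                        ("203.0.113.9", "/index.html")]:
        print(route(src, "GET", target, {"Host": "www.example.test"},
                    diverted=seen)[1])
```

Keeping a diverted source on the honeypot is a design choice of this sketch: it records the requests that follow the first flagged one, which is the material a behavior model would be built from.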