Honeypots mailing list archives

Re: regarding http emulation


From: Richard Stevens <mail () richardstevens de>
Date: Sun, 9 Feb 2003 12:49:27 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PLEASE let me know what is the use of http emulation
for honeypots. Like in  telnet and ftp emulation ...we
are keeping track of the activities of attacker
....but how does HTTP EMULATION HELP HONEYPOT GAIN
INFORMATION ABOUT THE ATTACKER.

Hi,

this depends mainly on what you intend to see and the decision on whether or 
not and how the service is implemented should be based on that intention, 
too. 

Example:

If your honeypot is supposed to be an early warning system for worms or some 
kind of activity sensor for worms, a fake service should be enough. You'll be 
able to gather information about the number of tried connects and the strings 
being used. Those connection requests often give information about what tried 
to connect. This for example is a worm:

[Sun Feb  9 10:29:04 2003] [error] [client 217.210.36.14] File does not exist: 
gesperrt/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe

In case of a sudden increase in connects you can guess and with your honeypot 
confirm that there is some new worm in the wild. The fake service makes sure 
that your system is not going to be infected. If it was a real server, you 
never know, the new worm might just successfully attack the real server you 
are running on your honeypot. 


Depending on the goals of your honeypot, you might not at all be interested in 
that kind of data. For that reason it's imho not possible to give a definite 
answer to your question. A fake server might be enough for you, maybe what 
you want to see needs a real server though. Hard to tell :-)

Hope that helped a little,

Richard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+RkBJWQvEMJfcXlQRAn7xAKCoiFrvFJ8/rejcQ0INcY0k634B+QCgieWd
w/AmiltIWmKra6oFalfNC5c=
=JOyc
-----END PGP SIGNATURE-----

