Honeypots mailing list archives
Re: regarding http emulation
From: Richard Stevens <mail () richardstevens de>
Date: Sun, 9 Feb 2003 12:49:27 +0100
PLEASE let me know what is the use of http emulation for honeypots. Like in telnet and ftp emulation ... we are keeping track of the activities of attacker ... but how does HTTP EMULATION HELP HONEYPOT GAIN INFORMATION ABOUT THE ATTACKER.
Hi,

this depends mainly on what you intend to see, and the decision on whether or not and how the service is implemented should be based on that intention, too.

Example: If your honeypot is supposed to be an early warning system for worms or some kind of activity sensor for worms, a fake service should be enough. You'll be able to gather information about the number of tried connects and the strings being used. Those connection requests often give information about what tried to connect. This for example is a worm:

[Sun Feb 9 10:29:04 2003] [error] [client 217.210.36.14] File does not exist: gesperrt/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe

In case of a sudden increase in connects you can guess and with your honeypot confirm that there is some new worm in the wild. The fake service makes sure that your system is not going to be infected. If it was a real server, you never know, the new worm might just successfully attack the real server you are running on your honeypot.

Depending on the goals of your honeypot, you might not at all be interested in that kind of data. For that reason it's imho not possible to give a definite answer to your question. A fake server might be enough for you, maybe what you want to see needs a real server though. Hard to tell :-)

Hope that helped a little,
Richard
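The activity-sensor use described in the reply above, as an added example that is not part of the original message: it parses error-log lines in the format quoted there, counts hits per hour and per requested file, and flags a sudden increase. The sample lines, the documentation-range addresses, the thresholds and all function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Error-log line in the format quoted in the message (assumed Apache-style).
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
                     r"File does not exist: (?P<path>.+)$")

def parse(line):
    """Return (hour bucket, client IP, requested path), or None if no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts.replace(minute=0, second=0), m["ip"], m["path"]

def probe_key(path):
    """Group requests by last path component after decoding %xx escapes."""
    decoded = unquote(path).replace("\\", "/")
    return decoded.rstrip("/").rsplit("/", 1)[-1].lower()

def summarize(lines):
    per_hour, per_probe, sources = Counter(), Counter(), set()
    for hour, ip, path in filter(None, map(parse, lines)):
        per_hour[hour] += 1
        per_probe[probe_key(path)] += 1
        sources.add(ip)
    return per_hour, per_probe, sources

def spikes(per_hour, factor=3.0, min_hits=5):
    """Hours whose count exceeds factor x the mean of all earlier hours."""
    flagged, seen = [], []
    for hour, n in sorted(per_hour.items()):
        if seen and n >= min_hits and n > factor * sum(seen) / len(seen):
            flagged.append(hour)
        seen.append(n)
    return flagged

def sample_line(hour, sec, ip, path):  # builds one constructed log line
    return (f"[Sun Feb  9 {hour:02d}:00:{sec:02d} 2003] [error] "
            f"[client {ip}] File does not exist: {path}")

PROBE = "gesperrt/msadc/..%5c../winnt/system32/cmd.exe"  # constructed sample
SAMPLE = [sample_line(h, 1, "192.0.2.10", "gesperrt/robots.txt") for h in (7, 8, 9)]
SAMPLE += [sample_line(10, s, f"198.51.100.{s}", PROBE) for s in range(1, 9)]

if __name__ == "__main__":
    print(spikes(summarize(SAMPLE)[0]))
```

A burst of the same probe from many distinct sources within one hour is the pattern the reply associates with a worm; a burst from a single source would show up as one entry in `sources` instead.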
Current thread:
- regarding http emulation Sujata Y (Feb 09)
- Re: regarding http emulation Richard Stevens (Feb 09)