Honeypots mailing list archives

Re: Simulating web traffic


From: Valdis.Kletnieks () vt edu
Date: Wed, 16 Jun 2004 15:59:36 -0400

On Wed, 16 Jun 2004 15:50:54 EDT, PCSage Information Services said:
> Would it not make sense to use valid logs to simulate user activity??
> i.e. have a perl script parse some old logs (perhaps a database of logs
> so that they can be refreshed periodically so as to not look
> manufactured) and use these old logs to mimic the traffic already
> received? you can have the script use 3rd party proxy servers (i.e.
> anonymizer) to simulate the connections coming externally. Worthy of
> investigation me thinks...

I think that would fall under "heavy modification of a spider" ;)

But yes, you'd have to do something like that to make it look right..

Again though - if your *normal* live traffic has one distribution (such as
"scattered all over every DSL and cablemodem provider in the US" or
"different users from all over the corporate net"), funnelling all the requests
through one (or a small number of) anonymizer will still be pretty obvious. :)

Here's the simple test - take your production webserver logfile summary tool
that produces hits/sources/time spent/top pages reports, and feed it your
production logfile.

Now feed your honeypot faked love to it, and see if it "looks different".  If
it does, you can plan that the attacker will notice that too, when they run
the same tools....
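
An added example, not part of the original post: a minimal version of the comparison described above, for a honeypot operator checking whether a simulated log stands out from production on the numbers a hits/sources/top-pages report would show. It assumes Common Log Format; the metric names, the 0.25 tolerance and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "METHOD path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+')

def profile(lines):
    """Summarise a log the way a hits/sources/top-pages report would."""
    sources, pages = Counter(), Counter()
    for line in lines:
        m = CLF.match(line)
        if m:  # lines that are not valid CLF are skipped
            sources[m.group(1)] += 1
            pages[m.group(2)] += 1
    hits = sum(sources.values())
    if hits == 0:
        raise ValueError("no parseable log lines")
    return {
        "hits": hits,
        "sources": len(sources),
        "source_ratio": len(sources) / hits,  # distinct sources per hit
        "top_source_share": sources.most_common(1)[0][1] / hits,
        "top_page_share": pages.most_common(1)[0][1] / hits,
    }

def looks_different(prod_lines, fake_lines, tolerance=0.25):
    """Return the ratio metrics on which the two logs differ by more than tolerance."""
    prod, fake = profile(prod_lines), profile(fake_lines)
    ratios = ("source_ratio", "top_source_share", "top_page_share")
    return sorted(k for k in ratios if abs(prod[k] - fake[k]) > tolerance)

def _line(host, path):
    # Constructed sample line using documentation-range addresses.
    return f'{host} - - [16/Jun/2004:15:00:00 -0400] "GET {path} HTTP/1.0" 200 512'

PATHS = ["/", "/a", "/b", "/", "/c", "/", "/a", "/d"]
# Constructed "production" log: every hit comes from a different client.
PROD = [_line(f"198.51.100.{i}", p) for i, p in enumerate(PATHS, 1)]
# Constructed "honeypot" log: the same pages replayed through two proxies.
FAKE = [_line(h, p) for h, p in zip(["192.0.2.10", "192.0.2.11"] * 4, PATHS)]

if __name__ == "__main__":
    print(looks_different(PROD, FAKE))
```

The page mix is identical in both samples, so only the source-related metrics are flagged, which is the distribution mismatch the post describes.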
