Honeypots mailing list archives
Re: Simulating web traffic
From: Valdis.Kletnieks () vt edu
Date: Wed, 16 Jun 2004 15:59:36 -0400
On Wed, 16 Jun 2004 15:50:54 EDT, PCSage Information Services said:
> Would it not make sense to use valid logs to simulate user activity?? i.e. have a perl script parse some old logs (perhaps a database of logs so that they can be refreshed periodically so as to not look manufactured) and use these old logs to mimic the traffic already received? You can have the script use 3rd party proxy servers (i.e. anonymizer) to simulate the connections coming externally. Worthy of investigation, methinks...
I think that would fall under "heavy modification of a spider" ;) But yes, you'd have to do something like that to make it look right..

Again though - if your *normal* live traffic has one distribution (such as "scattered all over every DSL and cablemodem provider in the US" or "different users from all over the corporate net"), funnelling all the requests through one (or a small number of) anonymizer will still be pretty obvious. :)

Here's the simple test - take your production webserver logfile summary tool that produces hits/sources/time spent/top pages reports, and feed it your production logfile. Now feed your honeypot faked log to it, and see if it "looks different". If it does, you can plan that the attacker will notice that too, when they run the same tools....
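The "simple test" from the message above, sketched as an added example that is not part of the original thread: it summarizes two access logs and compares how concentrated the request sources are. It assumes Common Log Format; the function names, the 0.25 tolerance and the sample lines are constructed for illustration.

```python
import math
import re
from collections import Counter

# Common Log Format: host ident user [time] "METHOD path proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (\S+)[^"]*" (\d{3}) \S+')

def summarize(lines):
    """Hits, distinct sources, top-source share, source entropy, top pages."""
    sources, pages = Counter(), Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        sources[m.group(1)] += 1
        pages[m.group(2)] += 1
    hits = sum(sources.values())
    if hits == 0:
        return {"hits": 0, "sources": 0, "top_share": 0.0,
                "entropy_bits": 0.0, "top_pages": []}
    probs = [n / hits for n in sources.values()]
    return {"hits": hits, "sources": len(sources),
            "top_share": max(probs),  # fraction of hits from the busiest source
            "entropy_bits": -sum(p * math.log2(p) for p in probs),
            "top_pages": [p for p, _ in pages.most_common(3)]}

def looks_different(prod, fake, tolerance=0.25):
    """True if the busiest source's share of hits differs by more than
    `tolerance` (an assumed threshold; tune it against real reports)."""
    return abs(prod["top_share"] - fake["top_share"]) > tolerance

def clf_line(ip, path):
    # Helper that builds a constructed sample log line.
    return f'{ip} - - [16/Jun/2004:15:00:00 -0400] "GET {path} HTTP/1.0" 200 512'

PATHS = ["/", "/a", "/", "/b", "/", "/c"]
# Constructed "production" sample: every hit from a different source.
PROD_SAMPLE = [clf_line(f"198.51.100.{i}", p) for i, p in enumerate(PATHS, 1)]
# Constructed "honeypot" sample: same pages replayed through two proxies.
FAKE_SAMPLE = [clf_line(ip, p) for ip, p in
               zip(["192.0.2.10"] * 4 + ["192.0.2.11", "192.0.2.10"], PATHS)]

if __name__ == "__main__":
    prod, fake = summarize(PROD_SAMPLE), summarize(FAKE_SAMPLE)
    print("production:", prod)
    print("honeypot:  ", fake)
    print("looks different:", looks_different(prod, fake))
```

In the constructed samples the top-pages report is identical for both logs, and only the source distribution gives the replayed traffic away.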
Current thread:
- Simulating web traffic Aitor Facio Valero (Jun 16)
- Re: Simulating web traffic Lorenzo Hernandez Garcia-Hierro (Jun 16)
- Re: Simulating web traffic Valdis . Kletnieks (Jun 16)
- Re: Simulating web traffic Lorenzo Hernandez Garcia-Hierro (Jun 16)
- Re: Simulating web traffic PCSage Information Services (Jun 16)
- Re: Simulating web traffic Valdis . Kletnieks (Jun 16)
- Re: Simulating web traffic Valdis . Kletnieks (Jun 16)
- Re: Simulating web traffic Lorenzo Hernandez Garcia-Hierro (Jun 16)