SANS ISC: InfoSec Handlers Diary Blog



Web honeypot Update

Published: 2009-10-26
Last Updated: 2009-10-26 12:59:59 UTC
by Johannes Ullrich (Version: 1)

We just released a significant update to our web honeypot. If you are running it, please update (and make sure automatic updates are enabled).

If you are not running the honeypot yet, here is how to get started:

Prerequisites:

- You will need Apache and PHP (it should work on Windows, but we do most of our testing on Linux).
- You DO NOT need to dedicate an IP address to the honeypot. It will work fine as a virtual host.

Getting Started

- Log in to "My ISC"/"My DShield": https://isc.sans.org/myisc.html
- Click on "My Information": https://isc.sans.org/myinfo.html
- Find the web logs signup form on the page (see image below). Fill in your information.


[Image: honeypot signup form]

- The "Latest honeypot version" link points to the honeypot. Download it.
- Create an empty directory (e.g. /srv/www/vhosts/webhoneypot).
- Uncompress the webhoneypot into this EMPTY directory (tar xzvf webhoneypot.tgz).
- Configure the honeypot using our configure script: lib/config.php

The 'docs' directory includes a sample Apache configuration (honeypot.dshield.org.conf). You will need to adjust the directory path in it to match your installation.

Please let me know if you are running into any issues, and THANKS a lot for your help. The data will be publicly available to anybody interested in helping us analyze the data.

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute