Many of today's most advanced attacks now happen at the web application layer. This solution is designed to capture information on the latest web application attacks using scalable and easy to deploy low-interaction server honeypots.
Primary Mentor: Thorsten Holz
Student: Lukas Rist
Glastopf is a minimalistic web server emulator written in Python. The honeypot tool collects information about web application-based attacks like for example remote file inclusion, SQL injection, and local file inclusion attacks. Glastopf scans the incoming request for strings like "=http://" or "=ftp://". If this matches, we try to download and analyze the file and respond as close as possible to the attacker's expectations. If we fulfill them, the attacker sends us for example a bot, shell or spreader. Those files could for example be analyzed for IRC information to infiltrate the botnet behind this kind of attacks. The collected data is stored in a MySQL database that can be browsed via a web interface.
Before we are getting worse than Duke Nukem Forever, we decided to finally release the next generation of the web application honeypot Glastopf, aka GlastopfNG!
The number of attacks against the Webhoneypot depends strongly on his PHP parser. So keeping the pattern matching mechanism up to date was one of the major future works. One of my goals for the Google Summer of Code time is to improve the parser and to reduce upcoming changes in attack patterns. The old parser was very simple: collect all lines containing echo calls, look for known patterns and generate the appropriate response.
Last saturday I've finally released a new Glastopf version. There are some new features and many changes under the hood.
Hello, this initial blog post is used to introduce me and to provide a brief overview of my GSoC Project.
My name is Lukas Rist (my personal blog) and I am currently studying Math and Physics at the University of Kaiserslauter in Germany. This is my first time in GSoC and I will be working with Thorsten Holz on Glastopf, a Web Application Honeypot.