The Honeynet Project

Many of today's most advanced attacks now happen at the web application layer.  This solution is designed to capture information on the latest web application attacks using scalable and easy to deploy low-interaction server honeypots.

Primary Mentor: Thorsten Holz
Student: Lukas Rist
Glastopf is a minimalistic web server emulator written in Python. The honeypot tool collects information about web application-based attacks like for example remote file inclusion, SQL injection, and local file inclusion attacks. Glastopf scans the incoming request for strings like "=http://" or "=ftp://". If this matches, we try to download and analyze the file and respond as close as possible to the attacker's expectations. If we fulfill them, the attacker sends us for example a bot, shell or spreader. Those files could for example be analyzed for IRC information to infiltrate the botnet behind this kind of attacks. The collected data is stored in a MySQL database that can be browsed via a web interface.

 
Deliverables:

• Improvement of the included files parser.
• A central MySQL database to consolidate the collected data.
• The central vulnerability database: The Google dork list could be automatically extended by unknown attack strings.
• A template system for common web applications to provide a larger attack surface for the honeypot.
• External interfaces to Glastopf such that other projects can also integrate the collected information.
• Informing owners of compromised web pages with the information collected in the central database.
• Project documentation in the TRAC wiki.
• Analysis of the collected files.
• Statistical analysis of the collected attack information.
• Code cleanup. There are many lines to revise.

 
Timeline:
From 23.05.2009:

• Coding start

Due 20.06.2009:

• Central Database
• Vulnerability Database

Due 20.07.2009:

• Improved file parser and analysis
• Template system
• Statistical analysis

Due 05.08.2009:

• Documentation
• Code cleanup

10.08.2009:

• Pencils down