[Dshield] Web honeypot project

Tomas L. Byrnes tomb at byrneit.net
Mon Apr 27 04:09:41 GMT 2009


Snort logs are correlated by a project that Matt Jonkman runs over @ EmergingThreats called Sidreporter. 

http://doc.emergingthreats.net/bin/view/Main/SidReporter

http://www.emergingthreats.org/index.php/sidreporter-statistics.html

From: list-bounces at lists.sans.org [mailto:list-bounces at lists.sans.org] On Behalf Of Irrational Pi
Sent: Tuesday, March 03, 2009 8:35 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Web honeypot project

How about just sending a destination-mulched Apache error.log for pages requested with no corresponding production page? It gives you the URL probed with no additional tools required. I've been using it happily for almost 2 years.

On Wed, Feb 18, 2009 at 1:41 PM, John Hardin <jhardin at impsec.org> wrote:

On Tue, 17 Feb 2009, CunningPike wrote:

> On Tue, 2009-02-17 at 10:43 -0800, John Hardin wrote:
>> On Tue, 17 Feb 2009, John Hardin wrote:
>
>> ...and, of course, requests for any FrontPage cruft, or ASP, or
>> ASP.NET, or any of the other SSI stuff I don't support.
>

> There are already snort sigs for the majority of these - perhaps you
> might consider submitting snort logs instead?

...you're assuming I run snort on my production server... :)

And wouldn't snort only log _already known_ attacks and vulnerabilities?
DShield is, among other things, an attempt to detect _new_ attacks in a
timely manner.

Does DShield even accept snort logs?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174     pgpk -a jhardin at impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------

  Look at the people at the top of both efforts. Linus Torvalds is a
  university graduate with a CS degree. Bill Gates is a university
  dropout who bragged about dumpster-diving and using other peoples'
  garbage code as the basis for his code. Maybe that has something to
  do with the difference in quality/security between Linux and
  Windows.                           -- anytwofiveelevenis on Y! SCOX
-----------------------------------------------------------------------

 4 days until George Washington's 277th Birthday
_______________________________________________
Dshield mailing list
Dshield at lists.sans.org
To change your subscription options (or unsubscribe), see: https://lists.sans.org/mailman/listinfo/list
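The error.log approach Irrational Pi describes above, worked through as an added example (this is not code from the thread or from DShield): it parses Apache 2.2-style error.log entries, keeps only the "File does not exist" events, strips the local DocumentRoot so the report shows the probed URL rather than the server's filesystem layout (the "destination-mulched" part), drops a few paths that legitimate clients also request and miss, and tallies what was probed. The sample log lines, the DocumentRoot value and the benign-miss list are constructed assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample Apache 2.2-style error.log lines (not from the thread).
SAMPLE_ERROR_LOG = """\
[Sun Apr 26 10:15:33 2009] [error] [client 192.0.2.10] File does not exist: /var/www/html/_vti_bin/shtml.exe
[Sun Apr 26 10:15:34 2009] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/root.exe
[Sun Apr 26 10:16:02 2009] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
[Sun Apr 26 10:16:40 2009] [error] [client 203.0.113.5] File does not exist: /var/www/html/admin/login.asp, referer: http://www.example.org/
[Sun Apr 26 10:17:00 2009] [notice] caught SIGTERM, shutting down
"""

# Assumption: the server's DocumentRoot; this prefix is what gets mulched out.
DOCUMENT_ROOT = "/var/www/html"

# Paths that ordinary browsers request and routinely miss; dropped to cut noise.
BENIGN_MISSING = {"/favicon.ico", "/robots.txt", "/apple-touch-icon.png"}

# Apache 2.2 error.log layout: [timestamp] [level] [client IP] message[, referer: URL]
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>.+?)(?:, referer: (?P<ref>.*))?$"
)


def mulch(path, docroot=DOCUMENT_ROOT):
    """Strip the local DocumentRoot so only the requested URL path remains."""
    if path.startswith(docroot):
        path = path[len(docroot):]
    return path or "/"


def extract_probes(log_text, docroot=DOCUMENT_ROOT):
    """Return one record per request for a page that does not exist on the server."""
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a missing-file error (e.g. a [notice] line)
        url = mulch(m.group("path").strip(), docroot)
        if url in BENIGN_MISSING:
            continue
        probes.append({"ts": m.group("ts"), "src": m.group("ip"), "url": url})
    return probes


def summarize(probes):
    """Count how often each probed URL was requested."""
    return Counter(p["url"] for p in probes)


def format_report(probes):
    """Tab-separated lines of timestamp, source address and probed URL."""
    return "\n".join(f"{p['ts']}\t{p['src']}\t{p['url']}" for p in probes)


if __name__ == "__main__":
    found = extract_probes(SAMPLE_ERROR_LOG)
    print(format_report(found))
    for url, n in summarize(found).most_common():
        print(f"{n:4d}  {url}")
```

Only the error-level "File does not exist" lines are reported, so configuration errors and notices never leave the box, and the DocumentRoot prefix is removed before anything is written out. On a site with many legitimately missing pages, the benign list is where to add them.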
