[Dshield] Web honeypot project

John Hardin jhardin at impsec.org
Tue Feb 17 18:43:54 GMT 2009


On Tue, 17 Feb 2009, John Hardin wrote:

> On Tue, 17 Feb 2009, Johannes B. Ullrich wrote:
>
>> If you filter too tightly, then you will only send us a biased view of
>> the attacks you see. For example, I consider a script one of our
>> handlers (Robert Danford) wrote which collects PHP file inclusion
>> attempts. It works very well to identify malware URLs spreading via file
>> inclusion, but it totally misses other attacks.
>
> There's a limit to the resources I can devote to a featureful honeypot,
> and I don't run PHP on my production web server. What I was thinking was
> shipping logs of any request for any .php file from my production server.
> That I can do quite easily. Is that too filtered to be useful?

...and, of course, requests for any FrontPage cruft, or ASP, or ASP.NET,
or any of the other SSI stuff I don't support.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin at impsec.org    FALaholic #11174     pgpk -a jhardin at impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The first time I saw a bagpipe, I thought the player was torturing
   an octopus. I was amazed they could scream so loudly.
                                         -- cat_herder_5263 on Y! SCOX
-----------------------------------------------------------------------
  5 days until George Washington's 277th Birthday
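The approach sketched in this thread, selecting requests for server-side technologies a host does not actually run (PHP, FrontPage, ASP, ASP.NET, SSI) out of an ordinary access log so they can be shipped to a honeypot project, can be done with a small log filter. The script below is an added example and is not code from DShield, the list, or the poster; the log lines are constructed samples in Apache combined format, and the suffix and FrontPage path lists are assumptions about what a given server does not serve. It also reports how many requests the filter discarded, which is the figure you need to judge the "too filtered to be useful" question raised above: the larger the unmatched share, the more of the attack picture the submission omits.

```python
import re
import sys
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Feb/2009:18:40:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.11 - - [17/Feb/2009:18:40:02 +0000] "GET /admin/config.php?page=http://203.0.113.5/x.txt HTTP/1.1" 404 312 "-" "libwww-perl/5.8"
192.0.2.12 - - [17/Feb/2009:18:40:03 +0000] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 404 298 "-" "Mozilla/4.0"
192.0.2.13 - - [17/Feb/2009:18:40:04 +0000] "GET /login.aspx HTTP/1.1" 404 301 "-" "Mozilla/5.0"
192.0.2.14 - - [17/Feb/2009:18:40:05 +0000] "GET /~jhardin/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.15 - - [17/Feb/2009:18:40:06 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 290 "-" "curl/7.19"
"""

# Assumed list of technologies this server does not run, keyed by URL suffix.
# Adjust to match what your own server actually serves.
UNSUPPORTED_SUFFIXES = {
    ".php": "php", ".php3": "php", ".php4": "php", ".php5": "php", ".phtml": "php",
    ".asp": "asp", ".asa": "asp",
    ".aspx": "aspnet", ".asmx": "aspnet", ".ashx": "aspnet", ".axd": "aspnet",
    ".shtml": "ssi", ".shtm": "ssi", ".stm": "ssi",
}

# Apache common/combined log prefix: client, ident, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    target: str
    status: int
    category: str
    raw: str


def classify(target: str) -> Optional[str]:
    """Return the unsupported-technology category a request targets, or None."""
    path = urlsplit(target).path.lower()
    # FrontPage Server Extensions live under /_vti_* directories, so match on
    # path segments rather than on a file suffix.
    if any(seg.startswith("_vti_") for seg in path.split("/")):
        return "frontpage"
    return UNSUPPORTED_SUFFIXES.get(PurePosixPath(path).suffix)


def filter_log(text: str) -> Tuple[List[Hit], Dict[str, int]]:
    """Select requests for technologies this server does not run.

    Returns the selected entries and a tally that includes how many parseable
    requests were discarded, so the operator can see how much is being left out.
    """
    hits: List[Hit] = []
    stats: Dict[str, int] = {"total": 0, "unparsed": 0, "unmatched": 0}
    for line in text.splitlines():
        if not line.strip():
            continue
        stats["total"] += 1
        m = LOG_RE.match(line)
        if not m:
            stats["unparsed"] += 1
            continue
        category = classify(m.group("target"))
        if category is None:
            stats["unmatched"] += 1
            continue
        stats[category] = stats.get(category, 0) + 1
        hits.append(Hit(m.group("ip"), m.group("ts"), m.group("method"),
                        m.group("target"), int(m.group("status")), category, line))
    return hits, stats


if __name__ == "__main__":
    # Read a log file named on the command line, else use the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    selected, tally = filter_log(data)
    for h in selected:
        print(f"{h.category:10} {h.ip:15} {h.method} {h.target} -> {h.status}")
    print("tally:", tally)
```

Running it on the sample keeps the PHP, FrontPage and ASP.NET requests and reports three discarded requests alongside them; on a real log the `unmatched` count is what tells you how much of the traffic a suffix-only filter never forwards, which is the bias the earlier reply warns about.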
