[Dshield] Web honeypot project

John Hardin jhardin at impsec.org
Tue Mar 3 23:25:25 GMT 2009

On Tue, 3 Mar 2009, Irrational Pi wrote:

> How about just sending a destination-mulched Apache error.log for pages
> requested with no corresponding production page?  It gives you the URL
> probed with no additional tools required.  I've been using it happily for
> almost 2 years.

I'd love to do something like that. I wasn't aware dshield was accepting 
*any* apache logs apart from the redalert submission address, which was 
for a specific attack eight years ago...

Johannes, has something been set up to accept apache logs of suspicious 

> On Wed, Feb 18, 2009 at 1:41 PM, John Hardin <jhardin at impsec.org> wrote:
>> On Tue, 17 Feb 2009, CunningPike wrote:
>>> On Tue, 2009-02-17 at 10:43 -0800, John Hardin wrote:
>>>> On Tue, 17 Feb 2009, John Hardin wrote:
>>>> ...and, of course, requests for any FrontPage cruft, or ASP, or
>>>> ASP.NET, or any of the other SSI stuff I don't support.
>>> There are already snort sigs for the majority of these - perhaps you
>>> might consider submitting snort logs instead?
>> ...you're assuming I run snort on my production server... :)
>> And wouldn't snort only log _already known_ attacks and vulnerabilities?
>> DShield is, among other things, an attempt to detect _new_ attacks in a
>> timely manner.
>> Does DShield even accept snort logs?

  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin at impsec.org    FALaholic #11174     pgpk -a jhardin at impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
   Failure to plan ahead on someone else's part does not constitute
   an emergency on my part.                 -- David W. Barts in a.s.r
  5 days until Daylight Saving Time begins in U.S. - Spring Forward
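
The error.log filtering suggested in the quoted message could look like the following. This is an added example, not code from the thread or from DShield. It assumes "destination-mulched" means stripping the local document root and the referer, which can identify the reporting site; the function names and the /var/www/example docroot are hypothetical.

```python
import re
from collections import Counter

# Apache "File does not exist" entries: 2.2 style, or 2.4 style with extra
# [pid ...] fields, an AHnnnnn code and a client port.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?:\[[^\]]*\]\s+)*?\[client (?P<client>[^\]]+)\]\s+"
    r"(?:AH\d+:\s+)?File does not exist:\s+(?P<path>.*?)(?:, referer: .*)?$"
)
IPV4_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+$")

def munge(line, docroot):
    """Return {time, source, probed} for a missing-file entry, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    root = docroot.rstrip("/")
    path = m["path"]
    if path != root and not path.startswith(root + "/"):
        return None  # outside the docroot: skip rather than leak local layout
    client = IPV4_PORT_RE.sub(r"\1", m["client"])  # drop 2.4-style source port
    # The referer is dropped on purpose: it can name the reporting site.
    return {"time": m["ts"], "source": client, "probed": path[len(root):] or "/"}

def munge_log(lines, docroot):
    """Keep only the missing-file probes, with the destination removed."""
    return [r for r in (munge(l, docroot) for l in lines) if r]

# Constructed sample lines (documentation address ranges, made-up paths).
SAMPLE = [
    "[Tue Mar 03 23:01:10 2009] [error] [client 192.0.2.10] File does not exist: /var/www/example/_vti_bin",
    "[Tue Mar 03 23:01:12 2009] [error] [client 192.0.2.10] File does not exist: /var/www/example/admin/login.asp, referer: http://www.example.org/",
    "[Tue Mar 03 23:02:40 2009] [error] [client 198.51.100.7] script not found or unable to stat: /var/www/cgi-bin/test.cgi",
    "[Tue Mar 03 23:03:05.120000 2009] [core:info] [pid 4121] [client 198.51.100.7:51544] AH00128: File does not exist: /var/www/example/default.aspx",
    "[Tue Mar 03 23:04:00 2009] [notice] caught SIGTERM, shutting down",
]

if __name__ == "__main__":
    records = munge_log(SAMPLE, "/var/www/example")
    for r in records:
        print(r["time"], r["source"], r["probed"], sep="\t")
    for path, n in Counter(r["probed"] for r in records).most_common():
        print(n, path)
```

Entries whose path falls outside the given docroot are skipped rather than passed through, so a misconfigured docroot yields an empty report instead of leaking local paths.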
