HoneyPot? Prolly not...

***tampabay420*** · April 3rd, 2003, 02:16 PM

Hey guys/gals,

> i'm writing a simple application that logs all socket requests on certain ports... i've included the log file it currently creates from port 80 traffic... What other info about the attacker/client would be useful? thank you in advance...

***SirDice*** · April 3rd, 2003, 02:48 PM

Originally posted here by tampabay420
Hey guys/gals,

> i'm writing a simple application that logs all socket requests on certain ports... i've included the log file it currently creates from port 80 traffic... What other info about the attacker/client would be useful? thank you in advance...

How about the (extra) http headers and POST/GET data?

***tampabay420*** · April 3rd, 2003, 03:06 PM

i just took all of that out... as all of that data can be forged quite easily...
i'm really only interested what/where the would-be attacker is doing?
thanks...

***SirDice*** · April 3rd, 2003, 03:08 PM

Originally posted here by tampabay420
i just took all of that out... as all of that data can be forged quite easily...
i'm really only interested what/where the would-be attacker is doing?
thanks...

That's why the headers and the data is important. Most exploits are hidden in this data.

As an example here's a Code Red I captured using nothing more than nc -l -p 80 > codered.txt .

***tampabay420*** · April 3rd, 2003, 03:32 PM

Here is the new Log example

***tampabay420*** · April 3rd, 2003, 03:33 PM

here is a screenshot

i just started this project this morning, so it's Alpha (to say the least

)

***SirDice*** · April 3rd, 2003, 03:52 PM

Originally posted here by tampabay420
here is a screenshot
i just started this project this morning, so it's Alpha (to say the least )

Looks promising. Keep up the good work

Thread: HoneyPot? Prolly not...

Thread Tools

Display

HoneyPot? Prolly not...

Re: HoneyPot? Prolly not...

Posting Permissions