Honeypots mailing list archives

Re: Honeypot webserver question


From: "Elcesar" <elcesar () elcesar net>
Date: Tue, 05 Jul 2005 13:42:19 +0200


There's also another project, called Brcontrol, with a similar idea: you
set up a fw rule to send certain traffic to userlevel memory, and there
with a program (i.e. snort) you set up a mark in some traffic you
consider to redirect to the honeypot and simply accept the other.

You can read a bit more here and download the code:

http://brcontrol.sourceforge.net/

Cesar


You may want to take a look at Bait N Switch:

http://baitnswitch.sourceforge.net/

The project was discontinued long ago and the code never was very
stable, but the ideas still prevail.

JESS

ChayoteMu wrote:
 > I tried to google info on this question but couldn't find anything
 > specific to what I'm after so I'm sending this out to the list. Thanks
 > in advance for any responses.
 > Question:
 > Is it possible to run a web server on a honeypot that will serve the
 > pages and work as a regular server except with the extras of being a
 > honeypot, ie logging and prevention measures? I'm asking because I had
 > an idea for a pair of webservers behind an IDS/Firewall. Regular
 > traffic goes to the primary web server but suspicious traffic gets
 > dumped onto the honeypot server. This lets false positives view the
 > site but not have access to any other services (FTP or anything else
 > on the real server) and gives a good idea of what they'd try to do to
 > the clean server so you could catch 0-days and such. And if you're
 > bored you can update the honeyserver semi-regularly to get all the new
 > goodies on there for attackers to go after (with some changes
 > obviously). I know you can emulate web servers with various methods
 > but I'm curious if there's somebody/group doing that now or a tool
 > anyone knows of for it.
 >




                               ElCesar

