Glastopf
Description
Glastopf is a low-interaction web application honeypot capable of emulating thousands of vulnerabilities in order to gather data from attacks that target web applications. The principle behind it is very simple: reply to each attack with the response the attacker expects from a successful exploitation attempt against the web application.
+--------------------------+
|       Attack event       |
+-------------+------------+
              |
              V
+--------------------------+
|  Vulnerability emulator  |
+-------------+------------+
              |
              V
+--------------------------+
|       Collect data       |
+-------------+------------+
              |
      +-------+-----+
      |             |
      V             V
+----------+  +-------------+
| Database |  | store files |
+-----+----+  +------+------+
      |             |
      +-------+-----+
              |
              V
+--------------------------+
|    Reply to attacker     |
+--------------------------+
For more information, I would recommend that you refer to the excellent technical paper here: http://honeynet.org/files/KYT-Glastopf-Final_v1.pdf.
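To make the pipeline in the diagram concrete, here is an added example (not Glastopf's own code) of a minimal low-interaction handler: it selects an emulator by matching the request target against a rule, records the event in a SQLite table (the "Collect data" and "Database" steps), and returns the canned body that request pattern expects. The two rules, their reply bodies and the sample requests are constructed placeholders, not Glastopf's emulators.

```python
import re
import sqlite3

# Constructed emulator rules (not Glastopf's own): each maps a request
# pattern to the canned body a probe for that weakness would expect to see.
RULES = [
    ("lfi", re.compile(r"(\.\./)+etc/passwd"),
     "root:x:0:0:root:/root:/bin/bash\n"),
    ("rfi", re.compile(r"[?&]\w+=https?://"),
     "<html><body>include succeeded</body></html>\n"),
]
DEFAULT_BODY = "<html><body>It works!</body></html>\n"

def init_db(path=":memory:"):
    """Create the event store used by the 'Collect data' step."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS events ("
                 "id INTEGER PRIMARY KEY, src_ip TEXT, method TEXT, "
                 "target TEXT, emulator TEXT)")
    return conn

def classify(target):
    """Vulnerability emulator selection: first rule whose pattern matches."""
    for name, pattern, _ in RULES:
        if pattern.search(target):
            return name
    return "unknown"

def handle_request(conn, src_ip, request_line):
    """One pass through the pipeline: classify, record, reply.
    Returns (emulator name, HTTP status, body)."""
    method, target, _version = request_line.split(" ", 2)
    name = classify(target)
    conn.execute("INSERT INTO events (src_ip, method, target, emulator) "
                 "VALUES (?, ?, ?, ?)", (src_ip, method, target, name))
    conn.commit()
    body = next((b for n, _, b in RULES if n == name), DEFAULT_BODY)
    return name, 200, body

def event_count(conn, emulator=None):
    """Count recorded events, optionally for a single emulator."""
    if emulator is None:
        return conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]
    return conn.execute("SELECT COUNT(*) FROM events WHERE emulator = ?",
                        (emulator,)).fetchone()[0]

if __name__ == "__main__":
    db = init_db()
    # Constructed sample request lines, as a scanner would send them.
    for line in ("GET /index.php?page=../../../etc/passwd HTTP/1.1",
                 "GET /index.php?inc=http://198.51.100.7/x.txt HTTP/1.1",
                 "GET / HTTP/1.1"):
        print(handle_request(db, "203.0.113.5", line))
```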
Installation
Prerequisites
Packages
$ sudo apt-get install git subversion python2.7 python-openssl python2.7-dev \
    build-essential make
To run the PHP sandbox, you will also need these packages:
$ sudo apt-get install php5-cli php5-dev php5-cgi subversion
evnet module
First you need to install the libev dependency:
$ wget http://dist.schmorp.de/libev/libev-4.18.tar.gz
$ tar xzf libev-4.18.tar.gz
$ cd libev-4.18/
$ ./configure
$ make
$ sudo make install
You should now be able to install evnet:
$ git clone git://github.com/rep/evnet.git
$ cd evnet/
$ sudo python2.7 setup.py install
pyev
$ cd ~/src/
$ svn checkout http://pyev.googlecode.com/svn/trunk/ pyev
$ cd pyev/pyev/
$ sudo python2.7 setup.py install
Installing the PHP sandbox
$ cd ~/src/
$ svn co http://svn.php.net/repository/pecl/apd/trunk apd
$ cd apd/
$ phpize
$ ./configure
$ make
$ sudo make install
At the end of your php.ini file (/etc/php5/cli/php.ini), add these lines:
zend_extension = /usr/lib/php5/20090626+lfs/apd.so
apd.dumpdir = /tmp/apd
apd.statement_tracing = 0
Check that the extension is loaded by issuing the following command:
$ php5-cgi --version
PHP 5.3.6-13ubuntu3.6 with Suhosin-Patch (cgi-fcgi) (built: Feb 11 2012 02:08:18)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies
    with Advanced PHP Debugger (APD) v1.0.2-dev, , by George Schlossnagle
Install Glastopf and apd_sandbox.php
Now it's time to build apd_sandbox.php. To do that, we first check out Glastopf:
$ cd /opt/
$ sudo svn co svn://glastopf.org:9090/glaspot glaspot
$ cd glaspot/trunk/sandbox/
$ sudo make
Configuration
The minimal configuration is to set up the IP and port used by Glastopf. Open the configuration file:
$ sudo vim /opt/glaspot/trunk/glastopf.cfg
and adapt the settings to your environment:
[webserver]
host = 88.191.123.456
port = 80

[hpfeed]
enabled = False
host =
port = 10000
secret =
# channels comma separated
chan = glastopf.events,glastopf.files
ident =
Usage
Start and test the honeypot
Now that everything is configured, it's time to start and test our honeypot. Start it by issuing the following commands:
$ cd /opt/glaspot/trunk/
$ sudo python webserver.py
Reporting
Thank you for your understanding.