Starting out with Glastopf
I’ve been lax in writing up my initial experience with Glastopf. For those new to it, Glastopf was initially created by Lukas Rist as part of the Google Summer of Code program, in collaboration with the Honeynet Project and Thorsten Holz.
I must admit that I found the installation of Glastopf to be a complete nightmare, although this is mostly due to my system’s lack of some of the Python prerequisites, which I needed to compile from source, which in turn had other unmet prerequisites, which in turn… you get the idea. But I did manage to get my install complete eventually, and have learnt a few things in the process, so it can’t be all bad.
At this point I also need to thank the guys from the #glastopf IRC channel on Freenode. The advice and suggestions provided made the job much easier than it could have been, and simplified my initial testing of the system once it was working.
My Glastopf system has been running for a couple of weeks and I’m starting to take a closer look at the logs being recorded. I’m not entirely sure what I was expecting as a result of the install, but I must confess to being a little disappointed so far. As I’m no expert in the realm of web applications, though, the findings may mean more to those with more insight.
Overall I have logged several scans for various resources, which I assume were looking for vulnerabilities in installed services. Nothing too unexpected: for example, scans for Roundcube mail or phpMyAdmin installations.
I have also found some links to innocuous, legitimate online resources. Again, I am no expert in web attacks (one of my motivations for installing a web honeypot in the first place was to learn more about them), but I am assuming that this was to test the effect of a particular attack vector before providing host systems with malicious URLs, leaving the logs of an unsuccessful attack. If anyone knows I’m wrong, or can provide a better explanation, I’d appreciate a heads up.
With this installation the InfoSanity honeytrap environment is slowly expanding to give a wider and more in-depth understanding of live attack vectors targeting production systems.
– Andrew Waite
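As an added example (not part of the original post, and not Glastopf’s own code), here is a small Python script that tallies honeypot hits per day and separates the kinds of traffic described above: probes for known web applications such as phpMyAdmin and Roundcube, and remote file inclusion attempts whose parameter carries a URL, whether innocuous or not. The log lines are constructed in Apache combined format with documentation-range IPs and hypothetical hosts, since Glastopf’s own log storage is not shown on this page.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined-log style (not Glastopf's own
# storage format); IPs, dates and remote hosts are hypothetical.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Dec/2010:10:01:12 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Dec/2010:10:01:13 +0000] "GET /roundcube/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Dec/2010:11:22:01 +0000] "GET /index.php?page=http://www.google.com/ HTTP/1.1" 200 1024 "-" "libwww-perl/5.8"
203.0.113.9 - - [21/Dec/2010:11:22:05 +0000] "GET /index.php?page=http://example.net/id.txt? HTTP/1.1" 200 1024 "-" "libwww-perl/5.8"
192.0.2.4 - - [21/Dec/2010:12:00:00 +0000] "GET /about.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Only the fields needed here: client IP, day, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
KNOWN_APPS = ("phpmyadmin", "roundcube")  # apps the post saw being scanned for


def classify(target):
    """Return ('rfi', remote_host), ('app-scan', app) or ('other', None)."""
    parts = urlsplit(target)
    # An absolute URL in any query value is the signature of a remote file
    # inclusion attempt; the host is recorded so benign test URLs stand out.
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        v = value.lower()
        if v.startswith(("http://", "https://", "ftp://")):
            return "rfi", urlsplit(v).hostname
    path = parts.path.lower()
    for app in KNOWN_APPS:
        if app in path:
            return "app-scan", app
    return "other", None


def summarize(log_text):
    """Count hits per day and per category, plus the hosts used in RFI attempts."""
    per_day, per_kind, rfi_hosts = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        per_day[m["day"]] += 1
        kind, detail = classify(m["target"])
        per_kind[kind] += 1
        if kind == "rfi":
            rfi_hosts[detail] += 1
    return {"per_day": dict(per_day), "per_kind": dict(per_kind),
            "rfi_hosts": dict(rfi_hosts)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The per-day total is the figure to compare against the expected volume of a working sensor; the RFI host list shows which remote resources the inclusion attempts point at.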
As said in a tweet. Man, get some R&R.
Good research, well done, but seriously, get some rest… ;)
Trying to clear my to-do list for a quiet holiday period. Not worth the grief from family and friends when I try to finish up a bit of coding in the middle of Christmas dinner.
Attempting to actually unplug from the matrix for more than a 24-hour period this year.
Hey Andrew, thank you for the feedback! How many hits did you get? A standard Glastopf Sensor should get more than 1k hits per day. Currently it should be mainly remote file inclusion attacks.
Greetings,
Lukas
Hi Lukas,
thanks for the comment. I’m guessing I’ve still got something that isn’t quite right in my setup then, getting nowhere close to 1k hits per day. Back to the drawing board to see where I’ve got an issue…
Andrew