I’ve been lax in writing up my initial experience with Glastopf. For those new to it, Glastopf is a web honeypot initially created by Lukas Rist as part of the Google Summer of Code program in collaboration with the Honeynet Project and Thorsten Holz.
I must admit that I found the installation of Glastopf to be a complete nightmare. This is mostly due to my system’s lack of some of the Python prerequisites, which I needed to compile from source, which in turn had other unmet prerequisites, which in turn… you get the idea. But I did manage to complete my install eventually, and I have learnt a few things in the process, so it can’t be all bad.
At this point I also need to thank the guys from the #glastopf irc channel on freenode. The advice and suggestions provided made the job much easier than it could have been, and simplified my initial testing of the system once working.
My Glastopf system has been running for a couple of weeks and I’m starting to take a closer look at the logs being recorded. I’m not entirely sure what I was expecting as a result of the install, but I must confess to being a little disappointed so far. As I’m no expert in the realm of web applications, the findings may mean more to those with more insight.
Overall I have logged several scans for various resources, which I assume are looking for vulnerabilities in installed services. Nothing too unexpected, for example scans for Roundcube mail or phpMyAdmin installations.
I have also found some links to innocuous, legitimate online resources. Again, I am no expert with web attacks (one of my motivations for installing a web honeypot in the first place was to learn more about them), but I am assuming that this was to test the effect of a particular attack vector before providing host systems with malicious URLs; the logs show the attempt was unsuccessful. If anyone knows I’m wrong, or can provide a better explanation, I’d appreciate a heads up.
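To make the two patterns described above concrete (scans for installed web apps such as phpMyAdmin and Roundcube, and requests whose query parameter carries an outside URL, the shape of a remote file inclusion attempt, whether pointed at a harmless test site or not), here is a small log-triage script. It is an added example, not Glastopf’s code or the author’s; the probe path list and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined-log style request line; only the request target is used here.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Paths scanners request when looking for installed web apps. The post mentions
# Roundcube and phpMyAdmin; this list is an assumption, extend it for your sensor.
PROBE_PATHS = ("/phpmyadmin", "/roundcube", "/webmail")

# A query parameter whose value is itself an absolute URL is the classic shape of a
# remote file inclusion (RFI) attempt: the app is being asked to fetch remote content.
URL_VALUE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def classify_request(line):
    """Return (label, detail) for one access-log line."""
    m = LOG_RE.search(line)
    if not m:
        return ("unparsed", "")
    parts = urlsplit(m.group("target"))
    path = parts.path.lower()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if URL_VALUE_RE.match(value):
            # Keep the remote host: a legitimate site here may be a harmless test
            # of the vector, as the post suggests, so it is worth tracking separately.
            return ("rfi", f"{name}={urlsplit(value).netloc}")
    if any(path.startswith(p) for p in PROBE_PATHS):
        return ("probe", path)
    return ("other", path)


def summarize(lines):
    """Count labels over many lines: a quick view of what the sensor is seeing."""
    counts = {}
    for line in lines:
        label, _ = classify_request(line)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample lines (not real traffic); addresses and hosts are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2010:10:12:01 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 512',
    '203.0.113.5 - - [10/Dec/2010:10:12:02 +0000] "GET /roundcube/ HTTP/1.1" 404 512',
    '198.51.100.9 - - [10/Dec/2010:11:03:44 +0000] "GET /index.php?page=http://example.com/ HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Dec/2010:11:03:45 +0000] "GET /index.php?page=http://remote-host.example/x.txt? HTTP/1.1" 200 2048',
    '192.0.2.7 - - [10/Dec/2010:12:00:00 +0000] "GET /about.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify_request(line))
    print(summarize(SAMPLE_LOG))
```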
With this installation the InfoSanity honeytrap environment is slowly expanding to give a wider and more in-depth understanding of live attack vectors targeting production systems.
— Andrew Waite
As said on a tweet: man, get some R&R 🙂 Good research, well done, but seriously get some rest…;)
Trying to clear my to-do list for a quiet holiday period. Not worth the grief from family and friends when I try to finish up a bit of coding in the middle of Christmas dinner 😉 Attempting to actually unplug from the matrix for more than a 24-hour period this year.
Hey Andrew, thank you for the feedback! How many hits did you get? A standard Glastopf Sensor should get more than 1k hits per day. Currently it should be mainly remote file inclusion attacks.
Greetings,
Lukas
Hi Lukas,
thanks for the comment. I’m guessing I’ve still got something that isn’t quite right in my setup then, as I’m getting nowhere close to 1k hits per day. Back to the drawing board to see where I’ve got an issue…
Andrew
Hi Andrew,
I’m trying to get glastopf and glastopfng up and running, but I’m having some problems with that. Can you share the way you set up the systems?
Regards,
Afraid I don’t run Glastopf any more so can’t help too much. I ran into several problems and issues whilst setting up, likely similar issues that you’re finding now. As I run my sensors in my own time on top of a long work schedule I found I gained a better ROI from other honeypot systems.
I am still really interested in the Glastopf, and think the information that it’s designed to collect holds a definite interest. If you’re struggling with setup I’d suggest jumping into the glastopf irc channel, I got some great and rapid responses from Lukas and the rest of the channel.
Okay, which Honeypot do you recommend then? Dionaea?
I have Kippo, Dionaea, etc running. Do you suggest I stick with Dionaea? I’m running it from the Mercury-dvd you posted once, but I’m thinking on moving to a clean install of it on a separate system.
Any suggestions would be really helpful to me.
Ultimately depends what you’re hoping to gain from running honeypot sensors. I wouldn’t try to dissuade anyone from using Glastopf or any other system, just that I don’t have enough experience with Glastopf to be any help.
I’ve tried running most honeypot systems I’ve been able to get my hands on, and written about most of my experiences here. Each system takes a different tack and provides different information.
I’ve scaled my honeypot farm back recently as I was needing to spend less time in my lab. I now just run Dionaea and Kippo, for the most part they just look after themselves with any problems. Plus both systems are actively developed, so when I do find extra time to play with new toys, I can build in some additional functionality to my existing systems without needing to build and learn new frameworks.
As I said first, the technology depends on exactly what you’re looking to gain from it. Just about everyone I know that uses honeypot systems uses a different selection and configuration to match their needs.
Sorry if that doesn’t help too much; the best advice I can give is to dive into everything and see what works best for you.
Andrew, what I’m willing to gain is the same as yours: “study malware behavior”. I will install & configure Kippo+Dionaea then, just like you.
Are there any tools you use on top of those? For analysis or monitoring or anything you might find useful to tell me about, I would appreciate it.
Thanks for your reply.
Hello,
I was just going through your review and comments and it seems you know quite a lot about honeypots, so I was wondering if you could help me out. I am a year 3 ICT student and my project this semester is constructing a low interaction HoneyNet. I should be able to emulate services and such, however I am not an expert in Python, nor do I know the first thing about it, and my deadline is not so far away.
If you could be so kind as to point me to a few useful resources on creating low interaction HoneyNets (HoneyPot) I would much appreciate it.
Thank you.
Hi Sarah,
apologies for the delayed response, got carried away with a trip to London last week for BSides.
If you’re looking at building a honeynet I’d look no further than as a great basis for emulating multiple hosts/services rapidly. Using this as a basis you should be able to then write additional modules to either emulate services not already provided or analysis scripts for generating more useful information from the gathered statistics, hopefully giving you a meaty and real-world project to sink your teeth into for your course.
However, if you’re needing to build a new honeynet from scratch I can’t help too much; personally I leave that side of the projects to people far smarter than I am (I learnt to be humble after failing to improve on Nagios for my own dissertation project). Best advice here would be to read (not cut&paste) the source code from existing honeynets so that you don’t have to invent all the wheels from scratch.
Good luck with your project, if your deadline is close you may need it. Let us know how you get on, and share any new modules/scripts/tools with the community if possible; everyone likes new toys to take for a spin.
Andrew
Thanks for replying back. I asked my supervisor and lucky for me I won’t have to create a honeyNet from scratch. I’ll be using honeyd and change a few scripts here and there. I will start my implementation tomorrow, so I’m hoping everything goes smoothly.
If I do come across something useful I will share it with the community, thanks again.
Sarah
Hi, I am interested in Glastopf, but after installing it I don’t know how to use it. So can you give me some advice so that I am clearer on how to progress with Glastopf?
Hi Bernard,
Glastopf can be a real pain to get up and running. Thankfully the devs are ultra helpful; jump into the IRC channel and you should get a mountain of assistance.