
I'm working on an enterprise honeypot framework with an emphasis on internal honeypots that alert a network administrator as soon as an attacker messes with them. An example would be a fake phpMyAdmin page that alerts a security engineer as soon as it receives a POST request.

It's closed source but I've finished the architecture for the software and a couple of the services (MySQL, Web, FTP). They are really cool in my opinion. I'm writing this in Java (yuck but great at the same time), so packaging each service as a Jar file makes deployment super super easy.

It's actually been really successful thus far (and really easy to write, only a few hundred lines). I think enterprises need to use more "trickery" in their security systems, and I don't think a framework existed for this previously. It is really powerful to know that

if (honeypotTouched){ //critical alert }

A lot of honeypot software is old and does not send you alerts when something bad happens to it. Most are external facing. I guess a better name for this is "canary". I got the idea my second time sitting through mubix's "Attacker Ghost Stories" talk.



That does sound pretty interesting, though I'm not sure if the enterprise folk would pay for it.

I know on my personal hosts I tend to grep the access logs for requests to /wp-admin, /phpmyadmin, and blacklist IPs that make requests to them. I should probably just switch to using fail2ban to do the processing, but I like the notices posted to my internal xmpp server.

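The detection logic both comments describe, as an added example that is not code from either poster (the original framework is closed-source Java; this is an independent Python sketch): parse web-server access log lines, treat a fixed set of canary paths (/phpmyadmin, /wp-admin) as "honeypot touched", rate a POST to one of them as the critical alert the first comment wants (someone submitted credentials to a fake login page) and any other touch as a warning, and collect the offending source IPs for a blocklist as in the grep-and-blacklist routine of the second comment. The log lines, the combined-log format, the canary prefixes and the alert levels are all assumptions made for this example; the alert sink (xmpp, fail2ban, SIEM) is left as a plain string so it can be wired to anything.

```python
"""Flag requests to canary paths in web-server access logs (added example)."""
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 1452 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:13:57:12 +0000] "GET /wp-admin/ HTTP/1.1" 200 890 "-" "curl/8.0"
192.0.2.44 - - [10/Oct/2023:13:57:13 +0000] "GET /about HTTP/1.1" 200 1200 "-" "curl/8.0"
"""

# Assumed canary paths: the host runs no real phpMyAdmin or WordPress, so
# legitimate users never request these and any hit is a probe.
CANARY_PREFIXES = ("/phpmyadmin", "/wp-admin")

# Enough of the combined log format to recover source IP, method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict of ip/ts/method/path/status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_canary_path(path):
    """True if the request path (query string stripped) lies under a canary prefix."""
    p = path.split("?", 1)[0].lower()
    return any(p == c or p.startswith(c + "/") for c in CANARY_PREFIXES)


def classify(entry):
    """'critical' for a POST to a canary path (credentials submitted to the
    fake login page), 'warning' for any other touch, None for normal traffic."""
    if not is_canary_path(entry["path"]):
        return None
    return "critical" if entry["method"] == "POST" else "warning"


def scan(log_text):
    """Return (alerts, offenders): alert dicts in log order, and a map of
    source IP -> set of alert levels it triggered."""
    alerts = []
    offenders = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        level = classify(entry)
        if level is None:
            continue
        alerts.append({"level": level, "ip": entry["ip"], "ts": entry["ts"],
                       "method": entry["method"], "path": entry["path"]})
        offenders[entry["ip"]].add(level)
    return alerts, offenders


def blocklist(offenders):
    """Sorted list of IPs that touched any canary path, for fail2ban/firewall."""
    return sorted(offenders)


def format_alert(alert):
    """One-line message suitable for an xmpp notice or a SIEM event."""
    return (f"[{alert['level'].upper()}] canary touched: {alert['ip']} "
            f"{alert['method']} {alert['path']} at {alert['ts']}")


if __name__ == "__main__":
    found, ips = scan(SAMPLE_LOG)
    for a in found:
        print(format_alert(a))
    print("blocklist:", ", ".join(blocklist(ips)))
```

Matching on a prefix rather than the exact path keeps the check honest for both `/phpmyadmin/` and `/phpmyadmin/index.php`, and the query string is stripped first so `/wp-admin/?foo=1` is still caught; anything the parser cannot read is skipped rather than raising, since a log-tailing alerter must not die on one malformed line.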

Hey I appreciate the response. I'm honestly not sure if they will buy it. If it's cheap enough and portable enough I feel it could be extremely effective in drawing attention from attackers.

If not I guess I'll just open source it and turn it into a con talk =).



