ENISA honeypots study


Proactive Detection of Security Incidents, page 89: Honeypots

Quality of collected data: Good
GHH logs the details of every request it receives, including the HTTP headers. Using these headers, the honeypot automatically attempts to determine whether the request results from a known reconnaissance query, using selected signatures from the Google Hacking Database (GHDB). Otherwise it checks whether the source is a web spider: GHH can distinguish between several known types of spider, and can use data from the Referer header to detect unknown ones. The honeypot can download malware from remote servers using wget emulation; however, only the PHP Shell emulator uses this feature in the current version.

Scalability and performance: Excellent
The software is implemented entirely in PHP and run by an HTTP server, so handling many simultaneous HTTP sessions and spreading the honeypot across multiple servers poses no problem. Most of the websites emulated by the honeypot are very simple and non-interactive, so the expected performance is very good. Multiple instances of the honeypot can report events to a central server, using XML-RPC as the transport.

Reliability: Good
Each GHH module runs separately, so an unstable module cannot affect the others. The PHP scripts execute in the environment of the HTTP server, so any errors or warnings are logged through the server's standard mechanisms, which greatly simplifies monitoring of the service. During testing, a trivial syntax error was found in one of the honeypot modules that prevented it from running at all, which suggests that the software was not well tested before release.

Extensibility: Excellent
Adding a new honeypot module is easy: relevant documentation is available on the project's website, and a fully functional template is provided as a starting point. The basic modules distributed with the current release consist of roughly 30 lines of PHP code each, thanks to the functionality provided by the GHH core. The existing source code is brief and comprehensible, so modifying it, if required, should not take much effort. The project uses the GPLv2 licence.

Ease of use and setting up: Good
The GHH installation procedure is well documented and takes little time. In the simplest case it requires copying several files, adjusting the GHH logging configuration and placing an invisible link to the URLs handled by the honeypot on an existing page. No special configuration of the operating system or the web server is required (a default Apache installation was used for the tests). All modules may share a single configuration file or use individual ones. However, the configuration is not separated from the GHH source code, which may be regarded as a shortcoming of the solution.

Embeddability: Good
GHH can output data to a CSV file, an SQL database or a remote server over XML-RPC, but the output cannot be customised. Malware collection works only with XML-RPC logging. The honeypot
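The request classification described under "Quality of collected data" (GHDB signature match, known spider by User-Agent, unknown spider via the Referer header) and the XML-RPC event reporting mentioned under "Scalability and performance" and "Embeddability", shown together as an added worked example in Python. This is not GHH's own PHP code. The GHDB-style signature list, the host name www.example.org, the sample requests, the `report` method name and the heuristic that a hit referred by the honeypot's own page came from a crawler following the invisible link are all constructed assumptions for this example.

```python
"""Added example, not GHH project code: classify honeypot hits the way the
page describes GHH doing it, then marshal each event as an XML-RPC `report`
call to a central collector and decode the collector's reply."""
import re
from urllib.parse import parse_qs, urlsplit
from xmlrpc.client import Fault, dumps, loads

HONEYPOT_HOST = "www.example.org"        # assumed: the host carrying the hidden link
SEARCH_HOSTS = ("www.google.", "www.bing.", "search.yahoo.")
# Constructed stand-ins for Google Hacking Database entries: (query pattern, label).
GHDB_SIGNATURES = [
    (re.compile(r'inurl:"?phpshell\.php"?', re.I), "GHDB: PHP shell"),
    (re.compile(r'intitle:"?index of"?.*(?:\.bak|passwd)', re.I), "GHDB: directory listing"),
]
KNOWN_SPIDERS = {"Googlebot": "Googlebot", "bingbot": "bingbot", "Yahoo! Slurp": "Slurp"}


def search_query(referer):
    """Return the search query carried by a search-engine Referer, else None."""
    parts = urlsplit(referer or "")
    if not parts.netloc.startswith(SEARCH_HOSTS):
        return None
    qs = parse_qs(parts.query)
    for key in ("q", "p"):                # Google/Bing use q, Yahoo uses p
        if key in qs:
            return qs[key][0]
    return None


def classify(req):
    """Return (kind, label) for a request dict with path, referer and user_agent."""
    query = search_query(req.get("referer"))
    if query is not None:
        for pattern, label in GHDB_SIGNATURES:
            if pattern.search(query):
                return "recon", label          # known reconnaissance query
        return "search", "search hit, no signature match"
    for needle, name in KNOWN_SPIDERS.items():
        if needle in req.get("user_agent", ""):
            return "spider", name              # known crawler by User-Agent
    # Assumed heuristic: the honeypot URLs are reachable only through an
    # invisible link, so a visitor referred by our own page must be a crawler.
    if urlsplit(req.get("referer") or "").netloc == HONEYPOT_HOST:
        return "spider", "unknown crawler (followed hidden link)"
    return "other", "unclassified"


def marshal_event(sensor_id, req):
    """Sensor side: encode one classified hit as an XML-RPC `report` call."""
    kind, label = classify(req)
    event = {"ip": req["ip"], "path": req["path"], "kind": kind, "label": label}
    return dumps((sensor_id, event), methodname="report")


class Collector:
    """Central side: decode `report` calls from many sensors and keep the events."""
    def __init__(self):
        self.events = []

    def handle(self, xml_request):
        params, method = loads(xml_request)
        if method != "report":
            return dumps(Fault(-32601, "unknown method"))
        sensor_id, event = params
        self.events.append({"sensor": sensor_id, **event})
        return dumps((len(self.events),), methodresponse=True)


SAMPLE_REQUESTS = [  # constructed for this example, not real traffic
    {"ip": "198.51.100.7", "path": "/phpshell/phpshell.php",
     "referer": "https://www.google.com/search?q=inurl%3Aphpshell.php",
     "user_agent": "Mozilla/5.0"},
    {"ip": "203.0.113.9", "path": "/phpshell/phpshell.php", "referer": "",
     "user_agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"},
    {"ip": "192.0.2.3", "path": "/ghh/index.php",
     "referer": "http://www.example.org/", "user_agent": "curl/7.88"},
]


def run(sensor_id="ghh-1", requests=SAMPLE_REQUESTS):
    """Push every sample hit through sensor encoding and collector decoding."""
    collector = Collector()
    for req in requests:
        response = collector.handle(marshal_event(sensor_id, req))
        (count,), _ = loads(response)     # collector acknowledges with its event count
    return collector.events


if __name__ == "__main__":
    for event in run():
        print(event)
```

`run()` returns the collector's event list with the sensor identifier attached to each event. The sensor and collector here exchange the XML-RPC messages in-process through `dumps` and `loads`; to put a real socket between them, serve `Collector.report`-style methods with `xmlrpc.server.SimpleXMLRPCServer` and call them from the sensor through `xmlrpc.client.ServerProxy`.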

