isc.sans.org announced today the Alpha availability of the DShield Web Honeypot:
“The goal of the Web honeypot project is in line with the original DShield project, the data collected through the sensors feed the DShield web database where human volunteers as well as machines pore through the data looking for abnormal trends and behavior. In addition, we would like to use the honeypot data to measure web attack prevalence and find objective metrics to recommend protective measures. The data collected will also be shared with the research community upon request later this year and be made available in aggregated form via the DShield website.”
As with the classic DShield service, you’ll be able to submit your logs to SANS for further processing and correlation. How does it work? You install the honeypot on a machine (preferably a dedicated machine or a virtual one), which will receive all the garbage sent to the HTTP port (80). Requests will be logged and sent to ISC.
I read the FAQ and found an interesting question: “Is it legal?” Their answer is quite fuzzy. I would say that honeypots are legal as long as you don’t attract the bad guys. Example: if you announce “DivX for free” on a homepage and catch/log them, it’s illegal. On the other hand, if they come by themselves, it’s legal.
Check out the website for more information.