Code Red honeypot + SMTP logger/alerter

From: Chad Loder (cloderat_private)
Date: Sun Aug 05 2001 - 21:20:57 PDT


    Hi. I've written a tool in Java which does the
    following:
    
      - listens on port 80 for incoming Code Red
        attacks
    
      - detects the Code Red attack signature and
        logs the attacker's IP, the attack URL, and
        the timestamp
    
      - periodically (every 100 requests or every 30
        minutes, whichever comes first) sends the
        logs via SMTP to the email address(es) of your
        choice
    
    This is for those daring/curious people who aren't
    running a web server (or Snort) already, who feel
    like poking port 80/tcp open in their firewall and
    forwarding it to a machine running this honeypot.
    I've done this on my cable modem and I'm logging about
    3 attacks per minute on a single IP address.
    
    I have my program configured to send mail to the
    ARIS email address <aris-reportat_private>.
    
    The log format is compatible with the SecurityFocus
    ARIS email notification format (see
    http://www.securityfocus.com/templates/archive.pike?end=2001-08-11&list=1&mid=201907&threads=0&start=2001-08-05&fromthread=0),
    but the source code I've attached does not send email to
    the ARIS email address by default (check with ARIS first,
    then uncomment the ARIS recipient line in the source code).
    
    You can use this to send logs to your ISP, to yourself,
    to ARIS, to DShield.org (see program comments) or what
    have you.
    
    You need to change at least two lines in the source code:
    these are the lines which specify your email address and
    your SMTP server. If you want to add additional email
    recipients, it's a trivial change to the source code.
    
    The Java source file is attached to this email. It
    should be safe to open .java source files by default,
    but if you're wary of this sort of thing, let me know
    and I'll paste the source code into a new message.
    
      Chad Loder
      Rapid 7, Inc.
      Visit http://www.rapid7.com for the next generation of security products
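
    The detection and batching behaviour described in the message above, as an added Python example; this is not Chad's Java source, which was only attached to the mail and is not on this page. It assumes the well-known Code Red request shape (a GET for /default.ida with a long run of N or X followed by %u escapes), a minimum run length of 32 chosen for this example, and a plain one-line-per-attack report body rather than the ARIS notification format.

```python
import re
import time
from datetime import datetime, timezone

# Code Red requests hit the .ida ISAPI filter with a long run of 'N'
# (Code Red) or 'X' (Code Red II) followed by %uXXXX escapes. The minimum
# run length of 32 is this example's threshold, not the original tool's.
CODE_RED_RE = re.compile(
    r"^GET\s+(/default\.ida\?(?:N{32,}|X{32,})\S*)\s+HTTP/1\.[01]\s*$")

MAX_BATCH = 100            # flush after this many logged attacks ...
MAX_AGE_SECONDS = 30 * 60  # ... or after 30 minutes, whichever comes first


def detect_code_red(request_line: str):
    """Return the attack URL if the request line matches Code Red, else None."""
    m = CODE_RED_RE.match(request_line)
    return m.group(1) if m else None


class AttackLog:
    """Collects (attacker IP, attack URL, timestamp) and decides when to flush."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so the policy is testable
        self.entries = []
        self.opened_at = now()

    def record(self, src_ip: str, request_line: str) -> bool:
        """Log the request if it is a Code Red hit; return whether it was."""
        url = detect_code_red(request_line)
        if url is None:
            return False
        ts = datetime.fromtimestamp(self._now(), tz=timezone.utc).isoformat()
        self.entries.append((src_ip, url, ts))
        return True

    def should_flush(self) -> bool:
        if not self.entries:
            return False
        return (len(self.entries) >= MAX_BATCH
                or self._now() - self.opened_at >= MAX_AGE_SECONDS)

    def flush(self) -> str:
        """Return the batch as one report body (to hand to SMTP) and reset."""
        body = "\n".join(f"{ip} {url} {ts}" for ip, url, ts in self.entries)
        self.entries = []
        self.opened_at = self._now()
        return body


# Constructed sample request lines (the real worm sends a much longer run).
CODE_RED_SAMPLE = "GET /default.ida?" + "N" * 64 + "%u9090%u6858%ucbd3%u7801=a HTTP/1.0"
BENIGN_SAMPLE = "GET /index.html HTTP/1.1"
```

A listener on port 80 would feed each request's first line and the peer address to `AttackLog.record`, then call `flush` and mail the body whenever `should_flush` is true.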
    
    

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com


