Beta Release

Download the webhoneypot here: Downloads


Welcome to the DShield Web Honeypot Project. The overall idea is to build something like DShield (which collects firewall logs) for webapps.
The goal of the project is to collect quantitative data measuring the activity of automated or semi-automated probes against web applications. First of all, we will not just look for "attacks". We look for "probes". Whether they are malicious or not can only be determined in context.
We will not look for 0-day style or targeted attacks. Maybe we will get lucky and catch one. But in order to detect them, we would need sensors in specific networks. What we are after is more the "background noise".

For more information, please read: What does the honeypot do?

Install Web Honeypot

To install the beta release of the Web Honeypot code, check out the SVN repository from Google Code.

Detailed installation instructions are available on the main Installation Page.

Package Installation: (Alpha Release)
Debian: Install with the Debian package
Ubuntu: The Debian package works with Ubuntu

Update Web Honeypot

The final stage of the install process is to configure the automatic updates for the Web Honeypot. Some packages do this automatically; however, you may be presented with:
Please add the following line to your crontab to enable template updates:

0 0 0 * * *   root /usr/bin/php /opt/webhoneypot/lib/update-client.php

This line lets the system update its templates so that a range of webapp scans can be detected on your system.
More information is available on the Update Page.

Web Honeypot Credits

A list of people who have worked on this project is available here.

Web Honeypot FAQ


How does it work?

A:  The Web Honeypot is made up of 3 elements: a client, a set of templates and a logging system. All web requests destined for the honeypot are passed to the honeypot client. The client attempts to match the specific web application requested to one of the templates installed in the honeypot. If a suitable template is found then it is sent back to the requester. If there is no template available, a default web page is returned. In both cases the specific web application request is logged and sent to a central DShield database.
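
The request flow described in this answer, sketched as an added example (this is not the project's own code). The template format, the field names in the log record and the JSON-lines upload format are assumptions made for illustration; the sample requests are constructed.

```python
import json
import re
from datetime import datetime, timezone

# Hypothetical templates (constructed): a URL pattern plus the canned page
# returned when a probe matches it. The project's real template format is
# not shown on this page.
TEMPLATES = [
    {"name": "phpmyadmin", "pattern": re.compile(r"^/(phpmyadmin|pma)/", re.I),
     "body": "<html><title>phpMyAdmin</title></html>"},
    {"name": "wordpress-login", "pattern": re.compile(r"^/wp-login\.php", re.I),
     "body": "<html><title>Log In</title></html>"},
]
DEFAULT_BODY = "<html><body>It works!</body></html>"


def handle_request(method, url, headers, source_ip, log):
    """Choose the response for one probe and log it, matched or not."""
    matched = next((t for t in TEMPLATES if t["pattern"].search(url)), None)
    body = matched["body"] if matched else DEFAULT_BODY
    # Both branches are logged: unmatched probes show which web
    # applications are being scanned for but have no template yet.
    log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "source_ip": source_ip,
        "method": method,
        "url": url,
        "user_agent": headers.get("User-Agent", ""),
        "template": matched["name"] if matched else None,
    })
    return body


def serialize_for_upload(log):
    """One JSON object per line. json.dumps escapes CR/LF and other control
    characters, so probe-supplied fields cannot forge extra log records."""
    return "\n".join(json.dumps(record, sort_keys=True) for record in log)


if __name__ == "__main__":
    log = []
    # Constructed sample probes (source addresses from the documentation range).
    handle_request("GET", "/phpMyAdmin/index.php", {"User-Agent": "scanner/1.0"}, "192.0.2.10", log)
    handle_request("GET", "/unknown.cgi", {"User-Agent": "x\r\nforged"}, "192.0.2.11", log)
    print(serialize_for_upload(log))
```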

Should I run this on my production environment?

A:  That depends on your risk tolerance.  If your organization is willing to approve it, then the program itself is designed so that it can run as a virtual host under Apache.  You could assign unused IP addresses to the honeypot virtual host.

Can I run this at home?

A:  Several people already are.  If you can forward port 80 to your honeypot machine, then it will work.


Will the Web Honeypot work on my OS?

A: Currently the Web Honeypot works on Windows (2000 or later) and Linux, with install packages available for Debian, Red Hat, openSUSE and Mac OS X.

Does it run on Windows/IIS/PHP?

A:  It should, with some minor modifications.  IIS does not support the same redirection of all requests that Apache does.
