How can I make my own custom honeypots?

To make a custom honeypot, use the template file in the download section of the GHH project page on Sourceforge. This template is a simple honeypot, set up as a dummy vulnerable page by way of example. Download the “Custom Honeypot Template” file from a mirror and find the template.php file inside. Look for the “Begin Custom Honeypot Section” of the code.

Once the honeypot HTML is echoed to the attacker, the next step is to determine how he or she found the honeypot. This is done by checking the HTTP_REFERER header sent by the attacker’s browser. If there is no HTTP_REFERER header, the default signatures will identify it. You can retrieve the HTTP_REFERER header sent by the attacker with the $Attack['referer'] variable.

There are two examples in the template. The first searches for the name of the vulnerable target in the HTTP_REFERER string, because popular search engines include the query in the URL of their query results. The second searches for the Google Hacking Database query in the HTTP_REFERER string, which indicates that the attacker most likely found the honeypot using a GHDB signature.

Whatever signatures you decide to create, append them to the $Signature[] array and they will be put in the logs. The two signatures included in the template show how this is done. You should remove or edit the example signatures.

What can I do to view the attack log?

Options for the time being: http://www.google.com/search?q=csv+parser

What does the log mean? How can I use this information?

There are many valid policy concerns related to honeypots, especially when moving honeypots onto the web. It is important that, when you view the log, you understand exactly what the entries indicate. The User Manual, available at http://ghh.sourceforge.net, is a valuable tool because it details many different aspects of the log and what they indicate.
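The two referer checks described in the custom honeypot answer above, written out as an added example; this is not the code shipped in template.php. The function name referer_signatures, the signature strings, the target name "Example Board" and the search query are constructed placeholders; only $Attack['referer'] and $Signature[] are names taken from the template.

```php
<?php
// Added illustration, not part of the GHH template.

/**
 * Return the signatures matched by a request's Referer header.
 * $targetName and $ghdbQuery are whatever strings your honeypot imitates.
 */
function referer_signatures(string $referer, string $targetName, string $ghdbQuery): array
{
    $signatures = [];
    if ($referer === '') {
        // No referer: nothing to match here; the default signatures cover this case.
        return $signatures;
    }

    // The header is attacker-controlled and ends up in a log file:
    // cap its length and drop control characters before using it.
    $referer = substr($referer, 0, 2048);
    $referer = preg_replace('/[\x00-\x1F\x7F]/', '', $referer) ?? '';

    // Search engines put the query in the result URL, percent-encoded,
    // so decode before comparing ('+' becomes a space).
    $decoded = urldecode($referer);

    if (stripos($decoded, $targetName) !== false) {
        $signatures[] = 'Target name found in referer';
    }
    if (stripos($decoded, $ghdbQuery) !== false) {
        $signatures[] = 'GHDB query found in referer';
    }
    return $signatures;
}

// Constructed sample request: arrival from a search results page.
$Attack = [
    'referer' => 'http://www.google.com/search?q=intitle%3A%22Example+Board%22+inurl%3Alogin.php',
];
$Signature = [];

$matches = referer_signatures(
    $Attack['referer'],
    'Example Board',                            // placeholder target name
    'intitle:"Example Board" inurl:login.php'   // placeholder search query
);
foreach ($matches as $match) {
    $Signature[] = $match; // appended signatures are what end up in the log
}

print_r($Signature);
```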