You have developer type questions, we have developer type answers. Here are some more advanced aspects of GHH and how it serves your needs:

How can I make my own custom honeypots?
Custom honeypots allow you, the developer, to craft your own honeypots to your own specifications. By default, at this point in time, GHH supports honeypots which end in *.php only. Creating your own honeypots allows you to have a jump on attackers by implementing honeypots which are not widely known.

To make a custom honeypot, use the template file in the download section of the GHH project page on Sourceforge. This is a template file for a simple honeypot, and will be setup as a dummy vulnerable page as an example. Download the “Custom Honeypot Template” File from a mirror and find template.php file inside. Look for the “Begin Custom Honeypot Section” of the code.

The first task is to change the $HoneypotName variable to reflect the name of your honeypot. This will appear in the logs when your honeypot is visited over the web. The next line is an echo statement; this outputs the source HTML of the honeypot. Template.php uses PHP Shell 1.7 as an example. To customize file replace the source found in the echo code with the source another vulnerable web application.

Once the honeypot HTML is echo'd to the attacker, it’s time to determine what means he/she took to find our honeypot. This is done by checking the HTTP_REFERER header sent by the attacker’s browser. If there is no HTTP_REFERER header, the default signatures will identify it.

You can retrieve the HTTP_REFERER header sent by the attacker with the $Attack['referer'] variable. There are two examples in the template. The first searches for the name of the vulnerable target in the HTTP_REFERER string, because popular search engines include the query in the URL of their query results. The second example searches for the Google Hacking Data Base query in the HTTP_REFERER string, which highlight that the attacker most likely found the honeypot using a GHDB signature. Whatever signatures you decide to create, append them to the $Signature[] array and they will be put in the logs. The two signatures included in the template have examples of this. You should remove or edit the example signatures.

What can I do to view the attack log?
There will be a sample log viewer on the Download page <> to provide a front-end to the log file. This feature is being worked on currently and is not available at relese. It is not recommend to use this viewer if you have the resources available to parse the logs another way. The reason the sample viewer is not recommend is because it needs to be placed on the web.

Options for the time being:

What does the log mean? How can I use this information?
Our number one priority is to serve as a research tool which can be used to develop security policy. All security policies derived from GHH logs should be carefully scrutinized because false positives are possible in all honeypots and GHH is no exception. Contact the GHH team if you have queries related to honeypot policy.

There are many valid policy concerns related to honeypots, especially when moving honeypots onto the web. It is important to realize that when you view the log you understand exactly what the entries are indication. The User Manual, available at is a valuable tool because it details many different aspects of the log and what they indicate.