Using Honeypots to Study Web-based Attacks
The Internet Storm Center has an interesting entry on how to use honeypots to capture attacks against web-applications: "Roundcube Webmail follow-up":
Basically they first observe the scanning/exploitation attempts against the Roundcube html2text.php vulnerability and then set up a second-stage honeypot that responds to these scanning attempts, offering more bait for the attacker. This is a good example how honeypots work and it also helps them to observe the actual infection of a vulnerable system.
A fermented honeypot is one that has been set up based on exploit attempts identified by a first stage honeypot. What happens is that the attacker(s) get all sticky in the original honeypot and when they come back for more sweetness, they get the fermented honeypot too. Now, along with getting all sticky in the first honeypot, they get all drunk on excitement in the fermented honeypot. [...] Development of a fermented honeypot is not without effort. There is no typical Win32 click-n-create nonsense. A fermented honeypot must be specifically crafted to correctly emulate the focused attack. The author, or 'brew master', is well capable of taking a traditional honeypot and fermenting it accordingly.
Basically they first observe the scanning/exploitation attempts against the Roundcube html2text.php vulnerability and then set up a second-stage honeypot that responds to these scanning attempts, offering more bait for the attacker. This is a good example how honeypots work and it also helps them to observe the actual infection of a vulnerable system.
