HoneyWeb is a deception-based, web-server-like program that can be used as a standalone server or in conjunction with HoneyD (http://www.citi.umich.edu/u/provos/honeyd/) to provide request-based HTTP header spoofing and page serving. HoneyWeb does a basic regex comparison on each incoming request to determine which associated headers to return.

HoneyWeb works in two modes, "Persistent" and "Non-Persistent". In "Non-Persistent" mode HoneyWeb is basically a more intelligent netcat: it returns 200 OK for every request, unless defined otherwise, along with the other associated headers for that type of server. In "Persistent" mode HoneyWeb remembers the IP and always returns the same version to the same IP for a specified period of time; in addition, it does basic request comparisons between server families to determine whether a 404 should be sent back.

HoneyWeb does some bogus-request checking and sends back server-specific error pages on bogus requests. Attack-specific pages can be specified to make HoneyWeb appear more real to interactive attackers. SSL support can be provided with stunnel (http://www.stunnel.org).

HoneyWeb is written in Python and should run on anything with Python 1.5 or later. It has been tested on W2K in addition to Linux platforms. HoneyWeb tries to follow the HTTP protocol closely, returning errors on improper versions and syntax.

HoneyWeb logs request-specific information into hw-log files in the log directory. In addition, unmatched requests are logged in the newsigs file.

Example configuration from hweb_config.py:

    generic['.htpasswd'] = [u_serv['unix_1'],200,'attack-pages/htpasswd.txt']

The above example returns a 200 and the specified page, as well as the server defined as u_serv['unix_1']. The return code and the page are optional; if they are not given, a 200 and the default index page are returned, unless there is an error code.
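The following sketch is an added example, not HoneyWeb's own code: it shows how a signature table shaped like the generic[...] entry above could drive regex matching, the optional return code and page, and "Persistent" mode pinning of an IP to one server identity. The names resolve, PersistentMode, DEFAULT_PROFILE, DEFAULT_PAGE and unmatched, the 'family' key, the banner strings, the cmd.exe signature and the exact 404 rule are assumptions made for illustration.

```python
import re
import time

# Constructed profiles standing in for the u_serv table in hweb_config.py.
u_serv = {
    'unix_1': {'family': 'unix', 'Server': 'Apache/1.3.26 (Unix)'},
    'win_1': {'family': 'win', 'Server': 'Microsoft-IIS/5.0'},
}
generic = {
    '.htpasswd': [u_serv['unix_1'], 200, 'attack-pages/htpasswd.txt'],  # from the page
    r'cmd\.exe': [u_serv['win_1']],  # constructed: return code and page omitted
}
DEFAULT_PROFILE = u_serv['unix_1']  # assumed default identity
DEFAULT_PAGE = 'index.html'         # hypothetical name of the default index page
unmatched = []                      # stands in for the newsigs file


def resolve(path):
    """Regex-match a request path; fill in the optional code and page."""
    for pattern, entry in generic.items():
        if re.search(pattern, path):
            status = entry[1] if len(entry) > 1 else 200
            default_page = DEFAULT_PAGE if status < 400 else None
            page = entry[2] if len(entry) > 2 else default_page
            return entry[0], status, page
    unmatched.append(path)  # no signature matched: record it for review
    return None, 200, DEFAULT_PAGE


class PersistentMode:
    """Pin each client IP to one server profile for ttl seconds."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.pinned = {}  # ip -> (profile, expiry timestamp)

    def handle(self, ip, path, now=None):
        now = time.time() if now is None else now
        profile, status, page = resolve(path)
        pinned, expiry = self.pinned.get(ip, (None, 0))
        if pinned is None or expiry <= now:
            pinned = profile or DEFAULT_PROFILE
            self.pinned[ip] = (pinned, now + self.ttl)
        elif profile and profile['family'] != pinned['family']:
            # Signature belongs to another server family: this host lacks it.
            status, page = 404, None
        return pinned['Server'], status, page
```

A scanner that first sees the Unix identity keeps seeing it until the pin expires, so probing for a different server family yields a consistent 404 instead of a contradictory banner.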
To run HoneyWeb:

  1. Untar it and cd into the HoneyWeb main directory.
  2. cd into the scripts directory and run ./strict-gen.py
  3. cd back into the default directory and run ./HoneyWeb-Server-0.4.py & to start the standalone version.

See the HoneyD directions in the docs directory for information on using HoneyWeb with HoneyD. You may need to make sure your hostname is correct, and set your IP in the HoneyWeb-Server file unless you want to bind to all IPs.

Acknowledgments: I would like to thank Lance Spitzner, Neal Timm and Niels Provos for ideas, suggestions and help in testing.

Questions / comments / suggestions: forward to ktimm@var-log.com