| Student Name: | Lukas Rist |
| Mentor Name: | Thorsten Holz |
| Title: | Developing and improving a Web Application Honeypot |
| Abstract: | Glastopf is a minimalistic web server emulator, written in Python. Glastopf collects web application based attack information like remote file inclusions, SQL-inclusions and local file inclusions. The attack data is stored in a MySQL database that can be browsed via a web interface. Recently, a very early, stable version of Glastopf was released. The unstable branch has a lot more features, but most of them are lacking some love. I am planning a new stable release within the next few weeks. |
| Public info: | While experimenting with various Honeypots, I recognized the lack of an effective Honeypot for attacks against web applications. While there are some projects like the (discontinued) GHH or the (inflexible) Web Application Honeypot from DShield.org, they did not fit my needs. Eventually, I started to develop the Glastopf Web Honeypot. Glastopf is a minimalistic web server emulator, written in Python. Glastopf collects web application based attack information like remote file inclusions, SQL-inclusions and local file inclusions. Glastopf scans requests for strings like ‘=http://’ or ‘=ftp://’. In case of a match, Glastopf tries to analyze the files in order to respond as close as possible to the attacker’s expectations. It then sends the appropriate response to the attacker, thereby making him believe that he has found a vulnerable server. As the attacker sends a bot, shell or spreader, Glastopf saves the attack attempt for further analysis, even allowing the intrusion of the botnet. |
| Additional info: | http://trac.1durch0.de/trac/wiki |
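
The request scan described under "Public info" (matching strings like ‘=http://’ or ‘=ftp://’), sketched as an added example that is not Glastopf's own code. The function names, the sample request lines, and the choices to percent-decode values, match case-insensitively and include https are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# The page names '=http://' and '=ftp://' as markers; https, case-insensitive
# matching and percent-decoding are assumptions added for this example.
REMOTE_SCHEME = re.compile(r"(?:https?|ftp)://\S+", re.IGNORECASE)


def find_remote_includes(request_line):
    """Return (parameter, url) pairs whose value starts with a remote URL."""
    parts = request_line.split()
    if len(parts) < 2:                      # malformed request line
        return []
    _, _, query = parts[1].partition("?")
    hits = []
    # Split on '&' before decoding so an encoded '&' stays inside its value.
    for pair in query.split("&"):
        name, sep, value = pair.partition("=")
        if not sep:                         # bare key, no '=' marker
            continue
        value = unquote_plus(value)
        match = REMOTE_SCHEME.match(value)  # anchored: URL must follow '='
        if match:
            hits.append((unquote_plus(name), match.group(0)))
    return hits


def scan(requests):
    """Map each request line with at least one hit to its (parameter, url) pairs."""
    return {r: h for r in requests if (h := find_remote_includes(r))}


# Constructed sample request lines (hosts use the reserved .example TLD).
SAMPLE_REQUESTS = [
    "GET /index.php?page=http://files.example/payload.txt HTTP/1.1",
    "GET /view.php?id=7&inc=FTP%3A%2F%2Ffiles.example%2Fa.txt HTTP/1.1",
    "GET /search.php?q=honeypot&ref=about HTTP/1.1",
    "GET /go.php?note=see+http://files.example/x HTTP/1.1",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS).items():
        print(line, "->", hits)
```

The fourth sample is not flagged because the URL does not directly follow the `=`, which mirrors the ‘=http://’ marker the page describes.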