WebLabyrinth - A simple tool that creates a maze of bogus web pages to confuse web scanners. It's main goal is to delay and occupy malicious scanners that scan websites in order for incident handlers to detected and respond to them before damage is done.
WebLabyrinth code Copyright (c) 2010, Ben Jackson and Mayhemic Labs - bbj@mayhemiclabs.com. All rights reserved.
Dissociated Press functions based off of David Pascoe-Deslauriers' dpascoed@csiuo.com dissociatedpress class. Copyright 2000-2009 David Pascoe-Deslauriers. All rights reserved.
Original Dissociated Press code available at http://www.csiuo.com/drupal/node/13
PREREQUISITES
SETUP AND CONFIGURATION
Configuration is broken up into two parts, setting up the web application, and configuring the database. First, copy all the files in a web accessible directory and edit the config.inc.php to reflect the directory name. If you installed it as /labyrinth, it should be all set.
Next, you also need to create a .htaccess file in the same directory as the installation. There is an example in EXAMPLE.htaccess, built with theassumption that you have WebLabyrinth installed in a web path called /labyrinth and the index.php file has not been renamed. The only two variables in the .htaccess that should ever need to be changed is RewriteBase which should be the web path that WebLabyrinth is installed in and RewriteRule which is the web path that the main index.php file is located.
Finally, you need to configure the database. This database should be installed in a non web accessible directory. The directory should both readable and writeable by the Apache user. The SQL script to create the database is labyrinth.sql. The following commands do this on my (Debian) system:
mkdir /opt/weblabyrinth/
cat labyrinth.sql | sqlite /opt/weblabyrinth/labyrinth.db
chown -R www-data:www-data /opt/weblabyrinthOnce the database is created, edit the config.inc.php 'tracking_db' variable to point to your freshly created database.
ALERTING
One of the new features (as of the 0.3 branch) is the ability to generate alerts if a crawler reaches a certain level. The two ways weblabyrinth can do this is by generating an e-mail or by generating text that an IDS system can trigger on. All of these options are controlled in the config.inc.php file. If you use snort, the following rule should generate an alert if the word used by default is found.
alert tcp any 80 -> any any (content:"honorificabilitudinitatibus"; msg: "WebLabyrinth alert keyword detected";)
By default the system will generate an alert if the crawlers get three levels deep within the labyrinth. The system will generate the alert maximum once an hour for an ongoing scan.
NOTE ABOUT APACHE
Please note that you may need to reconfigure apache to allow .htaccess
files to control configuration options. This is done in the apache site's
configuration file (/etc/apache2/sites-available/
<Directory /var/www/labyrinth> Options Indexes FollowSymLinks MultiViews AllowOverride FileInfo Options Order allow,deny allow from all
The "AllowOverride FileInfo Options" is the important bit. Remember to restart Apache when you're done.