WebLabyrinth - A simple tool that creates a maze of bogus web pages to
confuse web scanners. It's main goal is to delay and occupy malicious
scanners that scan websites in order for incident handlers to detected
and respond to them before damage is done.
WebLabyrinth code Copyright (c) 2010, Ben Jackson and Mayhemic Labs -
firstname.lastname@example.org. All rights reserved.
Dissociated Press functions based off of David Pascoe-Deslauriers'
<email@example.com> dissociatedpress class. Copyright 2000-2009
David Pascoe-Deslauriers. All rights reserved.
Original Dissociated Press code available at
* PHP sqlite extension
* PHP mail() support
SETUP AND CONFIGURATION
Configuration is broken up into two parts, setting up the web
application, and configuring the database. First, copy all the files in
a web accessible directory and edit the config.inc.php to reflect the
directory name. If you installed it as /labyrinth, it should be all set.
Next, you also need to create a .htaccess file in the same directory
as the installation. There is an example in EXAMPLE.htaccess, built
with theassumption that you have WebLabyrinth installed in a web path
called /labyrinth and the index.php file has not been renamed. The only two
variables in the .htaccess that should ever need to be changed is
RewriteBase which should be the web path that WebLabyrinth is installed
in and RewriteRule which is the web path that the main index.php file
Finally, you need to configure the database. This database should be
installed in a non web accessible directory. The directory should both
readable and writeable by the Apache user. The SQL script to create the
database is labyrinth.sql. The following commands do this on my (Debian)
cat labyrinth.sql | sqlite /opt/weblabyrinth/labyrinth.db
chown -R www-data:www-data /opt/weblabyrinth
Once the database is created, edit the config.inc.php 'tracking_db'
variable to point to your freshly created database.
One of the new features (as of the 0.3 branch) is the ability to generate
alerts if a crawler reaches a certain level. The two ways weblabyrinth can
do this is by generating an e-mail or by generating text that an IDS system
can trigger on. All of these options are controlled in the config.inc.php
file. If you use snort, the following rule should generate an alert if the
word used by default is found.
alert tcp any 80 -> any any (content:"honorificabilitudinitatibus"; msg: "WebLabyrinth alert keyword detected";)
By default the system will generate an alert if the crawlers get three
levels deep within the labyrinth. The system will generate the alert maximum
once an hour for an ongoing scan.
NOTE ABOUT APACHE
Please note that you may need to reconfigure apache to allow .htaccess
files to control configuration options. This is done in the apache site's
configuration file (/etc/apache2/sites-available/<your site here>). Below
is an example from my installation on a Debian server:
Options Indexes FollowSymLinks MultiViews
AllowOverride FileInfo Options
allow from all
The "AllowOverride FileInfo Options" is the important bit. Remember to
restart Apache when you're done.