The Honeynet Project Annual Workshop 2024
Copenhagen, Denmark — May 27th–29th, 2024

Honeypots are invaluable tools for monitoring internet-wide scans, providing insights into the tactics, techniques, and new exploits used by attackers. However, without effectively masquerading as authentic targets to deceive these attackers, we often end up dealing with a multitude of repetitive scans that offer little novel information.

Traditional low-interaction web honeypots rely on a manual and limited method of emulating numerous web applications or vulnerabilities. Enter Galah, an LLM (Large Language Model)-powered web honeypot designed to mimic various applications with a single prompt! This LLM-powered honeypot dynamically crafts relevant (and occasionally foolish) responses, including HTTP headers and body content, to arbitrary HTTP requests, effectively mimicking various web applications.

During this talk, I will share insights gained from Galah’s three-month deployment and attempt to address the following key questions:

  1. How do different large language models (LLMs) perform when tasked with analyzing and generating HTTP messages?
  2. Does the delivery of authentic-looking HTTP responses enhance attackers’ engagement with the honeypot?