Honeypot Processors: Hidden Link Processor
When trying to exploit a site, hackers will often scan the contents of the site in search of directories and files that are of interest. Because this scanning is done at the source level, the hacker finds every file referenced, whereas a user viewing the web site sees only the links that the rendered HTML makes visible. This processor injects a fake link into documents that references a file that looks interesting. The link is injected in a way that prevents it from being rendered when the browser loads the page. This means that no normal user would ever find or click on the link, but a scanner or hacker who is looking at the source code likely will.
Table 1: Hidden Link Processor Configuration Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Basic | | | |
Processor Enabled | Boolean | True | Whether traffic should be passed through this processor. |
Advanced | | | |
Hidden Links | Configurable | Hidden Links | The set of hidden links that can be injected into the site. |
Inject Link Enabled | Boolean | True | Whether to inject the link into HTTP responses. |
Incident: Link Directory Indexing | Boolean | True | The user requested a directory index on one of the fake parent directories of the linked file. |
Incident: Link Directory Spidering | Boolean | True | The user requested a resource inside the fake directory of the linked file. |
Incident: Malicious Resource Request | Boolean | True | The user requested the fake linked resource. |
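
The following sketch is an added example, not the product's own code: it injects a non-rendered decoy link and maps incoming request paths to the three incident names in Table 1. The decoy path, the function names, the `display:none` hiding method, and the reading of "spidering" as any other path under the outermost fake directory are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed decoy path (hypothetical, not a value shipped with the product).
HIDDEN_LINK = "/backup_2011/private/passwords.bak"

def inject_hidden_link(html, href=HIDDEN_LINK):
    """Insert a non-rendered anchor before </body>.
    Assumption: the link is hidden with CSS display:none."""
    decoy = f'<a href="{href}" style="display:none" tabindex="-1" aria-hidden="true"></a>'
    out, n = re.subn(r"(?i)</body\s*>", lambda m: decoy + m.group(0), html, count=1)
    return out if n else html + decoy  # no </body>: append at the end

def fake_directories(href=HIDDEN_LINK):
    """Every fake parent directory of the decoy, outermost first."""
    parts = href.strip("/").split("/")[:-1]
    return ["/" + "/".join(parts[:i]) + "/" for i in range(1, len(parts) + 1)]

def normalize(url):
    """Decode and collapse ./, ../ and // so trivial path variations still match."""
    raw = "/" + unquote(urlsplit(url).path).lstrip("/")
    path = posixpath.normpath(raw)
    return path + "/" if raw.endswith("/") and path != "/" else path

def classify_request(url, href=HIDDEN_LINK):
    """Return the Table 1 incident name for a request, or None for normal traffic."""
    path, dirs = normalize(url), fake_directories(href)
    if path == href:
        return "Malicious Resource Request"
    if path in dirs or path + "/" in dirs:
        return "Link Directory Indexing"
    if dirs and path.startswith(dirs[0]):
        return "Link Directory Spidering"
    return None

if __name__ == "__main__":
    # Constructed request paths, used only as sample input.
    for url in ["/index.html", "/backup_2011/", "/backup_2011/private/shadow.old",
                "/backup_2011/private/passwords%2Ebak"]:
        print(f"{url:45} -> {classify_request(url)}")
```

Because no rendered page exposes the decoy, any non-`None` result identifies a client that read the page source or is enumerating paths.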