g., if there is a probing attempt or general scanning on the ports). Data will also be collected from the log file of the monitoring tool and from the log of the operating system as well. According to Thomae and Bakos, honeypots also have some distinct advantages for data collection purposes, including the following: Honeypots have no production use, most activity directed at honeypots represents genuine attacks, leading to few, if any, false positives.

Honeypots can capture all activity directed at them, allowing the detection of previously unknown attacks.

Honeypots can capture more attack data than most other intrusion-detection solutions, including (for some kinds of honeypots) shell commands, installed attack software, and even attacker-to-attacker interaction through chat servers or other communication mechanisms (Thomae & Bakos, pp. 1-2).

Honeypots facilitate this type of data analysis if properly administered. For instance, after collecting data from log files, security professionals should analyze it to determine if the honeypot detected any malicious activity; however, because reviewing lengthy log files in an inefficient approach, a program called Nebula will be employed for data analysis purposes. In this regard, Werner (2008) reports that, "Nebula is an intrusion signature generator. It can help securing a network by automatically calculating filter rules from attack traces. In a common setup nebula runs as a daemon and receives attacks from honeypots. Signatures are currently published in snort format" (p. 1). The SNORT format is an open source network intrusion prevention and detection system that uses a rule-driven language that features the advantages of signature, protocol and anomaly based inspection methods (What is SNORT?, 2008). According to these security professionals, "With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry" (What is SNORT?, p. 2).

Another advantage of the SNORT format is its speed: "The code was written to be fast. A signature isn't of much value if the generation process takes hours or days. With nebula, you should get a first revision within a few seconds. As more attacks of a kind are submitted, signatures get better and nebula will publish updated revisions" (Werner, p. 2). The signature example below provided by Werner was generated by nebula for FTP downloads during multi-stage attacks:

alert tcp any -> $HOME_NET 8555 (msg: "nebula rule 2000001 rev. 1";

content: "cmd / "; offset: 0; depth: 5;

content: " echo open ";...

Feeding it with input from other sources shouldn't be very difficult, though. The code archive contains a command line client which submits data from files to a nebula server. Its code can also be taken as a reference implementation for the client side part of nebula's submission protocol" (p. 3).
Chapter Summary.

This chapter provided an overview and brief description of honeypots and how they can be used to identify potential vulnerabilities in a Web site by collecting attack activity, thereby providing security professionals with the information they need to formulate improved protections and superior barriers to keep "the bad guys out." This chapter also presented a review and discussion of the four steps that will be followed to achieve the proposed study's research goal. A review of the relevant peer-reviewed, scholarly, organizational, and governmental literature concerning these issues is provided in chapter two below.