[Wasc-honeypots] New Honeypot Sensor Options

Ryan Barnett rcbarnett at gmail.com
Tue Oct 11 15:10:45 EDT 2011


Greetings everyone,
It has been a looooooong time coming but I am excited to announce that we
will be moving forward with the next phase of the WASC Distributed Web
Honeypots Project!  The main task for us has been to get a new central
logging host setup.  We are not going to use the Trustwave SIEM as our
central host and we have it deployed in one of our DMZ segments and are
setting it up now in order to received external data from sensors.

I have also been updating the VMware honeypot image so that it has the
latest/greatest ModSecurity code, CRS rules, etcŠ

During the course of internal discussion here in Trustwave's SpiderLabs
Research Team, we were discussing possible alternative approaches to
"Deploying a Sensor".  Currently, we only give participants one option:
deploy the VMware image which will be a complete virtual host with
Apache/ModSecurity.  What we came to realize, however, is that the majority
of participants are already running Apache web servers for other purposes.
So we thought ­ why not add in some "sensor" type detection within your
existing Apache setups?  The idea would be to simple add in some Apache
Listen directives -

Listen 8000
Listen 8080
Listen 8888

You would then add in corresponding Apache vhost containers for these ports
and configure the Apache ErrorLog directive to use Syslog -

<VirtualHost *:8000>
DocumentRoot /www/example1-80
ServerName www.example1.com
ErrorLog syslog:local7</VirtualHost>

<VirtualHost *:8080>
DocumentRoot /www/example1-8080
ServerName www.example2.com
ErrorLog syslog:local7</VirtualHost>

<VirtualHost *:8888>
DocumentRoot /www/example2-80
ServerName www.example3.org
ErrorLog syslog:local7</VirtualHost>

If the website is using ModSecurity/CRS configured in the base server
context, then it will be inherited by these vhost containers.  For port 80,
you could also add in a similar catch-all container at the end of their
vhost setups.

You would then just need to edit the /etc/syslog.conf settings to point the
local7 facility logs to the central SIEM IP address.

This approach is very similar to our original methodology and may be a bit
easier to deploy then having to deal with VMware images and updating.

Before we proceed with this option, I wanted to gauge the list's thoughts on
this approach.  If we made this option available, would you use it?

Please provide feedback as we would like to test this option ASAP.

Thanks,
Ryan Barnett
WASC Distributed Web Honeypot Project Leader







-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/wasc-honeypots_lists.webappsec.org/attachments/20111011/52a7ebc1/attachment-0003.html>


More information about the wasc-honeypots mailing list