[Wasc-honeypots] New Honeypot Sensor Options

Ryan Barnett rcbarnett at gmail.com
Thu Oct 13 09:17:42 EDT 2011

Any comments to this idea?  I had 1 person email me directly.  If you only
want to deploy a VMware Sensor that is fine, just let me know either way.


From:  Ryan Barnett <rcbarnett at gmail.com>
Date:  Tue, 11 Oct 2011 15:10:45 -0400
To:  <wasc-honeypots at lists.webappsec.org>
Subject:  New Honeypot Sensor Options

> Greetings everyone,
> It has been a looooooong time coming but I am excited to announce that we will
> be moving forward with the next phase of the WASC Distributed Web Honeypots
> Project!  The main task for us has been to get a new central logging host
> setup.  We are not going to use the Trustwave SIEM as our central host and we
> have it deployed in one of our DMZ segments and are setting it up now in order
> to receive external data from sensors.
> I have also been updating the VMware honeypot image so that it has the
> latest/greatest ModSecurity code, CRS rules, etc...
> During the course of internal discussion here in Trustwave's SpiderLabs
> Research Team, we were discussing possible alternative approaches to
> "Deploying a Sensor".  Currently, we only give participants one option: deploy
> the VMware image which will be a complete virtual host with
> Apache/ModSecurity.  What we came to realize, however, is that the majority of
> participants are already running Apache web servers for other purposes.  So we
> thought - why not add in some "sensor" type detection within your existing
> Apache setups?  The idea would be to simply add in some Apache Listen
> directives -
> Listen 8000
> Listen 8080
> Listen 8888
> You would then add in corresponding Apache vhost containers for these ports
> and configure the Apache ErrorLog directive to use Syslog -
> <VirtualHost *:8000>
> DocumentRoot /www/example1-80
> ServerName www.example1.com
> ErrorLog syslog:local7
> </VirtualHost>
> <VirtualHost *:8080>
> DocumentRoot /www/example1-8080
> ServerName www.example2.com
> ErrorLog syslog:local7
> </VirtualHost>
> <VirtualHost *:8888>
> DocumentRoot /www/example2-80
> ServerName www.example3.org
> ErrorLog syslog:local7
> </VirtualHost>
> If the website is using ModSecurity/CRS configured in the base server context,
> then it will be inherited by these vhost containers.  For port 80, you could
> also add in a similar catch-all container at the end of their vhost setups.
> You would then just need to edit the /etc/syslog.conf settings to point the
> local7 facility logs to the central SIEM IP address.
> This approach is very similar to our original methodology and may be a bit
> easier to deploy than having to deal with VMware images and updating.
> Before we proceed with this option, I wanted to gauge the list's thoughts on
> this approach.  If we made this option available, would you use it?
> Please provide feedback as we would like to test this option ASAP.
> Thanks,
> Ryan Barnett
> WASC Distributed Web Honeypot Project Leader
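
An added example, not part of the original message or the project's tooling: a Python check that a host is wired up the way the message describes, with every Listen port backed by a vhost that logs to syslog:local7 and local7 forwarded off-box. The function name check_sensor, the sample configuration (with the third vhost's ErrorLog deliberately left out) and the collector address 192.0.2.10 are assumptions; the "@host" action is the classic syslog.conf remote-forwarding syntax.

```python
import re

# Constructed sample input: the sensor configuration described in the message.
# 192.0.2.10 is a documentation placeholder for the central SIEM address.
HTTPD_CONF = """\
Listen 8000
Listen 8080
Listen 8888
<VirtualHost *:8000>
    DocumentRoot /www/example1-80
    ServerName www.example1.com
    ErrorLog syslog:local7
</VirtualHost>
<VirtualHost *:8080>
    DocumentRoot /www/example1-8080
    ServerName www.example2.com
    ErrorLog syslog:local7
</VirtualHost>
<VirtualHost *:8888>
    DocumentRoot /www/example2-80
    ServerName www.example3.org
</VirtualHost>
"""
SYSLOG_CONF = "local7.*\t@192.0.2.10\n"


def check_sensor(httpd_conf, syslog_conf, facility="local7"):
    """Return a list of problems; an empty list means the sensor is wired up."""
    problems = []
    ports = re.findall(r"^\s*Listen\s+(?:\S+:)?(\d+)\s*$", httpd_conf, re.M | re.I)
    # Map each vhost port to the body of its container.
    vhosts = dict(re.findall(
        r"<VirtualHost\s+[^>]*?:(\d+)>(.*?)</VirtualHost>", httpd_conf, re.S | re.I))
    for port in ports:
        body = vhosts.get(port)
        if body is None:
            problems.append(f"port {port}: no VirtualHost container")
        elif not re.search(rf"^\s*ErrorLog\s+syslog:{facility}\s*$", body, re.M | re.I):
            problems.append(f"port {port}: ErrorLog is not syslog:{facility}")
    # A selector naming the facility with an @host action forwards it off-box.
    if not re.search(rf"^\s*[^#\n]*\b{facility}\.\S+\s+@\S+", syslog_conf, re.M):
        problems.append(f"syslog: {facility} is not forwarded to a remote host")
    return problems
```

On the sample input, check_sensor(HTTPD_CONF, SYSLOG_CONF) reports only the 8888 vhost, whose errors would stay in the local log and never reach the collector.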
