[Wasc-honeypots] Next Phase - Here we come!

Ryan Barnett rcbarnett at gmail.com
Wed Feb 8 12:02:12 EST 2012

Greetings Everyone,
This has been a long time coming but we are finally ready to start the next
phase of our WASC Distributed Web Honeypots Project.  Here is a quick
rundown of that current status and next steps.

New Central Logging Hosts
One of the long delays was due to finding a suitable replacement(s) for the
old ModSecurity Community Console.  We have since deployed two central
logging servers.
1. Jwall's ModSecurity AuditConsole -
http://jwall.org/web/audit/console/index.jsp.  We deployed Christian's
application to a central host here - https://console.modsecurity.org/login.
This is where all of the ModSecurity audit log data from the honeypot
sensors will be sent.
2. Trustwave's SIEM ­ https://www.trustwave.com/siem/. The ModSecurity VM
sensors are configured to send the short ModSecurity error_log data through
local Syslog and then onto the SIEM host.  The web interface is here -
If you would like access to either of these logging interfaces, please let
me know and I will setup an account for you.  Just let me know a preferred
username.  I will then create your account and sent you back the password.
You can then login and change your password.

If you plan to deploy a Sensor, you should log into the AuditConsole and
setup your Sensor with a username/password.  You will then specify these
credentials in the mlogc.conf file (steps below).

New Sensor Image
We have a new VM configured with the latest ModSecurity code (v2.7 trunk)
and OWASP CRS (v2.3.3).
You can download the image file (~345 MB) here -

OS Login Credentials -
Username = hpadmin
Password = hpadmin

Use "sudo" for root activities.

Once you are logged in, you should setup your Sensor's mlogc
username/password creds so you can send data to the AuditConsole (above).

Execute - # /opt/wasc-honeypot/sbin/wasc-honeypot-config.sh and then specify
the proper username/password you setup in the AuditConsole for your Sensor.
This will then automatically restart all services with the new settings.
When you get traffic to your Sensor, this data should show up in the

Non-VM Option
If already have an Apache/ModSecurity setup and don't want to have to run a
VM, you can simply add the honeypot configs from here -

You should edit your httpd.conf file and add in similar settings -

### Configure ModSecurity Configuration and Rules
# Config
Include /opt/wasc-honeypot/etc/modsecurity_main.conf
Include /opt/wasc-honeypot/etc/crs/modsecurity_crs_10_config.conf
# Rules
Include /opt/wasc-honeypot/etc/honeypot_begin.conf
Include /opt/wasc-honeypot/etc/crs/activated_rules/*.conf
Include /opt/wasc-honeypot/etc/honeypot_end.conf

Adjust the paths appropriately for your setup.  The concept is to "wrap" the
honeypot config files (honeypot_begin.conf and honeypot_end.conf) around
your existing ModSecurity/OWASP CRS settings.  These new configs will
essentially have your apache server listen on additional ports and update
some current CRS rules to automatically download RFI payloads.

Non-Proxying Options
The default operating model for the Apache honeypots is to function as an
open proxy.  The honeypot_begin.conf file specifies the "ProxyRequests On"
Apache directive.  If you do not want to run your honeypot as an open proxy,
simply comment out this line or set it to "ProxyRequests Off".

WASC Honeypots Chat Options
I was thinking that we should setup a LIVE chat for the project somewhere
(Skype Channel, Google+ Hangout, etcŠ) to help facilitate discussions when
people are running their sensors, reviewing audit logs, etc..

Does anyone have a preference for applications/tools to use for the LIVE

WASC Honeypots WebEx Demo
I was also thinking of setting up a LIVE WebEx session sometime soon so we
can all get an initial kick-off the next phase and demo all this new stuff.
If you are interested in this idea, please let me know and I will set one up

If you have any specific questions please let me know.

Happy Honeypotting!

Ryan Barnett
WASC Distributed Web Honeypot Project Leader

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/wasc-honeypots_lists.webappsec.org/attachments/20120208/0a1c3540/attachment-0003.html>

More information about the wasc-honeypots mailing list