[Wasc-honeypots] Next Phase - Here we come!

Andrew Waite andrew.waite at infosanity.co.uk
Thu Feb 9 11:07:36 EST 2012


I'm downloading the virtual machine now. Hoping to have a functional 
sensor by the end of the weekend.

Andrew Waite

--
http://www.infosanity.co.uk | http://www.linkedin.com/in/andrewwaite | http://twitter.com/infosanity


On 09/02/12 15:38, Ryan Barnett wrote:
> Just checking in as no one has replied to this email on the project 
> list...
>
> Is anyone planning on deploying a Sensor(s)?
>
> Ryan
>
> From: Ryan Barnett <rcbarnett at gmail.com>
> Date: Wed, 08 Feb 2012 12:02:12 -0500
> To: <wasc-honeypots at lists.webappsec.org>
> Subject: Next Phase - Here we come!
>
>     Greetings Everyone,
>     This has been a long time coming but we are finally ready to start
>     the next phase of our WASC Distributed Web Honeypots Project.
>     Here is a quick rundown of the current status and next steps.
>
>     ====================
>     New Central Logging Hosts
>     ====================
>     One of the long delays was due to finding a suitable
>     replacement(s) for the old ModSecurity Community Console.  We have
>     since deployed two central logging servers.
>
>      1. Jwall's ModSecurity AuditConsole -
>         http://jwall.org/web/audit/console/index.jsp.  We deployed
>         Christian's application to a central host here -
>         https://console.modsecurity.org/login.  This is where all of
>         the ModSecurity audit log data from the honeypot sensors will
>         be sent.
>      2. Trustwave's SIEM -- https://www.trustwave.com/siem/. The
>         ModSecurity VM sensors are configured to send the short
>         ModSecurity error_log data through local Syslog and then onto
>         the SIEM host.  The web interface is here -
>         https://siem.modsecurity.org/itactics/index.vurl
>
>     If you would like access to either of these logging interfaces,
>     please let me know and I will set up an account for you.  Just let
>     me know a preferred username.  I will then create your account and
>     send you back the password.  You can then log in and change your
>     password.
>
>     If you plan to deploy a Sensor, you should log into the
>     AuditConsole and set up your Sensor with a username/password.  You
>     will then specify these credentials in the mlogc.conf file (steps
>     below).
>
>     ====================
>     New Sensor Image
>     ====================
>     We have a new VM configured with the latest ModSecurity code (v2.7
>     trunk) and OWASP CRS (v2.3.3).
>     You can download the image file (~345 MB) here -
>     http://projects.webappsec.org/w/file/fetch/50692158/wasc-honeypot-4v3.zip?force_download=1
>
>     OS Login Credentials -
>     Username = hpadmin
>     Password = hpadmin
>
>     Use "sudo" for root activities.
>
>     Once you are logged in, you should set up your Sensor's mlogc
>     username/password creds so you can send data to the AuditConsole
>     (above).
>
>     Execute - # /opt/wasc-honeypot/sbin/wasc-honeypot-config.sh and
>     then specify the proper username/password you set up in the
>     AuditConsole for your Sensor.  This will then automatically
>     restart all services with the new settings.  When you get traffic
>     to your Sensor, this data should show up in the AuditConsole.
>
>     ====================
>     Non-VM Option
>     ====================
>     If you already have an Apache/ModSecurity setup and don't want to have
>     to run a VM, you can simply add the honeypot configs from here -
>     http://projects.webappsec.org/w/file/fetch/50717665/wasc_honeypot_configs.tar.gz?force_download=1
>
>     You should edit your httpd.conf file and add in similar settings -
>
>     ### Configure ModSecurity Configuration and Rules
>     # Config
>     Include /opt/wasc-honeypot/etc/modsecurity_main.conf
>     Include /opt/wasc-honeypot/etc/crs/modsecurity_crs_10_config.conf
>     # Rules
>     Include /opt/wasc-honeypot/etc/honeypot_begin.conf
>     Include /opt/wasc-honeypot/etc/crs/activated_rules/*.conf
>     Include /opt/wasc-honeypot/etc/honeypot_end.conf
>
>     Adjust the paths appropriately for your setup.  The concept is to
>     "wrap" the honeypot config files (honeypot_begin.conf and
>     honeypot_end.conf) around your existing ModSecurity/OWASP CRS
>     settings.  These new configs will essentially have your Apache
>     server listen on additional ports and update some current CRS
>     rules to automatically download RFI payloads.
>
>     ====================
>     Non-Proxying Options
>     ====================
>     The default operating model for the Apache honeypots is to
>     function as an open proxy.  The honeypot_begin.conf file specifies
>     the "ProxyRequests On" Apache directive.  If you do not want to
>     run your honeypot as an open proxy, simply comment out this line
>     or set it to "ProxyRequests Off".
>
>
>     ====================
>     WASC Honeypots Chat Options
>     ====================
>     I was thinking that we should set up a LIVE chat for the project
>     somewhere (Skype Channel, Google+ Hangout, etc...) to help
>     facilitate discussions when people are running their sensors,
>     reviewing audit logs, etc..
>
>     Does anyone have a preference for applications/tools to use for
>     the LIVE chat?
>
>     ====================
>     WASC Honeypots WebEx Demo
>     ====================
>     I was also thinking of setting up a LIVE WebEx session sometime
>     soon so we can all get an initial kick-off of the next phase and demo
>     all this new stuff.  If you are interested in this idea, please
>     let me know and I will set one up soon.
>
>     If you have any specific questions please let me know.
>
>     Happy Honeypotting!
>
>     --
>     Ryan Barnett
>     WASC Distributed Web Honeypot Project Leader
>
>
>
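A check for the open-proxy setting described under "Non-Proxying Options", added here as an example and not part of the original message or the project's files: it follows the Include chain from httpd.conf and reports every active ProxyRequests line and whether the last one read is On. The function names and the sample tree are constructed for illustration; it assumes relative Include paths resolve against the directory of httpd.conf and does not model container contexts such as `<VirtualHost>`.

```python
import glob
import os
import re
import tempfile

# Include arguments may be globs, as in crs/activated_rules/*.conf above.
DIRECTIVE = re.compile(r"^\s*(Include(?:Optional)?|ProxyRequests)\s+(\S.*?)\s*$", re.I)

def proxy_requests_settings(conf, root=None, seen=None):
    """List (file, line, value) for each ProxyRequests reachable from conf, in read order."""
    root = root or os.path.dirname(os.path.abspath(conf))
    seen = set() if seen is None else seen
    seen.add(os.path.realpath(conf))  # Include loop guard
    found = []
    with open(conf, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            m = DIRECTIVE.match(line)  # lines commented out with '#' never match
            if not m:
                continue
            name, arg = m.group(1).lower(), m.group(2).strip('"')
            if name == "proxyrequests":
                found.append((os.path.basename(conf), line_no, arg.lower()))
                continue
            pattern = arg if os.path.isabs(arg) else os.path.join(root, arg)
            for inc in sorted(glob.glob(pattern)):
                if os.path.isfile(inc) and os.path.realpath(inc) not in seen:
                    found += proxy_requests_settings(inc, root, seen)
    return found

def is_open_proxy(conf, root=None):
    """Apache defaults to Off; in one context the last directive read wins."""
    settings = proxy_requests_settings(conf, root)
    return bool(settings) and settings[-1][2] == "on"

def build_sample(root, value):
    """Constructed config tree reusing the file names from the message."""
    os.makedirs(os.path.join(root, "crs", "activated_rules"))
    files = {"httpd.conf": "Include honeypot_begin.conf\n"
                           "Include crs/activated_rules/*.conf\nInclude honeypot_end.conf\n",
             "honeypot_begin.conf": "# constructed\nProxyRequests %s\n" % value,
             "crs/activated_rules/sample.conf": "# constructed placeholder\n",
             "honeypot_end.conf": "#ProxyRequests On\n"}
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return os.path.join(root, "httpd.conf")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(proxy_requests_settings(build_sample(tmp, "On")))
```

On a real sensor, pass the path of the server's own httpd.conf and, if ServerRoot differs from its directory, the ServerRoot as `root`.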