[Wasc-honeypots] Next Phase - Here we come!

Alex Kirk akirk at sourcefire.com
Thu Feb 9 11:27:37 EST 2012


I'm just awaiting hardware before doing so. May be a few weeks yet given
data center issues.

On Thu, Feb 9, 2012 at 10:38 AM, Ryan Barnett <rcbarnett at gmail.com> wrote:

> Just checking in as no one has replied to this email on the project list…
>
> Is anyone planning on deploying a Sensor(s)?
>
> Ryan
>
> From: Ryan Barnett <rcbarnett at gmail.com>
> Date: Wed, 08 Feb 2012 12:02:12 -0500
> To: <wasc-honeypots at lists.webappsec.org>
> Subject: Next Phase - Here we come!
>
> Greetings Everyone,
> This has been a long time coming but we are finally ready to start the
> next phase of our WASC Distributed Web Honeypots Project.  Here is a quick
> rundown of the current status and next steps.
>
> ====================
> New Central Logging Hosts
> ====================
> One of the long delays was due to finding a suitable replacement(s) for
> the old ModSecurity Community Console.  We have since deployed two central
> logging servers.
>
>    1. Jwall's ModSecurity AuditConsole -
>    http://jwall.org/web/audit/console/index.jsp.  We deployed Christian's
>    application to a central host here -
>    https://console.modsecurity.org/login.  This is where all of the
>    ModSecurity audit log data from the honeypot sensors will be sent.
>    2. Trustwave's SIEM – https://www.trustwave.com/siem/. The ModSecurity
>    VM sensors are configured to send the short ModSecurity error_log data
>    through local Syslog and then onto the SIEM host.  The web interface is
>    here - https://siem.modsecurity.org/itactics/index.vurl
>
> If you would like access to either of these logging interfaces, please let
> me know and I will setup an account for you.  Just let me know a preferred
> username.  I will then create your account and send you back the password.
>  You can then login and change your password.
>
> If you plan to deploy a Sensor, you should log into the AuditConsole and
> setup your Sensor with a username/password.  You will then specify these
> credentials in the mlogc.conf file (steps below).
>
> ====================
> New Sensor Image
> ====================
> We have a new VM configured with the latest ModSecurity code (v2.7 trunk)
> and OWASP CRS (v2.3.3).
> You can download the image file (~345 MB) here -
>
> http://projects.webappsec.org/w/file/fetch/50692158/wasc-honeypot-4v3.zip?force_download=1
>
> OS Login Credentials -
> Username = hpadmin
> Password = hpadmin
>
> Use "sudo" for root activities.
>
> Once you are logged in, you should setup your Sensor's mlogc
> username/password creds so you can send data to the AuditConsole (above).
>
> Execute - # /opt/wasc-honeypot/sbin/wasc-honeypot-config.sh and then
> specify the proper username/password you setup in the AuditConsole for your
> Sensor.  This will then automatically restart all services with the new
> settings.  When you get traffic to your Sensor, this data should show up in
> the AuditConsole.
>
> ====================
> Non-VM Option
> ====================
> If you already have an Apache/ModSecurity setup and don't want to have to run
> a VM, you can simply add the honeypot configs from here -
>
> http://projects.webappsec.org/w/file/fetch/50717665/wasc_honeypot_configs.tar.gz?force_download=1
>
> You should edit your httpd.conf file and add in similar settings -
>
> ### Configure ModSecurity Configuration and Rules
> # Config
> Include /opt/wasc-honeypot/etc/modsecurity_main.conf
> Include /opt/wasc-honeypot/etc/crs/modsecurity_crs_10_config.conf
> # Rules
> Include /opt/wasc-honeypot/etc/honeypot_begin.conf
> Include /opt/wasc-honeypot/etc/crs/activated_rules/*.conf
> Include /opt/wasc-honeypot/etc/honeypot_end.conf
>
> Adjust the paths appropriately for your setup.  The concept is to "wrap"
> the honeypot config files (honeypot_begin.conf and honeypot_end.conf)
> around your existing ModSecurity/OWASP CRS settings.  These new configs
> will essentially have your apache server listen on additional ports and
> update some current CRS rules to automatically download RFI payloads.
>
> ====================
> Non-Proxying Options
> ====================
> The default operating model for the Apache honeypots is to function as an
> open proxy.  The honeypot_begin.conf file specifies the "ProxyRequests On"
> Apache directive.  If you do not want to run your honeypot as an open
> proxy, simply comment out this line or set it to "ProxyRequests Off".
>
>
> ====================
> WASC Honeypots Chat Options
> ====================
> I was thinking that we should setup a LIVE chat for the project somewhere
> (Skype Channel, Google+ Hangout, etc…) to help facilitate discussions when
> people are running their sensors, reviewing audit logs, etc..
>
> Does anyone have a preference for applications/tools to use for the LIVE
> chat?
>
> ====================
> WASC Honeypots WebEx Demo
> ====================
> I was also thinking of setting up a LIVE WebEx session sometime soon so we
> can all get an initial kick-off of the next phase and demo all this new stuff.
>  If you are interested in this idea, please let me know and I will set one
> up soon.
>
> If you have any specific questions please let me know.
>
> Happy Honeypotting!
>
> --
> Ryan Barnett
> WASC Distributed Web Honeypot Project Leader
>
>
> _______________________________________________
> wasc-honeypots mailing list
> wasc-honeypots at lists.webappsec.org
>
> http://lists.webappsec.org/mailman/listinfo/wasc-honeypots_lists.webappsec.org
>
>


-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at sourcefire.com
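Added example, not part of the original mail or the WASC project's own code: a small pre-deployment check for the "Non-VM Option" and "Non-Proxying Options" sections above. It reads an httpd.conf fragment and confirms that honeypot_begin.conf is included before the CRS activated_rules and honeypot_end.conf after them (the "wrap" Ryan describes), and reports whether a honeypot_begin.conf fragment still leaves Apache as an open proxy. The sample config fragments are constructed for illustration; the real honeypot_begin.conf contents beyond the "ProxyRequests On" line, and the extra listening ports, are not shown in the mail, so the `Listen 8080` line and file layout are assumptions.

```python
"""Pre-deployment sanity check for the non-VM WASC honeypot setup.

Added example (not project code). Assumes the Include layout quoted in the
mail: honeypot_begin.conf, crs/activated_rules/*.conf, honeypot_end.conf.
"""
import re

INCLUDE_RE = re.compile(r'^Include(?:Optional)?\s+(\S+)', re.IGNORECASE)
PROXY_RE = re.compile(r'^ProxyRequests\s+(On|Off)$', re.IGNORECASE)


def directives(conf_text):
    """Yield the non-blank, non-comment lines of an Apache config fragment."""
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield stripped


def include_order(httpd_conf):
    """Return Include targets in the order Apache would process them."""
    return [m.group(1) for line in directives(httpd_conf)
            for m in [INCLUDE_RE.match(line)] if m]


def check_wrap(httpd_conf):
    """Verify that honeypot_begin.conf precedes the CRS activated_rules and
    honeypot_end.conf follows them.  Returns a list of problems (empty = OK).
    Ordering matters because honeypot_end.conf updates CRS rules, which must
    already have been loaded when that file is processed."""
    paths = include_order(httpd_conf)

    def pos(marker):
        for i, p in enumerate(paths):
            if marker in p:
                return i
        return None

    begin, rules, end = (pos("honeypot_begin.conf"),
                         pos("activated_rules"),
                         pos("honeypot_end.conf"))
    problems = []
    if begin is None:
        problems.append("honeypot_begin.conf is not included")
    if rules is None:
        problems.append("no CRS activated_rules Include found")
    if end is None:
        problems.append("honeypot_end.conf is not included")
    if None not in (begin, rules) and begin > rules:
        problems.append("honeypot_begin.conf must come before activated_rules")
    if None not in (rules, end) and end < rules:
        problems.append("honeypot_end.conf must come after activated_rules")
    return problems


def proxy_mode(begin_conf):
    """Report whether a honeypot_begin.conf fragment leaves Apache as an open
    proxy.  The last effective ProxyRequests directive wins; a commented-out
    line does not count, so '# ProxyRequests On' is correctly ignored."""
    mode = "unset"
    for line in directives(begin_conf):
        m = PROXY_RE.match(line)
        if m:
            mode = "open-proxy" if m.group(1).lower() == "on" else "closed"
    return mode


# Constructed sample: the Include lines exactly as quoted in the mail.
GOOD_HTTPD = """\
### Configure ModSecurity Configuration and Rules
# Config
Include /opt/wasc-honeypot/etc/modsecurity_main.conf
Include /opt/wasc-honeypot/etc/crs/modsecurity_crs_10_config.conf
# Rules
Include /opt/wasc-honeypot/etc/honeypot_begin.conf
Include /opt/wasc-honeypot/etc/crs/activated_rules/*.conf
Include /opt/wasc-honeypot/etc/honeypot_end.conf
"""

# Constructed mistake: the wrap is inverted.
BAD_HTTPD = """\
Include /opt/wasc-honeypot/etc/modsecurity_main.conf
Include /opt/wasc-honeypot/etc/honeypot_end.conf
Include /opt/wasc-honeypot/etc/crs/activated_rules/*.conf
Include /opt/wasc-honeypot/etc/honeypot_begin.conf
"""

# Constructed honeypot_begin.conf fragments (port number is an assumption).
BEGIN_OPEN = "Listen 8080\nProxyRequests On\n"
BEGIN_CLOSED = "Listen 8080\n# ProxyRequests On\nProxyRequests Off\n"

if __name__ == "__main__":
    for name, conf in (("good", GOOD_HTTPD), ("bad", BAD_HTTPD)):
        print(name, "wrap problems:", check_wrap(conf) or "none")
    for name, conf in (("open", BEGIN_OPEN), ("closed", BEGIN_CLOSED)):
        print(name, "->", proxy_mode(conf))
```

Run it against your own files with `check_wrap(open("/etc/httpd/conf/httpd.conf").read())` and `proxy_mode(open("/opt/wasc-honeypot/etc/honeypot_begin.conf").read())` before starting Apache; a result of `open-proxy` means the sensor will relay arbitrary requests for anyone who finds it, which is the intended honeypot behaviour only if you chose it deliberately.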