[Wasc-honeypots] Next Phase - Here we come!

Cleber Brandao cleber.brandao at locaweb.com.br
Thu Feb 9 12:01:06 EST 2012


Hi
I hope to deploy a new sensor in the next week.

cheers

Cleber Brandao
Information Security Specialist

Locaweb
Leader in Hosting in Brazil and Latin America in 2010, according to IDC

www.locaweb.com.br
Telefone: +55 11 3544-0444
Celular: +55 11 9333-9429




On 09/02/2012, at 14:27, Alex Kirk wrote:

> I'm just awaiting hardware before doing so. May be a few weeks yet given data center issues. 
> 
> On Thu, Feb 9, 2012 at 10:38 AM, Ryan Barnett <rcbarnett at gmail.com> wrote:
> Just checking in as no one has replied to this email on the project list…
> 
> Is anyone planning on deploying a Sensor(s)?
> 
> Ryan
> 
> From: Ryan Barnett <rcbarnett at gmail.com>
> Date: Wed, 08 Feb 2012 12:02:12 -0500
> To: <wasc-honeypots at lists.webappsec.org>
> Subject: Next Phase - Here we come!
> 
> Greetings Everyone,
> This has been a long time coming but we are finally ready to start the next phase of our WASC Distributed Web Honeypots Project.  Here is a quick rundown of the current status and next steps.
> 
> ====================
> New Central Logging Hosts
> ====================
> One of the long delays was due to finding a suitable replacement(s) for the old ModSecurity Community Console.  We have since deployed two central logging servers.
> Jwall's ModSecurity AuditConsole - http://jwall.org/web/audit/console/index.jsp.  We deployed Christian's application to a central host here - https://console.modsecurity.org/login.  This is where all of the ModSecurity audit log data from the honeypot sensors will be sent.
> Trustwave's SIEM – https://www.trustwave.com/siem/. The ModSecurity VM sensors are configured to send the short ModSecurity error_log data through local Syslog and then onto the SIEM host.  The web interface is here - https://siem.modsecurity.org/itactics/index.vurl
> If you would like access to either of these logging interfaces, please let me know and I will setup an account for you.  Just let me know a preferred username.  I will then create your account and send you back the password.  You can then login and change your password.
> 
> If you plan to deploy a Sensor, you should log into the AuditConsole and setup your Sensor with a username/password.  You will then specify these credentials in the mlogc.conf file (steps below).
> 
> ====================
> New Sensor Image
> ====================
> We have a new VM configured with the latest ModSecurity code (v2.7 trunk) and OWASP CRS (v2.3.3).
> You can download the image file (~345 MB) here -
> http://projects.webappsec.org/w/file/fetch/50692158/wasc-honeypot-4v3.zip?force_download=1
> 
> OS Login Credentials -
> Username = hpadmin
> Password = hpadmin
> 
> Use "sudo" for root activities.
> 
> Once you are logged in, you should setup your Sensor's mlogc username/password creds so you can send data to the AuditConsole (above).
> 
> Execute - # /opt/wasc-honeypot/sbin/wasc-honeypot-config.sh and then specify the proper username/password you setup in the AuditConsole for your Sensor.  This will then automatically restart all services with the new settings.  When you get traffic to your Sensor, this data should show up in the AuditConsole.
> 
> ====================
> Non-VM Option
> ====================
> If you already have an Apache/ModSecurity setup and don't want to have to run a VM, you can simply add the honeypot configs from here - 
> http://projects.webappsec.org/w/file/fetch/50717665/wasc_honeypot_configs.tar.gz?force_download=1
> 
> You should edit your httpd.conf file and add in similar settings -
> 
> ### Configure ModSecurity Configuration and Rules
> # Config
> Include /opt/wasc-honeypot/etc/modsecurity_main.conf
> Include /opt/wasc-honeypot/etc/crs/modsecurity_crs_10_config.conf
> # Rules
> Include /opt/wasc-honeypot/etc/honeypot_begin.conf
> Include /opt/wasc-honeypot/etc/crs/activated_rules/*.conf
> Include /opt/wasc-honeypot/etc/honeypot_end.conf
> 
> Adjust the paths appropriately for your setup.  The concept is to "wrap" the honeypot config files (honeypot_begin.conf and honeypot_end.conf) around your existing ModSecurity/OWASP CRS settings.  These new configs will essentially have your apache server listen on additional ports and update some current CRS rules to automatically download RFI payloads.
> 
> ====================
> Non-Proxying Options
> ====================
> The default operating model for the Apache honeypots is to function as an open proxy.  The honeypot_begin.conf file specifies the "ProxyRequests On" Apache directive.  If you do not want to run your honeypot as an open proxy, simply comment out this line or set it to "ProxyRequests Off".
> 
> 
> ====================
> WASC Honeypots Chat Options
> ====================
> I was thinking that we should setup a LIVE chat for the project somewhere (Skype Channel, Google+ Hangout, etc…) to help facilitate discussions when people are running their sensors, reviewing audit logs, etc.
> 
> Does anyone have a preference for applications/tools to use for the LIVE chat?
> 
> ====================
> WASC Honeypots WebEx Demo
> ====================
> I was also thinking of setting up a LIVE WebEx session sometime soon so we can all get an initial kick-off of the next phase and demo all this new stuff.  If you are interested in this idea, please let me know and I will set one up soon.
> 
> If you have any specific questions please let me know.
> 
> Happy Honeypotting!
> 
> --
> Ryan Barnett
> WASC Distributed Web Honeypot Project Leader
> 
> _______________________________________________
> wasc-honeypots mailing list
> wasc-honeypots at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/wasc-honeypots_lists.webappsec.org
> 
> 
> 
> 
> -- 
> Alex Kirk
> AEGIS Program Lead
> Sourcefire Vulnerability Research Team
> +1-410-423-1937
> alex.kirk at sourcefire.com
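Added here as an illustration, not part of the thread or of the project's own distribution: a small Python check for the two configuration points in Ryan's mail, that honeypot_begin.conf and honeypot_end.conf wrap the CRS activated_rules Include in httpd.conf, and whether a honeypot_begin.conf body still leaves the sensor running as an open proxy. The httpd.conf fragments are constructed samples modelled on the Include list in the mail.

```python
import re

# Constructed httpd.conf fragment in the Include order the mail recommends.
GOOD_HTTPD_CONF = """\
Include /opt/wasc-honeypot/etc/modsecurity_main.conf
Include /opt/wasc-honeypot/etc/crs/modsecurity_crs_10_config.conf
Include /opt/wasc-honeypot/etc/honeypot_begin.conf
Include /opt/wasc-honeypot/etc/crs/activated_rules/*.conf
Include /opt/wasc-honeypot/etc/honeypot_end.conf
"""
# Constructed fragment with the wrap broken: begin after the rules, end missing.
BAD_HTTPD_CONF = """\
Include /opt/wasc-honeypot/etc/crs/activated_rules/*.conf
Include /opt/wasc-honeypot/etc/honeypot_begin.conf
"""
INCLUDE_RE = re.compile(r"^\s*Include\s+(\S+)", re.I | re.M)
# A leading '#' is not whitespace, so commented-out directives never match.
PROXY_RE = re.compile(r"^\s*ProxyRequests\s+(\w+)", re.I | re.M)

def check_wrap(conf_text):
    """Problems with the begin/rules/end wrap; an empty list means the order is right."""
    paths = INCLUDE_RE.findall(conf_text)  # Include paths in the order Apache reads them

    def position(marker):
        for i, path in enumerate(paths):
            if marker in path:
                return i
        return None

    begin = position("honeypot_begin.conf")
    rules = position("activated_rules")
    end = position("honeypot_end.conf")
    problems = []
    if begin is None:
        problems.append("honeypot_begin.conf is not included")
    if end is None:
        problems.append("honeypot_end.conf is not included")
    if rules is None:
        problems.append("no CRS activated_rules Include found")
    if None not in (begin, rules) and begin > rules:
        problems.append("honeypot_begin.conf must come before the CRS rules")
    if None not in (rules, end) and end < rules:
        problems.append("honeypot_end.conf must come after the CRS rules")
    return problems

def proxy_mode(begin_conf_text):
    """'open-proxy', 'closed' or 'unset' for a honeypot_begin.conf body (last directive wins)."""
    values = PROXY_RE.findall(begin_conf_text)
    if not values:
        return "unset"
    return "open-proxy" if values[-1].lower() == "on" else "closed"
```

Run `check_wrap` on the text of your httpd.conf and `proxy_mode` on honeypot_begin.conf before restarting Apache; a non-empty problem list or an "open-proxy" result is the thing to fix first.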
