[Wasc-honeypots] Next Phase - Here we come!

Ryan Barnett rcbarnett at gmail.com
Thu May 24 09:05:29 EDT 2012

Resending this email to the list as we would like to get more sensors
online.  Let me know if you are interested.


From:  Ryan Barnett <rcbarnett at gmail.com>
Date:  Wed, 08 Feb 2012 12:02:12 -0500
To:  <wasc-honeypots at lists.webappsec.org>
Subject:  Next Phase - Here we come!

> Greetings Everyone,
> This has been a long time coming but we are finally ready to start the next
> phase of our WASC Distributed Web Honeypots Project.  Here is a quick rundown
> of that current status and next steps.
> ====================
> New Central Logging Hosts
> ====================
> One of the long delays was due to finding a suitable replacement(s) for the
> old ModSecurity Community Console.  We have since deployed two central logging
> servers.
> 1. Jwall's ModSecurity AuditConsole -
> http://jwall.org/web/audit/console/index.jsp.  We deployed Christian's
> application to a central host here - https://console.modsecurity.org/login.
> This is where all of the ModSecurity audit log data from the honeypot sensors
> will be sent.
> 2. Trustwave's SIEM ­ https://www.trustwave.com/siem/. The ModSecurity VM
> sensors are configured to send the short ModSecurity error_log data through
> local Syslog and then onto the SIEM host.  The web interface is here -
> https://siem.modsecurity.org/itactics/index.vurl
> If you would like access to either of these logging interfaces, please let me
> know and I will setup an account for you.  Just let me know a preferred
> username.  I will then create your account and sent you back the password.
> You can then login and change your password.
> If you plan to deploy a Sensor, you should log into the AuditConsole and setup
> your Sensor with a username/password.  You will then specify these credentials
> in the mlogc.conf file (steps below).
> ====================
> New Sensor Image
> ====================
> We have a new VM configured with the latest ModSecurity code (v2.7 trunk) and
> OWASP CRS (v2.3.3).
> You can download the image file (~345 MB) here -
> http://projects.webappsec.org/w/file/fetch/50692158/wasc-honeypot-4v3.zip?forc
> e_download=1
> OS Login Credentials -
> Username = hpadmin
> Password = hpadmin
> Use "sudo" for root activities.
> Once you are logged in, you should setup your Sensor's mlogc username/password
> creds so you can send data to the AuditConsole (above).
> Execute - # /opt/wasc-honeypot/sbin/wasc-honeypot-config.sh and then specify
> the proper username/password you setup in the AuditConsole for your Sensor.
> This will then automatically restart all services with the new settings.  When
> you get traffic to your Sensor, this data should show up in the AuditConsole.
> ====================
> Non-VM Option
> ====================
> If already have an Apache/ModSecurity setup and don't want to have to run a
> VM, you can simply add the honeypot configs from here -
> http://projects.webappsec.org/w/file/fetch/50717665/wasc_honeypot_configs.tar.
> gz?force_download=1
> You should edit your httpd.conf file and add in similar settings -
> ### Configure ModSecurity Configuration and Rules
> # Config
> Include /opt/wasc-honeypot/etc/modsecurity_main.conf
> Include /opt/wasc-honeypot/etc/crs/modsecurity_crs_10_config.conf
> # Rules
> Include /opt/wasc-honeypot/etc/honeypot_begin.conf
> Include /opt/wasc-honeypot/etc/crs/activated_rules/*.conf
> Include /opt/wasc-honeypot/etc/honeypot_end.conf
> Adjust the paths appropriately for your setup.  The concept is to "wrap" the
> honeypot config files (honeypot_begin.conf and honeypot_end.conf) around your
> existing ModSecurity/OWASP CRS settings.  These new configs will essentially
> have your apache server listen on additional ports and update some current CRS
> rules to automatically download RFI payloads.
> ====================
> Non-Proxying Options
> ====================
> The default operating model for the Apache honeypots is to function as an open
> proxy.  The honeypot_begin.conf file specifies the "ProxyRequests On" Apache
> directive.  If you do not want to run your honeypot as an open proxy, simply
> comment out this line or set it to "ProxyRequests Off".
> ====================
> WASC Honeypots Chat Options
> ====================
> I was thinking that we should setup a LIVE chat for the project somewhere
> (Skype Channel, Google+ Hangout, etcŠ) to help facilitate discussions when
> people are running their sensors, reviewing audit logs, etc..
> Does anyone have a preference for applications/tools to use for the LIVE chat?
> ====================
> WASC Honeypots WebEx Demo
> ====================
> I was also thinking of setting up a LIVE WebEx session sometime soon so we can
> all get an initial kick-off the next phase and demo all this new stuff.  If
> you are interested in this idea, please let me know and I will set one up
> soon.
> If you have any specific questions please let me know.
> Happy Honeypotting!
> --
> Ryan Barnett
> WASC Distributed Web Honeypot Project Leader

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/wasc-honeypots_lists.webappsec.org/attachments/20120524/e48124b7/attachment-0003.html>

More information about the wasc-honeypots mailing list