[Wasc-honeypots] Next Phase - Here we come!
rcbarnett at gmail.com
Thu May 24 09:05:29 EDT 2012
Resending this email to the list as we would like to get more sensors
online. Let me know if you are interested.
From: Ryan Barnett <rcbarnett at gmail.com>
Date: Wed, 08 Feb 2012 12:02:12 -0500
To: <wasc-honeypots at lists.webappsec.org>
Subject: Next Phase - Here we come!
> Greetings Everyone,
> This has been a long time coming but we are finally ready to start the next
> phase of our WASC Distributed Web Honeypots Project. Here is a quick rundown
> of that current status and next steps.
> New Central Logging Hosts
> One of the long delays was due to finding a suitable replacement(s) for the
> old ModSecurity Community Console. We have since deployed two central logging
> 1. Jwall's ModSecurity AuditConsole -
> http://jwall.org/web/audit/console/index.jsp. We deployed Christian's
> application to a central host here - https://console.modsecurity.org/login.
> This is where all of the ModSecurity audit log data from the honeypot sensors
> will be sent.
> 2. Trustwave's SIEM https://www.trustwave.com/siem/. The ModSecurity VM
> sensors are configured to send the short ModSecurity error_log data through
> local Syslog and then onto the SIEM host. The web interface is here -
> If you would like access to either of these logging interfaces, please let me
> know and I will setup an account for you. Just let me know a preferred
> username. I will then create your account and sent you back the password.
> You can then login and change your password.
> If you plan to deploy a Sensor, you should log into the AuditConsole and setup
> your Sensor with a username/password. You will then specify these credentials
> in the mlogc.conf file (steps below).
> New Sensor Image
> We have a new VM configured with the latest ModSecurity code (v2.7 trunk) and
> OWASP CRS (v2.3.3).
> You can download the image file (~345 MB) here -
> OS Login Credentials -
> Username = hpadmin
> Password = hpadmin
> Use "sudo" for root activities.
> Once you are logged in, you should setup your Sensor's mlogc username/password
> creds so you can send data to the AuditConsole (above).
> Execute - # /opt/wasc-honeypot/sbin/wasc-honeypot-config.sh and then specify
> the proper username/password you setup in the AuditConsole for your Sensor.
> This will then automatically restart all services with the new settings. When
> you get traffic to your Sensor, this data should show up in the AuditConsole.
> Non-VM Option
> If already have an Apache/ModSecurity setup and don't want to have to run a
> VM, you can simply add the honeypot configs from here -
> You should edit your httpd.conf file and add in similar settings -
> ### Configure ModSecurity Configuration and Rules
> # Config
> Include /opt/wasc-honeypot/etc/modsecurity_main.conf
> Include /opt/wasc-honeypot/etc/crs/modsecurity_crs_10_config.conf
> # Rules
> Include /opt/wasc-honeypot/etc/honeypot_begin.conf
> Include /opt/wasc-honeypot/etc/crs/activated_rules/*.conf
> Include /opt/wasc-honeypot/etc/honeypot_end.conf
> Adjust the paths appropriately for your setup. The concept is to "wrap" the
> honeypot config files (honeypot_begin.conf and honeypot_end.conf) around your
> existing ModSecurity/OWASP CRS settings. These new configs will essentially
> have your apache server listen on additional ports and update some current CRS
> rules to automatically download RFI payloads.
> Non-Proxying Options
> The default operating model for the Apache honeypots is to function as an open
> proxy. The honeypot_begin.conf file specifies the "ProxyRequests On" Apache
> directive. If you do not want to run your honeypot as an open proxy, simply
> comment out this line or set it to "ProxyRequests Off".
> WASC Honeypots Chat Options
> I was thinking that we should setup a LIVE chat for the project somewhere
> (Skype Channel, Google+ Hangout, etc) to help facilitate discussions when
> people are running their sensors, reviewing audit logs, etc..
> Does anyone have a preference for applications/tools to use for the LIVE chat?
> WASC Honeypots WebEx Demo
> I was also thinking of setting up a LIVE WebEx session sometime soon so we can
> all get an initial kick-off the next phase and demo all this new stuff. If
> you are interested in this idea, please let me know and I will set one up
> If you have any specific questions please let me know.
> Happy Honeypotting!
> Ryan Barnett
> WASC Distributed Web Honeypot Project Leader
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the wasc-honeypots