Greetings Everyone,
This has been a long time coming but we are finally ready to start the next
phase of our WASC Distributed Web Honeypots Project. Here is a quick
rundown of the current status and next steps.
One of the long delays was due to finding a suitable replacement(s) for the
old ModSecurity Community Console. We have since deployed two central
logging servers.
If you plan to deploy a Sensor, you should log into the AuditConsole and
set up your Sensor with a username/password. You will then specify these
credentials in the mlogc.conf file (steps below).
We have a new VM configured with the latest ModSecurity code (v2.7 trunk)
and OWASP CRS (v2.3.3).
You can download the image file (~345 MB) here -
http://projects.webappsec.org/w/file/fetch/50692158/wasc-honeypot-4v3.zip?force_download=1
OS Login Credentials -
Username = hpadmin
Password = hpadmin
Use "sudo" for root activities.
Once you are logged in, you should set up your Sensor's mlogc
username/password creds so you can send data to the AuditConsole (above).
Execute - # /opt/wasc-honeypot/sbin/wasc-honeypot-config.sh and then specify
the proper username/password you set up in the AuditConsole for your Sensor.
This will then automatically restart all services with the new settings.
When you get traffic to your Sensor, this data should show up in the
AuditConsole.
If you already have an Apache/ModSecurity setup and don't want to have to run a
VM, you can simply add the honeypot configs from here -
http://projects.webappsec.org/w/file/fetch/50717665/wasc_honeypot_configs.tar.gz?force_download=1
You should edit your httpd.conf file and add in similar settings -
Include /opt/wasc-honeypot/etc/modsecurity_main.conf
Include /opt/wasc-honeypot/etc/crs/modsecurity_crs_10_config.conf
Include /opt/wasc-honeypot/etc/honeypot_begin.conf
Include /opt/wasc-honeypot/etc/crs/activated_rules/*.conf
Include /opt/wasc-honeypot/etc/honeypot_end.conf
Adjust the paths appropriately for your setup. The concept is to "wrap" the
honeypot config files (honeypot_begin.conf and honeypot_end.conf) around
your existing ModSecurity/OWASP CRS settings. These new configs will
essentially have your Apache server listen on additional ports and update
some current CRS rules to automatically download RFI payloads.
The default operating model for the Apache honeypots is to function as an
open proxy. The honeypot_begin.conf file specifies the "ProxyRequests On"
Apache directive. If you do not want to run your honeypot as an open proxy,
simply comment out this line or set it to "ProxyRequests Off".
I was thinking that we should set up a LIVE chat for the project somewhere
(Skype Channel, Google+ Hangout, etc.) to help facilitate discussions when
people are running their sensors, reviewing audit logs, etc.
Does anyone have a preference for applications/tools to use for the LIVE
chat?
I was also thinking of setting up a LIVE WebEx session sometime soon so we
can all get an initial kick-off of the next phase and demo all this new stuff.
If you are interested in this idea, please let me know and I will set one up
soon.
If you have any specific questions please let me know.
Happy Honeypotting!
--
Ryan Barnett
WASC Distributed Web Honeypot Project Leader
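The checks below are an added example, not part of the original post or the project's own scripts: they verify that an httpd.conf loads the CRS rules between honeypot_begin.conf and honeypot_end.conf as the message describes, and report whether ProxyRequests leaves the sensor running as an open proxy. The honeypot_begin.conf contents (including the port) are constructed, and the function names are hypothetical.

```python
# Added example: audit a sensor's Apache config for the "wrap" ordering and
# for the open-proxy setting described in the message above.

# The Include lines exactly as given in the post.
HTTPD_CONF = """\
Include /opt/wasc-honeypot/etc/modsecurity_main.conf
Include /opt/wasc-honeypot/etc/crs/modsecurity_crs_10_config.conf
Include /opt/wasc-honeypot/etc/honeypot_begin.conf
Include /opt/wasc-honeypot/etc/crs/activated_rules/*.conf
Include /opt/wasc-honeypot/etc/honeypot_end.conf
"""

# Constructed stand-in for honeypot_begin.conf. Only "ProxyRequests On" is
# taken from the post; the Listen port is an assumption for illustration.
BEGIN_CONF_DEFAULT = """\
# constructed sample, not the project's file
Listen 8080
ProxyRequests On
"""


def directives(text):
    """Yield (lowercased name, argument string) for each active directive.

    Apache treats a line whose first non-blank character is '#' as a comment,
    so a commented-out directive is skipped here as well.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def include_order_problems(httpd_conf):
    """Return a list of problems with the begin / rules / end ordering."""
    paths = [arg.strip('"') for name, arg in directives(httpd_conf)
             if name in ("include", "includeoptional")]
    begin = [i for i, p in enumerate(paths) if p.endswith("honeypot_begin.conf")]
    end = [i for i, p in enumerate(paths) if p.endswith("honeypot_end.conf")]
    rules = [i for i, p in enumerate(paths) if "activated_rules" in p]

    problems = []
    if not begin:
        problems.append("honeypot_begin.conf is not included")
    if not end:
        problems.append("honeypot_end.conf is not included")
    if not rules:
        problems.append("no CRS activated_rules include found")
    if begin and end and begin[0] > end[-1]:
        problems.append("honeypot_begin.conf is included after honeypot_end.conf")
    for i in rules:
        if begin and i < begin[0]:
            problems.append(f"{paths[i]} is loaded before honeypot_begin.conf")
        if end and i > end[-1]:
            problems.append(f"{paths[i]} is loaded after honeypot_end.conf")
    return problems


def open_proxy_enabled(conf_text):
    """True if the last active ProxyRequests line in the text is 'On'.

    Assumes every ProxyRequests line sits in the same server context, so the
    last one wins. Apache's default when the directive is absent is Off.
    """
    value = "off"
    for name, arg in directives(conf_text):
        if name == "proxyrequests":
            value = arg.lower()
    return value == "on"


def audit(httpd_conf, begin_conf):
    """Combine both checks into one report dictionary."""
    return {
        "include_problems": include_order_problems(httpd_conf),
        "open_proxy": open_proxy_enabled(begin_conf),
    }


if __name__ == "__main__":
    report = audit(HTTPD_CONF, BEGIN_CONF_DEFAULT)
    print("include order problems:", report["include_problems"] or "none")
    print("running as open proxy:", report["open_proxy"])
```

To audit a real sensor, read the files from disk and pass their text to `audit()`.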
Just checking in as no one has replied to this email on the project list
Is anyone planning on deploying a Sensor(s)?
Ryan
From: Ryan Barnett rcbarnett@gmail.com
Date: Wed, 08 Feb 2012 12:02:12 -0500
To: wasc-honeypots@lists.webappsec.org
Subject: Next Phase - Here we come!
I'm just awaiting hardware before doing so. May be a few weeks yet given
data center issues.
On Feb 9, 2012 9:39 AM, "Ryan Barnett" rcbarnett@gmail.com wrote:
Just checking in as no one has replied to this email on the project list…
Is anyone planning on deploying a Sensor(s)?
Ryan
From: Ryan Barnett rcbarnett@gmail.com
Date: Wed, 08 Feb 2012 12:02:12 -0500
To: wasc-honeypots@lists.webappsec.org
Subject: Next Phase - Here we come!
Greetings Everyone,
This has been a long time coming but we are finally ready to start the
next phase of our WASC Distributed Web Honeypots Project. Here is a quick
rundown of the current status and next steps.
One of the long delays was due to finding a suitable replacement(s) for
the old ModSecurity Community Console. We have since deployed two central
logging servers.
1. Jwall's ModSecurity AuditConsole -
http://jwall.org/web/audit/console/index.jsp. We deployed Christian's
application to a central host here -
https://console.modsecurity.org/login. This is where all of the
ModSecurity audit log data from the honeypot sensors will be sent.
2. Trustwave's SIEM – https://www.trustwave.com/siem/. The ModSecurity
VM sensors are configured to send the short ModSecurity error_log data
through local Syslog and then onto the SIEM host. The web interface is
here - https://siem.modsecurity.org/itactics/index.vurl
If you would like access to either of these logging interfaces, please let
me know and I will set up an account for you. Just let me know a preferred
username. I will then create your account and send you back the password.
You can then log in and change your password.
If you plan to deploy a Sensor, you should log into the AuditConsole and
set up your Sensor with a username/password. You will then specify these
credentials in the mlogc.conf file (steps below).
We have a new VM configured with the latest ModSecurity code (v2.7 trunk)
and OWASP CRS (v2.3.3).
You can download the image file (~345 MB) here -
http://projects.webappsec.org/w/file/fetch/50692158/wasc-honeypot-4v3.zip?force_download=1
OS Login Credentials -
Username = hpadmin
Password = hpadmin
Use "sudo" for root activities.
Once you are logged in, you should set up your Sensor's mlogc
username/password creds so you can send data to the AuditConsole (above).
Execute - # /opt/wasc-honeypot/sbin/wasc-honeypot-config.sh and then
specify the proper username/password you set up in the AuditConsole for your
Sensor. This will then automatically restart all services with the new
settings. When you get traffic to your Sensor, this data should show up in
the AuditConsole.
If you already have an Apache/ModSecurity setup and don't want to have to run
a VM, you can simply add the honeypot configs from here -
http://projects.webappsec.org/w/file/fetch/50717665/wasc_honeypot_configs.tar.gz?force_download=1
You should edit your httpd.conf file and add in similar settings -
Include /opt/wasc-honeypot/etc/modsecurity_main.conf
Include /opt/wasc-honeypot/etc/crs/modsecurity_crs_10_config.conf
Include /opt/wasc-honeypot/etc/honeypot_begin.conf
Include /opt/wasc-honeypot/etc/crs/activated_rules/*.conf
Include /opt/wasc-honeypot/etc/honeypot_end.conf
Adjust the paths appropriately for your setup. The concept is to "wrap"
the honeypot config files (honeypot_begin.conf and honeypot_end.conf)
around your existing ModSecurity/OWASP CRS settings. These new configs
will essentially have your Apache server listen on additional ports and
update some current CRS rules to automatically download RFI payloads.
The default operating model for the Apache honeypots is to function as an
open proxy. The honeypot_begin.conf file specifies the "ProxyRequests On"
Apache directive. If you do not want to run your honeypot as an open
proxy, simply comment out this line or set it to "ProxyRequests Off".
I was thinking that we should set up a LIVE chat for the project somewhere
(Skype Channel, Google+ Hangout, etc…) to help facilitate discussions when
people are running their sensors, reviewing audit logs, etc.
Does anyone have a preference for applications/tools to use for the LIVE
chat?
I was also thinking of setting up a LIVE WebEx session sometime soon so we
can all get an initial kick-off of the next phase and demo all this new stuff.
If you are interested in this idea, please let me know and I will set one
up soon.
If you have any specific questions please let me know.
Happy Honeypotting!
--
Ryan Barnett
WASC Distributed Web Honeypot Project Leader
wasc-honeypots mailing list
wasc-honeypots@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-honeypots_lists.webappsec.org
I'm downloading the virtual machine now. Hoping to have a functional
sensor by the end of the weekend.
Andre Waite
--
http://www.infosanity.co.uk | http://www.linkedin.com/in/andrewwaite | http://twitter.com/infosanity
On 09/02/12 15:38, Ryan Barnett wrote:
Just checking in as no one has replied to this email on the project
list...
Is anyone planning on deploying a Sensor(s)?
Ryan
From: Ryan Barnett <rcbarnett@gmail.com>
Date: Wed, 08 Feb 2012 12:02:12 -0500
To: <wasc-honeypots@lists.webappsec.org>
Subject: Next Phase - Here we come!
Greetings Everyone,
This has been a long time coming but we are finally ready to start
the next phase of our WASC Distributed Web Honeypots Project.
Here is a quick rundown of the current status and next steps.
====================
New Central Logging Hosts
====================
One of the long delays was due to finding a suitable
replacement(s) for the old ModSecurity Community Console. We have
since deployed two central logging servers.
1. Jwall's ModSecurity AuditConsole -
http://jwall.org/web/audit/console/index.jsp. We deployed
Christian's application to a central host here -
https://console.modsecurity.org/login. This is where all of
the ModSecurity audit log data from the honeypot sensors will
be sent.
2. Trustwave's SIEM -- https://www.trustwave.com/siem/. The
ModSecurity VM sensors are configured to send the short
ModSecurity error_log data through local Syslog and then onto
the SIEM host. The web interface is here -
https://siem.modsecurity.org/itactics/index.vurl
If you would like access to either of these logging interfaces,
please let me know and I will set up an account for you. Just let
me know a preferred username. I will then create your account and
send you back the password. You can then log in and change your
password.
If you plan to deploy a Sensor, you should log into the
AuditConsole and set up your Sensor with a username/password. You
will then specify these credentials in the mlogc.conf file (steps
below).
====================
New Sensor Image
====================
We have a new VM configured with the latest ModSecurity code (v2.7
trunk) and OWASP CRS (v2.3.3).
You can download the image file (~345 MB) here -
http://projects.webappsec.org/w/file/fetch/50692158/wasc-honeypot-4v3.zip?force_download=1
OS Login Credentials -
Username = hpadmin
Password = hpadmin
Use "sudo" for root activities.
Once you are logged in, you should set up your Sensor's mlogc
username/password creds so you can send data to the AuditConsole
(above).
Execute - *# /opt/wasc-honeypot/sbin/wasc-honeypot-config.sh* and
then specify the proper username/password you set up in the
AuditConsole for your Sensor. This will then automatically
restart all services with the new settings. When you get traffic
to your Sensor, this data should show up in the AuditConsole.
====================
Non-VM Option
====================
If you already have an Apache/ModSecurity setup and don't want to have
to run a VM, you can simply add the honeypot configs from here -
http://projects.webappsec.org/w/file/fetch/50717665/wasc_honeypot_configs.tar.gz?force_download=1
You should edit your httpd.conf file and add in similar settings -
### Configure ModSecurity Configuration and Rules
# Config
Include /opt/wasc-honeypot/etc/modsecurity_main.conf
Include /opt/wasc-honeypot/etc/crs/modsecurity_crs_10_config.conf
# Rules
Include /opt/wasc-honeypot/etc/honeypot_begin.conf
Include /opt/wasc-honeypot/etc/crs/activated_rules/*.conf
Include /opt/wasc-honeypot/etc/honeypot_end.conf
Adjust the paths appropriately for your setup. The concept is to
"wrap" the honeypot config files (honeypot_begin.conf and
honeypot_end.conf) around your existing ModSecurity/OWASP CRS
settings. These new configs will essentially have your Apache
server listen on additional ports and update some current CRS
rules to automatically download RFI payloads.
====================
Non-Proxying Options
====================
The default operating model for the Apache honeypots is to
function as an open proxy. The honeypot_begin.conf file specifies
the "ProxyRequests On" Apache directive. If you do not want to
run your honeypot as an open proxy, simply comment out this line
or set it to "ProxyRequests Off".
====================
WASC Honeypots Chat Options
====================
I was thinking that we should set up a LIVE chat for the project
somewhere (Skype Channel, Google+ Hangout, etc...) to help
facilitate discussions when people are running their sensors,
reviewing audit logs, etc.
Does anyone have a preference for applications/tools to use for
the LIVE chat?
====================
WASC Honeypots WebEx Demo
====================
I was also thinking of setting up a LIVE WebEx session sometime
soon so we can all get an initial kick-off of the next phase and demo
all this new stuff. If you are interested in this idea, please
let me know and I will set one up soon.
If you have any specific questions please let me know.
Happy Honeypotting!
--
Ryan Barnett
WASC Distributed Web Honeypot Project Leader
I'm just awaiting hardware before doing so. May be a few weeks yet given
data center issues.
On Thu, Feb 9, 2012 at 10:38 AM, Ryan Barnett rcbarnett@gmail.com wrote:
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk@sourcefire.com
Hi
I hope to deploy a new sensor in the next week.
cheers
Cleber Brandao
Information Security Specialist
Locaweb
Leader in Hosting in Brazil and Latin America in 2010, according to IDC
www.locaweb.com.br
Phone: +55 11 3544-0444
Mobile: +55 11 9333-9429
On 09/02/2012, at 14:27, Alex Kirk wrote:
I'm just awaiting hardware before doing so. May be a few weeks yet given data center issues.
On Thu, Feb 9, 2012 at 10:38 AM, Ryan Barnett rcbarnett@gmail.com wrote:
Resending this email to the list as we would like to get more sensors
online. Let me know if you are interested.
-Ryan
From: Ryan Barnett rcbarnett@gmail.com
Date: Wed, 08 Feb 2012 12:02:12 -0500
To: wasc-honeypots@lists.webappsec.org
Subject: Next Phase - Here we come!