New Honeypot Sensor Options

Ryan Barnett
Tue, Oct 11, 2011 7:10 PM

Greetings everyone,
It has been a looooooong time coming but I am excited to announce that we
will be moving forward with the next phase of the WASC Distributed Web
Honeypots Project!  The main task for us has been to get a new central
logging host setup.  We are not going to use the Trustwave SIEM as our
central host and we have it deployed in one of our DMZ segments and are
setting it up now in order to receive external data from sensors.

I have also been updating the VMware honeypot image so that it has the
latest/greatest ModSecurity code, CRS rules, etc...

During the course of internal discussion here in Trustwave's SpiderLabs
Research Team, we were discussing possible alternative approaches to
"Deploying a Sensor".  Currently, we only give participants one option:
deploy the VMware image which will be a complete virtual host with
Apache/ModSecurity.  What we came to realize, however, is that the majority
of participants are already running Apache web servers for other purposes.
So we thought - why not add in some "sensor" type detection within your
existing Apache setups?  The idea would be to simply add in some Apache
Listen directives -

Listen 8000
Listen 8080
Listen 8888

You would then add in corresponding Apache vhost containers for these ports
and configure the Apache ErrorLog directive to use Syslog -

<VirtualHost *:8000>
DocumentRoot /www/example1-80
ServerName www.example1.com
ErrorLog syslog:local7
</VirtualHost>

<VirtualHost *:8080>
DocumentRoot /www/example1-8080
ServerName www.example2.com
ErrorLog syslog:local7
</VirtualHost>

<VirtualHost *:8888>
DocumentRoot /www/example2-80
ServerName www.example3.org
ErrorLog syslog:local7
</VirtualHost>

If the website is using ModSecurity/CRS configured in the base server
context, then it will be inherited by these vhost containers.  For port 80,
you could also add in a similar catch-all container at the end of their
vhost setups.

You would then just need to edit the /etc/syslog.conf settings to point the
local7 facility logs to the central SIEM IP address.

This approach is very similar to our original methodology and may be a bit
easier to deploy than having to deal with VMware images and updating.

Before we proceed with this option, I wanted to gauge the list's thoughts on
this approach.  If we made this option available, would you use it?

Please provide feedback as we would like to test this option ASAP.

Thanks,
Ryan Barnett
WASC Distributed Web Honeypot Project Leader
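To show what the central logging host ends up receiving once each sensor's ErrorLog goes to syslog local7, here is an added example (not part of the post or of the project's own code) that parses forwarded syslog lines, keeps only ModSecurity alerts that arrived on the local7 facility, and maps the [hostname "..."] field back to the decoy port using the three example vhosts above. The sample lines, sensor names, rule ids and file paths are constructed.

```python
import re
from collections import Counter

# Decoy vhosts from the post (ServerName -> Listen port); ModSecurity reports the
# serving vhost in [hostname "..."], so the SIEM can tell which decoy port was hit.
DECOY_PORTS = {"www.example1.com": 8000, "www.example2.com": 8080, "www.example3.org": 8888}
LOCAL7 = 23  # facility number behind "ErrorLog syslog:local7"
# Constructed samples: RFC 3164 lines as a sensor's syslog daemon would forward them.
SAMPLE_LINES = [
    '<187>Oct 11 15:10:45 sensor01 apache2: [error] [client 203.0.113.7] ModSecurity: Warning. '
    'Pattern match "(?i:select.*from)" at ARGS:id. [file "/etc/modsecurity/crs_sqli.conf"] [line "77"] '
    '[id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.example2.com"] '
    '[uri "/index.php"] [unique_id "TpSpOX8AAAEAAF9PBkUAAAAB"]',
    '<187>Oct 11 15:11:02 sensor01 apache2: [error] [client 198.51.100.23] File does not exist: /www/x.ico',
    '<38>Oct 11 15:11:10 sensor01 sshd[2201]: Accepted publickey for ops from 192.0.2.9 port 4022 ssh2',
    '<187>Oct 11 15:12:30 sensor02 httpd: [error] [client 192.0.2.44] ModSecurity: Access denied with '
    'code 403 (phase 2). Matched phrase "../" at REQUEST_URI. [file "/etc/httpd/crs_generic.conf"] '
    '[line "12"] [id "950103"] [msg "Path Traversal Attack"] [severity "CRITICAL"] '
    '[tag "WEB_ATTACK/DIR_TRAVERSAL"] [hostname "www.example3.org"] [uri "/images/../../etc/passwd"]',
]
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>\w{3} [ \d]\d \d\d:\d\d:\d\d (?P<sensor>\S+) "
                       r"[^:\[ ]+(?:\[\d+\])?: (?P<msg>.*)$")  # PRI, timestamp, host, tag[pid]:
MODSEC_RE = re.compile(r"^\[\w+\] \[client (?P<client>[^\]]+)\] ModSecurity: "
                       r"(?P<verdict>[^.]+)\. (?P<details>.*)$")  # Apache ErrorLog body
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # ModSecurity [key "value"] trailer

def parse_sensor_line(line):
    """Return a dict for a ModSecurity alert that arrived on local7, else None."""
    m = SYSLOG_RE.match(line)
    facility, severity = divmod(int(m["pri"]), 8) if m else (None, None)
    if facility != LOCAL7:
        return None  # unparsable or another daemon's traffic, not the honeypot ErrorLog channel
    a = MODSEC_RE.match(m["msg"])
    if not a:
        return None  # plain Apache error (404s, notices), not a ModSecurity event
    alert = {"sensor": m["sensor"], "client": a["client"], "verdict": a["verdict"],
             "syslog_severity": severity, "tags": []}
    for key, value in FIELD_RE.findall(a["details"]):
        if key == "tag":
            alert["tags"].append(value)  # a rule may carry several [tag ...] fields
        else:
            alert[key] = value
    alert["decoy_port"] = DECOY_PORTS.get(alert.get("hostname"))  # None if not a known decoy
    return alert

def summarize(lines):  # ModSecurity alert count per (sensor, decoy port)
    hits = Counter()
    for alert in filter(None, map(parse_sensor_line, lines)):
        hits[(alert["sensor"], alert["decoy_port"])] += 1
    return hits
```

Lines from other facilities and ordinary Apache errors on local7 are dropped, so the per-port counts reflect only what ModSecurity/CRS flagged on the decoy listeners.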

Ryan Barnett
Thu, Oct 13, 2011 1:17 PM

Any comments to this idea?  I had 1 person email me directly.  If you only
want to deploy a VMware Sensor that is fine, just let me know either way.

Thanks,
Ryan

From:  Ryan Barnett rcbarnett@gmail.com
Date:  Tue, 11 Oct 2011 15:10:45 -0400
To:  wasc-honeypots@lists.webappsec.org
Subject:  New Honeypot Sensor Options

Greetings everyone,
It has been a looooooong time coming but I am excited to announce that we will
be moving forward with the next phase of the WASC Distributed Web Honeypots
Project!  The main task for us has been to get a new central logging host
setup.  We are not going to use the Trustwave SIEM as our central host and we
have it deployed in one of our DMZ segments and are setting it up now in order
to receive external data from sensors.

I have also been updating the VMware honeypot image so that it has the
latest/greatest ModSecurity code, CRS rules, etc...

During the course of internal discussion here in Trustwave's SpiderLabs
Research Team, we were discussing possible alternative approaches to
"Deploying a Sensor".  Currently, we only give participants one option: deploy
the VMware image which will be a complete virtual host with
Apache/ModSecurity.  What we came to realize, however, is that the majority of
participants are already running Apache web servers for other purposes.  So we
thought - why not add in some "sensor" type detection within your existing
Apache setups?  The idea would be to simply add in some Apache Listen
directives -

Listen 8000
Listen 8080
Listen 8888

You would then add in corresponding Apache vhost containers for these ports
and configure the Apache ErrorLog directive to use Syslog -

<VirtualHost *:8000>
DocumentRoot /www/example1-80
ServerName www.example1.com
ErrorLog syslog:local7
</VirtualHost>

<VirtualHost *:8080>
DocumentRoot /www/example1-8080
ServerName www.example2.com
ErrorLog syslog:local7
</VirtualHost>

<VirtualHost *:8888>
DocumentRoot /www/example2-80
ServerName www.example3.org
ErrorLog syslog:local7
</VirtualHost>

If the website is using ModSecurity/CRS configured in the base server context,
then it will be inherited by these vhost containers.  For port 80, you could
also add in a similar catch-all container at the end of their vhost setups.

You would then just need to edit the /etc/syslog.conf settings to point the
local7 facility logs to the central SIEM IP address.

This approach is very similar to our original methodology and may be a bit
easier to deploy than having to deal with VMware images and updating.

Before we proceed with this option, I wanted to gauge the list's thoughts on
this approach.  If we made this option available, would you use it?

Please provide feedback as we would like to test this option ASAP.

Thanks,
Ryan Barnett
WASC Distributed Web Honeypot Project Leader
