Greetings everyone,
It has been a looooooong time coming but I am excited to announce that we
will be moving forward with the next phase of the WASC Distributed Web
Honeypots Project! The main task for us has been to get a new central
logging host setup. We are not going to use the Trustwave SIEM as our
central host and we have it deployed in one of our DMZ segments and are
setting it up now in order to receive external data from sensors.
I have also been updating the VMware honeypot image so that it has the
latest/greatest ModSecurity code, CRS rules, etc.
During the course of internal discussion here in Trustwave's SpiderLabs
Research Team, we were discussing possible alternative approaches to
"Deploying a Sensor". Currently, we only give participants one option:
deploy the VMware image which will be a complete virtual host with
Apache/ModSecurity. What we came to realize, however, is that the majority
of participants are already running Apache web servers for other purposes.
So we thought why not add in some "sensor" type detection within your
existing Apache setups? The idea would be to simply add in some Apache
Listen directives -

    Listen 8000
    Listen 8080
    Listen 8888

You would then add in corresponding Apache vhost containers for these ports
and configure the Apache ErrorLog directive to use Syslog -

    <VirtualHost *:8000>
        DocumentRoot /www/example1-80
        ServerName www.example1.com
        ErrorLog syslog:local7
    </VirtualHost>

    <VirtualHost *:8080>
        DocumentRoot /www/example1-8080
        ServerName www.example2.com
        ErrorLog syslog:local7
    </VirtualHost>

    <VirtualHost *:8888>
        DocumentRoot /www/example2-80
        ServerName www.example3.org
        ErrorLog syslog:local7
    </VirtualHost>

If the website is using ModSecurity/CRS configured in the base server
context, then it will be inherited by these vhost containers. For port 80,
you could also add in a similar catch-all container at the end of their
vhost setups.
You would then just need to edit the /etc/syslog.conf settings to point the
local7 facility logs to the central SIEM IP address.
This approach is very similar to our original methodology and may be a bit
easier to deploy than having to deal with VMware images and updating.
Before we proceed with this option, I wanted to gauge the list's thoughts on
this approach. If we made this option available, would you use it?
Please provide feedback as we would like to test this option ASAP.
Thanks,
Ryan Barnett
WASC Distributed Web Honeypot Project Leader
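Once the local7 stream from the sensor vhosts reaches the central host, the receiving side has to split ModSecurity alerts out of ordinary Apache errors and attribute them to a sensor and vhost. The following is an added example, not code from the original post or from the honeypot project: it parses constructed syslog-forwarded ErrorLog lines of the shape the vhosts above would produce (sensor names, client addresses, rule ids and file paths are all assumed sample values).

```python
import re
from collections import Counter

LOCAL7 = 23  # syslog facility code for local7; PRI = facility * 8 + severity

# Constructed sample lines, not real sensor traffic: a ModSecurity/CRS alert,
# a plain Apache error from a sensor vhost, and an unrelated auth-facility line.
SAMPLE_LINES = [
    '<188>Oct 11 15:12:01 sensor-a apache2: [client 203.0.113.5] ModSecurity: '
    'Warning. Pattern match "(?i:union.*select)" at ARGS:id. '
    '[file "/etc/crs/modsecurity_crs_41_sql_injection_attacks.conf"] [line "50"] '
    '[id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] '
    '[hostname "www.example2.com"] [uri "/index.php"] [unique_id "TpSJ8H8AAAEAAB"]',
    '<187>Oct 11 15:12:09 sensor-b httpd: [client 198.51.100.7] File does not '
    'exist: /www/example2-80/phpMyAdmin',
    '<35>Oct 11 15:12:10 sensor-b sshd[2112]: Failed password for root from 198.51.100.7',
]

# <PRI>timestamp host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>(\w{3}\s+\d{1,2}\s[\d:]{8})\s(\S+)\s([^:\s\[]+)(?:\[\d+\])?:\s(.*)$")
CLIENT_RE = re.compile(r"\[client ([^\]\s]+)")
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')   # ModSecurity [key "value"] pairs


def parse_sensor_line(line):
    """Return a record for a local7 line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri, ts, sensor, tag, msg = m.groups()
    facility, severity = divmod(int(pri), 8)
    if facility != LOCAL7:
        return None  # not the facility the sensor vhosts log to
    client = CLIENT_RE.search(msg)
    return {"sensor": sensor, "tag": tag, "timestamp": ts,
            "syslog_severity": severity,
            "client": client.group(1) if client else None,
            "modsecurity": "ModSecurity:" in msg,
            "fields": dict(FIELD_RE.findall(msg))}


def alert_counts(lines):
    """Count ModSecurity alerts per (sensor, vhost, CRS rule id)."""
    counts = Counter()
    for rec in map(parse_sensor_line, lines):
        if rec and rec["modsecurity"]:
            f = rec["fields"]
            counts[(rec["sensor"], f.get("hostname", "?"), f.get("id", "?"))] += 1
    return counts
```

Lines from facilities other than local7 are dropped, so a misconfigured forwarder that ships a sensor's whole syslog stream does not pollute the honeypot view.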
Any comments to this idea? I had 1 person email me directly. If you only
want to deploy a VMware Sensor that is fine, just let me know either way.
Thanks,
Ryan
From: Ryan Barnett rcbarnett@gmail.com
Date: Tue, 11 Oct 2011 15:10:45 -0400
To: wasc-honeypots@lists.webappsec.org
Subject: New Honeypot Sensor Options