From a counter-intelligence perspective, standard honeypot/honeynet technologies have not bared much fruit in the way of web attack data. Web-based honeypots have not been as successful as OS level or other honeypot applications (such as SMTP) due to the lack of their perceived value. Deploying an attractive honeypot web site is a complicated, time-consuming task. Other than a Script Kiddie probing for an easy defacement or an indiscriminant worm, you just won't get much traffic.
So the question is - How can we increase our traffic, and thus, our chances of obtaining valuable web attack reconnaissance?
This project will use one of the web attacker's most trusted tools against them - the Open Proxy server. Instead of being the target of the attacks, we opt to be used as a conduit of the attack data in order to gather our intelligence. By deploying multiple, specially configured open proxy server (or proxypot), we aim to take a birds-eye look at the types of malicious traffic that traverse these systems. The honeypot systems will conduct real-time analysis on the HTTP traffic to categorize the requests into threat classifications outlined by the Web Security Threat Classification and report all logging data to a centralized location.
Project Status
Phase III has begun. We started deploying sensors on July 27th.
Project Leader
If you would like to be involved with the project, please contact the project leader - Ryan Barnett (rcbarnettgmail.com).
Project Contributors
Robert Auger
Michael Menefee
Bill Pennington
William Salusky
Nick Malecky
Kurt Grutzmacher
Matt Nelson
Daniel Cuthbert
Mike Schiffman
Chris Luhman
Mike Klingler
Andrew Lamb
Anton Chuvakin
Jasper Wonnick
Pete LeMay
Raffael Marty
Aaron Weaver
Dan Azzariti
Amachai Shulman
Jeremiah Grossman
Rafael Dreher
Rodrigo Montoro
Ralph Thomas
Michael Renzmann
Mike Eynon
Michele Orru'
Ivan Ristic
Spiros Antonatos
Thorsten Holz
Trey Ford
Peter Guerra
Laura Mather
Craig Valli
Erwin Geirnaert
Albert Gonzalez
Sandeep D.
Andre Protas
Sebastien Gioria
Time McGuire
Travis Schack
Sutapa Dey
Sebastien Garcia
Mark Angel
Bogdan Calin
Roman Medina-Heigl Hernandez
Fabio
Sam Stover
Stan Scalsky
Garth Somerville
Prince Kholi
Apurv Singh
Mark Ryan del Moral Talabis
Tomasz Sawiak
Mike Shinn
Michael Miller
Scott Scheferman
Laurent Oudot
Bjoern Weiland
Brian Rectanus
Michael Condon
Billly Rios
Robert Hansen
Project Sponsors
The central log host and development of the VMware honeypot images were provided by Breach Security Labs.
Frequently Asked Questions (FAQ)
To find out more information about the project - please see the FAQ
How to Participate
There are two ways to participate:
Deploy a honeypot sensor
You can participate by deploying the WASC Open Proxy Honyepot sensor on your own network. WASC has created a VMware image of the standard sensor. This image includes all of the software to quickly get your sensor up and running with little configuration on the end user's part. You must contact the project leader via email in order to participate. You will then recieve the link location to download the VMware image. You will need to have the free version of VMware player or Server. If you would like to deploy a honeypot sensor, include the following details in your email to the project leader:
Sensor Point of Contact (POC) name
Source IP address that the logs will be coming from
Geographic location (Country, State, Locality)
Network Block Owner
The Project Leader will send back an email with instructions for downloading the VMware honeypot image data and the OS root credentials. The VMware host is configured with dhcp, so after you login, verify that the host has successfully obtained an IP address. The Project Leader will also provide you with the ModSecurity log agent credentials you will need to authenticate when sending your log data. ModSecurity uses a C program called mlogc located in the /usr/local/apache/conf/ directory. This program will take the data generated by the ModSecurity concurrent audit log and uses HTTP PUT requests to upload the individual audit_log files to the central console host. Each WASC honeypot sensor will have a unique username/password combination. The file that you will need to update is /opt/wasc-honeypot/etc/mlogc.conf. The final step is to start up the apache web server - /etc/init.d/wasc-honeypot-ctl.sh start. You should then review the log files to ensure that they everything is working properly.
Data analysis
Even if you do not deploy a honeypot sensor, we need help with data analysis for the capture traffic. We will provide access to the ModSecurity Management Appliance (MMA) web interface to all project participants. The MMA has built in searching and reporting functions that may be used for batch analysis. We will provide all project participants with a reporting procedure so that we have a consistent process for vetting data prior to releasing to the public.
Comments (0)
You don't have permission to comment on this page.