• If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • You already know Dokkio is an AI-powered assistant to organize & manage your digital files & messages. Very soon, Dokkio will support Outlook as well as One Drive. Check it out today!


Distributed Web Honeypots

Page history last edited by Ryan Barnett 11 years, 4 months ago


Project Overview

The goal of the Distributed Web Honeypot (DWH) Project is to identify emerging attacks against web applications and report them to the community.  This may include automated scanning activity, probes, as well as, targeted attacks against specific web sites or applications.  The scope of this project has recently been expanded to include deployment of both standard web application honeypots and/or open proxy honeypots.  Project participants may choose whether they want to run their honeypot as an open proxy or a stand-alone sensor.


Project Status

Currently looking for participants.


Project Leader

If you would like to be involved with the project, please contact the project leader - Ryan Barnett (rcbarnettgmail.com).


Active Project Contributors




Project Sponsors

The central log hosts and development of the VMware honeypot images were provided by Trustwave's SpiderLabs.



Keep Track of Distributed Web Honeypot Updates

Twitter Feed



Loading http://twitter.com/statuses/user_timeline/56785227.rss…



WASC Honeypots Project Mail-list - Sign-up and Archives


Frequently Asked Questions (FAQ)

To find out more information about the project - please see the FAQ


How to Participate

There are two ways to participate:


  1. Deploy a honeypot sensor

You can participate by deploying the WASC Web Honyepot sensor on your own network. WASC has created a VMware image of the standard sensor. This image includes all of the software to quickly get your sensor up and running with little configuration on the end user's part. You must contact the project leader via email in order to participate. You will then recieve the link location to download the VMware image.  You will need to have the free version of VMware player or Server.  If you would like to deploy a honeypot sensor, include the following details in your email to the project leader:


  • Sensor Point of Contact (POC) name
  • Source IP address that the logs will be coming from
  • Geographic location (Country, State, Locality)
  • Network Block Owner


The Project Leader will send back an email with instructions for downloading the VMware honeypot image data and the OS root credentials. The VMware host is configured with dhcp, so after you login, verify that the host has successfully obtained an IP address. The Project Leader will also provide you with the ModSecurity log agent credentials you will need to authenticate when sending your log data. ModSecurity uses a C program called mlogc located in the /usr/local/apache/conf/ directory. This program will take the data generated by the ModSecurity concurrent audit log and uses HTTP PUT requests to upload the individual audit_log files to the central console host. Each WASC honeypot sensor will have a unique username/password combination. The file that you will need to update is /opt/wasc-honeypot/etc/mlogc.conf.  The final step is to start up the apache web server - /etc/init.d/wasc-honeypot-ctl.sh start. You should then review the log files to ensure that they everything is working properly.


  1. Data analysis

Even if you do not deploy a honeypot sensor, we need help with data analysis for the capture traffic.  We will provide access to the ModSecurity Management Appliance (MMA) web interface to all project participants.  The MMA has built in searching and reporting functions that may be used for batch analysis.  We will provide all project participants with a reporting procedure so that we have a consistent process for vetting data prior to releasing to the public.



Current Threat Reports


Weekly Statistic Report



Events of Interest

XSS in User-Agent Header

Identifying Request Anomalies

Distributed Brute Force Attacks Against Yahoo

Apache Tomcat Admin Probes


Previous Threat Reports

The WASC Distributed Open Proxy Honeypot team will be releasing periodic threat reports of significant activity and trends.


Phase I

Web Security Threat Report, Volume 1: January - April 2007



Phase II: Web Security Threat Report, Volume 2: November 2007




Web Security Threat Report, Volume 2: November 2007 - Video at WASC/OWASP AppSec Conf (Presented by Ryan Barnett)




Project In The News


Phase III

WASC Honeypot Opens Up With Open Source



Phase II

InfoWorld - Malware honeypots wait for '08

TechWorld - Researchers eye open-proxy attacks



Related Projects and Recommended Reading


Comments (0)

You don't have permission to comment on this page.