log inhelp

View
 

Distributed Web Honeypots

Page history last edited by Ryan Barnett 1 month ago

  1. Project Overview
  2. Project Status
  3. Project Leader
  4. Project Contributors
  5. Project Sponsors
  6. Keep Track of Distributed Web Honeypot Updates
    1. Twitter Feed
  7. Frequently Asked Questions (FAQ)
  8. How to Participate
  9. Current Threat Reports
    1. Weekly Statistic Report
    2. Events of Interest
  10. Previous Threat Reports
    1. Phase I
    2. Phase II: Web Security Threat Report, Volume 2: November 2007
    3. Web Security Threat Report, Volume 2: November 2007 - Video at WASC/OWASP AppSec Conf (Presented by Ryan Barnett)
  11. Project In The News
    1. Phase III
    2. Phase II
  12. Related Projects and Recommended Reading

 

Project Overview

The goal of the Distributed Web Honeypot (DWH) Project is to identify emerging attacks against web applications and report them to the community.  This may include automated scanning activity, probes, as well as, targeted attacks against specific web sites or applications.  The scope of this project has recently been expanded to include deployment of both standard web application honeypots and/or open proxy honeypots.  Project participants may choose whether they want to run their honeypot as an open proxy or a stand-alone sensor.

 

Project Status

Currently looking for participants.

 

Project Leader

If you would like to be involved with the project, please contact the project leader - Ryan Barnett (rcbarnettgmail.com).

 

Project Contributors

 

Robert Auger Michael Menefee Bill Pennington William Salusky Nick Malecky Kurt Grutzmacher Matt Nelson
Daniel Cuthbert Mike Schiffman Chris Luhman Mike Klingler Andrew Lamb Anton Chuvakin Jasper Wonnick
Pete LeMay Raffael Marty Aaron Weaver Dan Azzariti Amachai Shulman Jeremiah Grossman Rafael Dreher
Rodrigo Montoro Ralph Thomas Michael Renzmann Mike Eynon Michele Orru' Ivan Ristic Spiros Antonatos
Thorsten Holz Trey Ford Peter Guerra Laura Mather Craig Valli Erwin Geirnaert Albert Gonzalez
Sandeep D. Andre Protas Sebastien Gioria Time McGuire Travis Schack Sutapa Dey Sebastien Garcia
Mark Angel Bogdan Calin Roman Medina-Heigl Hernandez Fabio Sam Stover Stan Scalsky Garth Somerville
Prince Kholi Apurv Singh Mark Ryan del Moral Talabis Tomasz Sawiak Mike Shinn Michael Miller Scott Scheferman
Laurent Oudot Bjoern Weiland Brian Rectanus Michael Condon Billly Rios Robert Hansen  

 

 

Project Sponsors

The central log hosts and development of the VMware honeypot images were provided by Trustwave's SpiderLabs.

 

 

Keep Track of Distributed Web Honeypot Updates

Twitter Feed

@waschoneypots

 

Twitter / waschoneypots

waschoneypots: [Honeypot Alert] PhpMyAdmin setup.php RFI Attacks Detected - http://t.co/bOqINHNSwaschoneypots: Some typical IRC tunneling attempts - CONNECT irc.austnet.org:6667 HTTP/1.0waschoneypots: New Sensors are coming online. First alerts coming in...waschoneypots: RT @jwallorg: The AuditConsole has become part of the WASC #Honeypot Project http://t.co/tXjaZGDz #modsecuritywaschoneypots: w00t - launching the next phase of the WASC Distributed Web Honeypots Project today - http://t.co/zb7ujXTS < looking for contributorswaschoneypots: Working on the new honeypot VMs :) Gonna relauch the project soon....waschoneypots: Status update - we are working on the new central logging host for the project. We will be launching the next phase soon!waschoneypots: Interesting project - GlastopfNG (web attacks honeypot) http://tinyurl.com/3x5zm9g Might look at adding this to our vm imagewaschoneypots: Announcing expanded project focus and name - Distributed Web Honeypots Project - http://bit.ly/9B6rNt - beyond open proxy honeypotswaschoneypots: RT @ryancbarnett: Spammers using Twitter's Update Status API: Submitted by Ryan Barnett 06/21/2010I was reviewing the logs over at o... ...

 

 

WASC Honeypots Project Mail-list - Sign-up and Archives

 

Frequently Asked Questions (FAQ)

To find out more information about the project - please see the FAQ

 

How to Participate

There are two ways to participate:

 

  1. Deploy a honeypot sensor

You can participate by deploying the WASC Web Honyepot sensor on your own network. WASC has created a VMware image of the standard sensor. This image includes all of the software to quickly get your sensor up and running with little configuration on the end user's part. You must contact the project leader via email in order to participate. You will then recieve the link location to download the VMware image.  You will need to have the free version of VMware player or Server.  If you would like to deploy a honeypot sensor, include the following details in your email to the project leader:

 

  • Sensor Point of Contact (POC) name
  • Source IP address that the logs will be coming from
  • Geographic location (Country, State, Locality)
  • Network Block Owner

 

The Project Leader will send back an email with instructions for downloading the VMware honeypot image data and the OS root credentials. The VMware host is configured with dhcp, so after you login, verify that the host has successfully obtained an IP address. The Project Leader will also provide you with the ModSecurity log agent credentials you will need to authenticate when sending your log data. ModSecurity uses a C program called mlogc located in the /usr/local/apache/conf/ directory. This program will take the data generated by the ModSecurity concurrent audit log and uses HTTP PUT requests to upload the individual audit_log files to the central console host. Each WASC honeypot sensor will have a unique username/password combination. The file that you will need to update is /opt/wasc-honeypot/etc/mlogc.conf.  The final step is to start up the apache web server - /etc/init.d/wasc-honeypot-ctl.sh start. You should then review the log files to ensure that they everything is working properly.

 

  1. Data analysis

Even if you do not deploy a honeypot sensor, we need help with data analysis for the capture traffic.  We will provide access to the ModSecurity Management Appliance (MMA) web interface to all project participants.  The MMA has built in searching and reporting functions that may be used for batch analysis.  We will provide all project participants with a reporting procedure so that we have a consistent process for vetting data prior to releasing to the public.

 

 

Current Threat Reports

 

Weekly Statistic Report

 

 

Events of Interest

XSS in User-Agent Header

Identifying Request Anomalies

Distributed Brute Force Attacks Against Yahoo

Apache Tomcat Admin Probes

 

Previous Threat Reports

The WASC Distributed Open Proxy Honeypot team will be releasing periodic threat reports of significant activity and trends.

 

Phase I

Web Security Threat Report, Volume 1: January - April 2007

 

 

Phase II: Web Security Threat Report, Volume 2: November 2007

 

 

 

Web Security Threat Report, Volume 2: November 2007 - Video at WASC/OWASP AppSec Conf (Presented by Ryan Barnett)

 

 

 

Project In The News

 

Phase III

WASC Honeypot Opens Up With Open Source

 

 

Phase II

InfoWorld - Malware honeypots wait for '08

TechWorld - Researchers eye open-proxy attacks

 

 

Related Projects and Recommended Reading

 

Comments (0)

You don't have permission to comment on this page.

PDF version