The Web Application Security Consortium

Distributed Open Proxy Honeypots

This version was saved 15 years, 8 months ago View current version Page history

Saved by
on February 11, 2010 at 6:40:45 am

Quick Links

Quick Links
Project Overview
Project Status
Project Leader
Project Contributors
Project Sponsors
Frequently Asked Questions (FAQ)
How to Participate
Current Threat Reports
1. Weekly Stat Reports
2. Events of Interest
Previous Threat Reports
Project In The News
1. Phase III
2. Phase II
Related Projects and Recommended Reading

Project Overview

From a counter-intelligence perspective, standard honeypot/honeynet technologies have not bared much fruit in the way of web attack data. Web-based honeypots have not been as successful as OS level or other honeypot applications (such as SMTP) due to the lack of their perceived value. Deploying an attractive honeypot web site is a complicated, time-consuming task. Other than a Script Kiddie probing for an easy defacement or an indiscriminant worm, you just won't get much traffic.

So the question is - How can we increase our traffic, and thus, our chances of obtaining valuable web attack reconnaissance?

This project will use one of the web attacker's most trusted tools against them - the Open Proxy server. Instead of being the target of the attacks, we opt to be used as a conduit of the attack data in order to gather our intelligence. By deploying multiple, specially configured open proxy server (or proxypot), we aim to take a birds-eye look at the types of malicious traffic that traverse these systems. The honeypot systems will conduct real-time analysis on the HTTP traffic to categorize the requests into threat classifications outlined by the Web Security Threat Classification and report all logging data to a centralized location.

Project Status

Phase III has begun. We started deploying sensors on July 27th.

Project Leader

If you would like to be involved with the project, please contact the project leader - Ryan Barnett (rcbarnettgmail.com).

Project Contributors

Robert Auger Michael Menefee Bill Pennington William Salusky Nick Malecky Kurt Grutzmacher Matt Nelson

Daniel Cuthbert Mike Schiffman Chris Luhman Mike Klingler Andrew Lamb Anton Chuvakin Jasper Wonnick

Pete LeMay Raffael Marty Aaron Weaver Dan Azzariti Amachai Shulman Jeremiah Grossman Rafael Dreher

Rodrigo Montoro Ralph Thomas Michael Renzmann Mike Eynon Michele Orru' Ivan Ristic Spiros Antonatos

Thorsten Holz Trey Ford Peter Guerra Laura Mather Craig Valli Erwin Geirnaert Albert Gonzalez

Sandeep D. Andre Protas Sebastien Gioria Time McGuire Travis Schack Sutapa Dey Sebastien Garcia

Mark Angel Bogdan Calin Roman Medina-Heigl Hernandez Fabio Sam Stover Stan Scalsky Garth Somerville

Prince Kholi Apurv Singh Mark Ryan del Moral Talabis Tomasz Sawiak Mike Shinn Michael Miller Scott Scheferman

Laurent Oudot Bjoern Weiland Brian Rectanus Michael Condon Billly Rios Robert Hansen

Project Sponsors

The central log host and development of the VMware honeypot images were provided by Breach Security Labs.

Frequently Asked Questions (FAQ)

To find out more information about the project - please see the FAQ

How to Participate

There are two ways to participate:

Deploy a honeypot sensor

You can participate by deploying the WASC Open Proxy Honyepot sensor on your own network. WASC has created a VMware image of the standard sensor. This image includes all of the software to quickly get your sensor up and running with little configuration on the end user's part. You must contact the project leader via email in order to participate. You will then recieve the link location to download the VMware image. You will need to have the free version of VMware player or Server. If you would like to deploy a honeypot sensor, include the following details in your email to the project leader:

Sensor Point of Contact (POC) name
Source IP address that the logs will be coming from
Geographic location (Country, State, Locality)
Network Block Owner

The Project Leader will send back an email with instructions for downloading the VMware honeypot image data and the OS root credentials. The VMware host is configured with dhcp, so after you login, verify that the host has successfully obtained an IP address. The Project Leader will also provide you with the ModSecurity log agent credentials you will need to authenticate when sending your log data. ModSecurity uses a C program called mlogc located in the /usr/local/apache/conf/ directory. This program will take the data generated by the ModSecurity concurrent audit log and uses HTTP PUT requests to upload the individual audit_log files to the central console host. Each WASC honeypot sensor will have a unique username/password combination. The file that you will need to update is /opt/wasc-honeypot/etc/mlogc.conf. The final step is to start up the apache web server - /etc/init.d/wasc-honeypot-ctl.sh start. You should then review the log files to ensure that they everything is working properly.

Data analysis

Even if you do not deploy a honeypot sensor, we need help with data analysis for the capture traffic. We will provide access to the ModSecurity Management Appliance (MMA) web interface to all project participants. The MMA has built in searching and reporting functions that may be used for batch analysis. We will provide all project participants with a reporting procedure so that we have a consistent process for vetting data prior to releasing to the public.