[Owasp_wasc_distributed_web_honeypots_project] How to Release Data to the Community?

Ryan Barnett ryan.barnett at owasp.org
Fri Apr 10 17:12:34 UTC 2015


Anyone have any feedback?  The list is awfully quiet... so I am not sure if
this is reaching everyone.

We want to figure out how to release info to the community.  As an example -
just yesterday I was looking at events in the central logging host and I saw
what appeared to be a new ShellShock worm.  Then today, I see this blog post
- http://www.volexity.com/blog/?p=118.  They beat us to it :(  This was the
exact traffic I was seeing in our central logging host but we didn't get
info out fast enough.

If anyone has ideas about the best methods/processes to use, please speak
up.

Cheers,
Ryan

From:  Ryan Barnett <ryan.barnett at owasp.org>
Date:  Wednesday, April 8, 2015 at 1:20 PM
To:  <Owasp_wasc_distributed_web_honeypots_project at lists.owasp.org>
Cc:  Jim Manico <jim.manico at owasp.org>
Subject:  How to Release Data to the Community?

> Hello everyone,
> As I am starting to look through the central logging Console host at the data
> we are receiving, I am struck with our next issue...  Which is how to release
> information.   I can easily do this -
> https://twitter.com/OwaspHoneypots/status/585147356410155009 - but that seems
> incomplete and not of much actionable intel.   I wanted to start up a
> discussion around different options for providing data back to the community
> around this project.  I see a number of options -
> 1. Periodic "Status Reports" - these could be based on standard time intervals
> such as Quarterly reports, etc...  This could include interesting statistics of
> the captured data such as top attacker sources, tools used, vulns targeted.
> 2. "Emerging Attack" Reports - these would be released on-demand if we spot
> new, interesting attacks.
> 3. Deep-analysis Reports - that could look deeper into correlating data -
> perhaps taking a look at distributed brute force scanning efforts or botnet
> activity, etc...
> These are just some ideas of possible reporting options.  Another topic would
> be what technology to best use to distribute the data?  I see a number of
> options -
> 1. We can certainly post files to the OWASP project page.
> 2. We can also send out data here on the mail-list.
> 3. We can also send out alerts through the Twitter account
> (https://twitter.com/OwaspHoneypots).
> 4. I would also like to look into possibly having access to the OWASP blog
> (http://owasp.blogspot.com/) to post content.  I envision something similar to
> the SANS Internet Storm Center Handler Diary
> (https://isc.sans.edu/diaryarchive.html) where we can post stories.
> 5. I also created this GitHub Repo -
> https://github.com/SpiderLabs/owasp-distributed-web-honeypots.  This may also
> be a good location for us to upload sanitized (meaning we REDACT the honeypot
> hostname/IP data) ModSecurity audit event data (which you can download from
> the central logging host).  This could become an outstanding repository of
> real-world web attack data intelligence that community users could leverage.
> These are just some ideas and I would love feedback.
> 
> Thanks,
> Ryan
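
The sanitizing step from option 5 of the quoted message (redacting the honeypot hostname/IP from ModSecurity audit event data before upload), sketched in Python as an added example that is not part of this thread or of the project's code. It assumes the ModSecurity 2.x serial audit log layout; the sample entry, addresses, hostname and function names are constructed for illustration.

```python
import re

# Constructed sample entry in ModSecurity 2.x serial audit-log layout (not project data).
SAMPLE = """--a1b2c3d4-A--
[10/Apr/2015:17:00:01 +0000] VSf0aH8AAAEAAFooBb0AAAAA 203.0.113.7 51234 198.51.100.20 80
--a1b2c3d4-B--
GET /cgi-bin/status HTTP/1.1
Host: honeypot1.example.org:80
User-Agent: constructed-scanner/1.0

--a1b2c3d4-H--
Message: Warning. Pattern match at REQUEST_URI. [hostname "honeypot1.example.org"]
--a1b2c3d4-Z--
"""

BOUNDARY = re.compile(r"^--[0-9a-fA-F]+-([A-Z])--$")
# Section A: [timestamp] unique_id src_ip src_port dst_ip dst_port
SECTION_A = re.compile(r"^\[[^\]]+\] \S+ \S+ \d+ (\S+) \d+$")
HOST_HEADER = re.compile(r"^Host:\s*(\S+)", re.IGNORECASE)


def sensor_identifiers(text):
    """Collect the honeypot's own IP (section A) and hostname (Host header)."""
    found, section = set(), None
    for line in text.splitlines():
        marker = BOUNDARY.match(line)
        if marker:
            section = marker.group(1)
        elif section == "A" and SECTION_A.match(line):
            found.add(SECTION_A.match(line).group(1))
        elif section == "B" and HOST_HEADER.match(line):
            # Drop an optional :port so the bare name is redacted everywhere.
            found.add(re.sub(r":\d+$", "", HOST_HEADER.match(line).group(1)))
    return found


def redact_audit_log(text, placeholder="REDACTED"):
    """Replace every occurrence of the sensor identifiers; attacker data is kept."""
    for ident in sorted(sensor_identifiers(text), key=len, reverse=True):
        # Alphanumeric guards stop 198.51.100.20 from matching inside 198.51.100.200.
        pattern = r"(?<![0-9A-Za-z])" + re.escape(ident) + r"(?![0-9A-Za-z])"
        text = re.sub(pattern, placeholder, text)
    return text


if __name__ == "__main__":
    print(redact_audit_log(SAMPLE))
```

The identifiers are learned from sections A and B and then replaced in every section, because the sensor hostname also appears in the rule messages of section H.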

