[Owasp_wasc_distributed_web_honeypots_project] How to Release Data to the Community?

Fabrizio Tivano fabrizio at fuertek.net
Sat Apr 11 08:59:08 UTC 2015

Hi Ryan,

Sorry for the late reply, but in this last week I had just time to
put sensor in operation on a physical appliance directly connected to
a public IP, did not enough time to "reverse engineer"  the sensor,
I mean to understand how exactly it work, maybe could you drop
me some docs links ?

Apologize for off topic preamble :)

Talking about reporting actions, I agree whit your ideas;
looks a good way to start and maybe in the future we could add some
other reports.
Off course the best way to release infos is to posting on the
OWASP project page as well as on the blog, for related discussions;
however before to post informations I think i better to analyze them,
maybe using mailing list. I agree on point 4 and 5.

I would like to have a look at central logging console,
probably I'll have some ideas, could
you please give me access.


2015-04-10 19:12 GMT+02:00 Ryan Barnett <ryan.barnett at owasp.org>:

> Anyone have any feedback?  The list is awefully quite… so I am not sure if
> this is reaching everyone.
> We want to figure how how to release info to the community.  As an example
> – just yesterday I was looking at events in the central logging host and I
> saw what appeared to be a new ShellShock worm.  Then today, I see this blog
> post - http://www.volexity.com/blog/?p=118.  They beat us to it :(  This
> was the exact traffic I was seeing in our central logging host but we
> didn't get info out fast enough.
> If anyone has ideas about the best methods/processes to use, please speak
> up.
> Cheers,
> Ryan
> From: Ryan Barnett <ryan.barnett at owasp.org>
> Date: Wednesday, April 8, 2015 at 1:20 PM
> To: <Owasp_wasc_distributed_web_honeypots_project at lists.owasp.org>
> Cc: Jim Manico <jim.manico at owasp.org>
> Subject: How to Release Data to the Community?
> Hello everyone,
> As I am starting to look through the central logging Console host at the
> data we are receiving, I am struck with our next issue…  Which is out to
> release information.   I can easily do this -
> https://twitter.com/OwaspHoneypots/status/585147356410155009 - but that
> seems incomplete and not of much actionable intel.   I wanted to start up a
> discussion around different options for providing data back to the
> community around this project.  I see a number of options –
>    1. Periodic “Status Reports” - these could be based on standard time
>    intervals such as Quarterly reports, etc…  This could include intresting
>    statistics of the captured data such as top attacker sources, tools used,
>    vulns targeted.
>    2. “Emerging Attack” Reports – these would be released on-demand if we
>    spot new, interesting attacks.
>    3. Deep-analysis Reports – that could look deeper into correlating
>    data – perhaps taking a look at distributed brute force scanning efforts or
>    botnet activity, etc…
> These are just some ideas of possible reporting options.  Another topic
> would be what technology to best use to distribute the data?  I see a
> number of options -
>    1. We can certainly post files to the OWASP project page.
>    2. We can also send out data here on the mail-list.
>    3. We can also send out alerts through the Twitter account (
>    https://twitter.com/OwaspHoneypots).
>    4. I would also like to look into possibly having access to the OWASP
>    blog (http://owasp.blogspot.com/) to post content.  I envision
>    something simialr to the SANS Internet Storm Center Handler Diary (
>    https://isc.sans.edu/diaryarchive.html) where we can post stories.
>    5. I also created this GitHub Repo -
>    https://github.com/SpiderLabs/owasp-distributed-web-honeypots.  This
>    may also be a good location for us to upload sanitized (meaning we
>    REDACT the honeypot hostname/IP data) ModSecurity audit event data (which
>    you can download from the central logging host).  This could become an
>    outstanding repository of real-world web attack data intelligence that
>    community users could leverage.
> These are just some ideas and I would love feedback.
> Thanks,
> Ryan
> _______________________________________________
> Owasp_wasc_distributed_web_honeypots_project mailing list
> Owasp_wasc_distributed_web_honeypots_project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_wasc_distributed_web_honeypots_project
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp_wasc_distributed_web_honeypots_project/attachments/20150411/7c671e03/attachment.html>

More information about the Owasp_wasc_distributed_web_honeypots_project mailing list