[Owasp_wasc_distributed_web_honeypots_project] How to Release Data to the Community?

Paolo Luise paolo.luiseit at gmail.com
Sun Apr 12 10:01:20 UTC 2015

Hello All,

I agree with the need to publish "bulletins" out to the community to give
value to the project, and any report should be released fast enough.

However I think that there should be a review process for guaranteeing the
quality of the publications; for example, I'm not a senior analyst and I'm
building my experience day by day, so I'd appreciate a review from more
experienced analysts before releasing a write-up.

But this will introduce delays to the releases, so what could be a correct

In my mind it could be useful to define a standard report to be compiled
during the first analysis, which guides through the data gathering process,
and gives them all the same shape. The template should not be static and will
evolve thanks to the contribution and experience of the community.

In addition, these reports may be managed in a multi-stage fashion: to
allow the report compilation and release to be quick, it could be marked by
default as “new – pending review” state. Then, in some days (let's say for
example 7) it could pass to “confirmed” state if nobody in the community
has noted something new to be integrated, or something wrong to be
corrected. In this way there is no need for a defined approver and the
process goes on.

The reports can be released as pages of the OWASP project, and be
integrated at a later time with deeper analysis explanation on the blog.

I also find useful the possibility to upload events to the GitHub repo,
since for example I have in my production environment (for which I can't
redirect events to the central project console) some events that have still
not appeared on the honeypot sensors, maybe because it seems to be
targeting specifically European (in my case Italian) IPs. These events
indicate a worm that tries to exploit the ShellShock vulnerability, and the
scripts that it is programmed to download and execute are different from the
ones posted on the blog referred to by Ryan: they seem (there is a Perl and a
PHP variant) to be clients for an IRC bot, and have phrases in Spanish/Portuguese
and Romanian. I still have not had time to reverse engineer them deeply,
and if I could upload these events for others, maybe somebody has more
time to enjoy them ;-)


Date: Fri, 10 Apr 2015 13:12:34 -0400
From: Ryan Barnett <ryan.barnett at owasp.org>
To: <Owasp_wasc_distributed_web_honeypots_project at lists.owasp.org>
Cc: Jim Manico <jim.manico at owasp.org>
Subject: Re: [Owasp_wasc_distributed_web_honeypots_project] How to
        Release Data to the Community?
Message-ID: <D14D7C1D.138CD1%ryan.barnett at owasp.org>
Content-Type: text/plain; charset="iso-8859-1"

Anyone have any feedback?  The list is awfully quiet, so I am not sure if
this is reaching everyone.

We want to figure out how to release info to the community.  As an example -
just yesterday I was looking at events in the central logging host and I saw
what appeared to be a new ShellShock worm.  Then today, I see this blog post
- http://www.volexity.com/blog/?p=118.  They beat us to it :(  This was the
exact traffic I was seeing in our central logging host but we didn't get
info out fast enough.

If anyone has ideas about the best methods/processes to use, please speak


From:  Ryan Barnett <ryan.barnett at owasp.org>
Date:  Wednesday, April 8, 2015 at 1:20 PM
To:  <Owasp_wasc_distributed_web_honeypots_project at lists.owasp.org>
Cc:  Jim Manico <jim.manico at owasp.org>
Subject:  How to Release Data to the Community?

> Hello everyone,
> As I am starting to look through the central logging Console host at the
> we are receiving, I am struck with our next issue -  Which is out to
> information.   I can easily do this -
> https://twitter.com/OwaspHoneypots/status/585147356410155009 - but that
> incomplete and not of much actionable intel.   I wanted to start up a
> discussion around different options for providing data back to the
> around this project.  I see a number of options -
> 1. Periodic "Status Reports" - these could be based on standard time
> such as Quarterly reports, etc.  This could include interesting statistics
> the captured data such as top attacker sources, tools used, vulns
> 2. "Emerging Attack" Reports - these would be released on-demand if we
> new, interesting attacks.
> 3. Deep-analysis Reports - that could look deeper into correlating data -
> perhaps taking a look at distributed brute force scanning efforts or
> activity, etc.
> These are just some ideas of possible reporting options.  Another topic
> be what technology to best use to distribute the data?  I see a number of
> options -
> 1. We can certainly post files to the OWASP project page.
> 2. We can also send out data here on the mail-list.
> 3. We can also send out alerts through the Twitter account
> (https://twitter.com/OwaspHoneypots).
> 4. I would also like to look into possibly having access to the OWASP blog
> (http://owasp.blogspot.com/) to post content.  I envision something similar to
> the SANS Internet Storm Center Handler Diary
> (https://isc.sans.edu/diaryarchive.html) where we can post stories.
> 5. I also created this GitHub Repo -
> https://github.com/SpiderLabs/owasp-distributed-web-honeypots.  This may
> be a good location for us to upload sanitized (meaning we REDACT the
> hostname/IP data) ModSecurity audit event data (which you can download
> the central logging host).  This could become an outstanding repository of
> real-world web attack data intelligence that community users could
> These are just some ideas and I would love feedback.
> Thanks,
> Ryan
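
The redaction step Ryan describes for audit events uploaded to the GitHub repo, sketched as an added example (not code from the project or from anyone on this list). It assumes the ModSecurity 2.x serial audit log layout and takes "hostname/IP" to mean the sensor's destination IP from section A and its Host header value; the function names and the sample entry are constructed for illustration.

```python
import re

# Constructed sample entry (documentation-range addresses, not project data).
SAMPLE = """\
--4f2a9c1b-A--
[10/Apr/2015:13:12:34 +0000] VSgBqH8AAQEAAEd2AXkAAAAB 198.51.100.23 51544 192.0.2.10 80
--4f2a9c1b-B--
GET /cgi-bin/status HTTP/1.1
Host: sensor7.example.org
User-Agent: constructed-test-client

--4f2a9c1b-H--
Message: Warning. Pattern match at REQUEST_HEADERS. [hostname "sensor7.example.org"]
--4f2a9c1b-Z--
"""

# Section A: [timestamp] unique-id src-ip src-port dst-ip dst-port
SECTION_A = re.compile(
    r"^--[0-9a-fA-F]+-A--\n\[[^\]]+\] \S+ (\S+) \d+ (\S+) \d+$", re.M)
HOST_HDR = re.compile(r"^Host:[ \t]*(\S+)", re.M | re.I)

def split_entries(log):
    """Yield each entry, from its -A-- boundary through its -Z-- boundary."""
    pat = r"^--([0-9a-fA-F]+)-A--\n.*?^--\1-Z--\n?"
    for m in re.finditer(pat, log, re.M | re.S):
        yield m.group(0)

def scrub(text, value, label):
    """Replace value only as a whole token (192.0.2.10 must not hit 192.0.2.100)."""
    pat = r"(?<![\w.-])" + re.escape(value) + r"(?![\w-])"
    return re.sub(pat, label, text, flags=re.I)

def redact_entry(entry):
    """Redact the sensor IP and hostname wherever they occur in one entry."""
    head = SECTION_A.search(entry)
    if head is None:
        raise ValueError("no parsable section A header")
    host = HOST_HDR.search(entry)  # read before the IP is scrubbed
    entry = scrub(entry, head.group(2), "REDACTED-IP")
    if host:
        # Drop an optional :port so the bare name is also caught in section H
        bare = re.sub(r":\d+$", "", host.group(1))
        entry = scrub(entry, bare, "REDACTED-HOST")
    return entry

def redact_log(log):
    return "".join(redact_entry(e) for e in split_entries(log))

if __name__ == "__main__":
    print(redact_log(SAMPLE))
```

The hostname also appears in the section H rule messages, which is why the values are replaced across the whole entry rather than only in sections A and B; the attacker's source address is left intact.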