[Owasp_wasc_distributed_web_honeypots_project] How to Release Data to the Community?

Ryan Barnett ryan.barnett at owasp.org
Sun Apr 12 14:39:40 UTC 2015


FYI ­ I added some data about the ShellShock Worm to the Git repo here -
https://github.com/SpiderLabs/owasp-distributed-web-honeypots/tree/master/Sh
ellShock-Worm.  A few things to notice ­ I exported a couple ModSecurity
audit events from the central console and sanitized the Honeypot IP/Host
header data.  I also grabbed the reference remote code/files.

I agree that we need to work out some process flows of quickly analyzing
events, generating ³initial² community alerts and then follow-up with deeper
analysis.  We should look to utilize the OWASP blog but I also agree that we
should try and put all report data within our Project page on the OWASP
wiki.  That will help to drive page-views so people will constantly be
checking our pages to new info.

-Ryan

From:  Jon Gorrono <jpgorrono at ucdavis.edu>
Date:  Sunday, April 12, 2015 at 12:26 AM
To:  Ryan Barnett <ryan.barnett at owasp.org>
Cc:  <Owasp_wasc_distributed_web_honeypots_project at lists.owasp.org>, Jim
Manico <jim.manico at owasp.org>
Subject:  Re: [Owasp_wasc_distributed_web_honeypots_project] How to Release
Data to the Community?

> 
> 
> WRT the reporting content, all three options seem to be orthogonal, with
> different periodicity and depth. +1 to all three :)
> 
> WRT the reporting platform, I would favor 4 (with rss) and 5
> 
> 
> On Wed, Apr 8, 2015 at 10:20 AM, Ryan Barnett <ryan.barnett at owasp.org> wrote:
>> Hello everyone,
>> As I am starting to look through the central logging Console host at the data
>> we are receiving, I am struck with our next issueŠ  Which is out to release
>> information.   I can easily do this -
>> https://twitter.com/OwaspHoneypots/status/585147356410155009 - but that seems
>> incomplete and not of much actionable intel.   I wanted to start up a
>> discussion around different options for providing data back to the community
>> around this project.  I see a number of options ­
>> 1. Periodic ³Status Reports² - these could be based on standard time
>> intervals such as Quarterly reports, etcŠ  This could include intresting
>> statistics of the captured data such as top attacker sources, tools used,
>> vulns targeted.
>> 2. ³Emerging Attack² Reports ­ these would be released on-demand if we spot
>> new, interesting attacks.
>> 3. Deep-analysis Reports ­ that could look deeper into correlating data ­
>> perhaps taking a look at distributed brute force scanning efforts or botnet
>> activity, etcŠ
>> These are just some ideas of possible reporting options.  Another topic would
>> be what technology to best use to distribute the data?  I see a number of
>> options -
>> 1. We can certainly post files to the OWASP project page.
>> 2. We can also send out data here on the mail-list.
>> 3. We can also send out alerts through the Twitter account
>> (https://twitter.com/OwaspHoneypots).
>> 4. I would also like to look into possibly having access to the OWASP blog
>> (http://owasp.blogspot.com/) to post content.  I envision something simialr
>> to the SANS Internet Storm Center Handler Diary
>> (https://isc.sans.edu/diaryarchive.html) where we can post stories.
>> 5. I also created this GitHub Repo -
>> https://github.com/SpiderLabs/owasp-distributed-web-honeypots.  This may also
>> be a good location for us to upload sanitized (meaning we REDACT the honeypot
>> hostname/IP data) ModSecurity audit event data (which you can download from
>> the central logging host).  This could become an outstanding repository of
>> real-world web attack data intelligence that community users could leverage.
>> These are just some ideas and I would love feedback.
>> 
>> Thanks,
>> Ryan
>> 
>> _______________________________________________
>> Owasp_wasc_distributed_web_honeypots_project mailing list
>> Owasp_wasc_distributed_web_honeypots_project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp_wasc_distributed_web_honeypots
>> _project
>> 
> 
> 
> 
> -- 
> Jon Gorrono
> PGP Key: 0x5434509D -
> http{pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index
> <http://pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index> }
> http{middleware.ucdavis.edu <http://middleware.ucdavis.edu> }


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp_wasc_distributed_web_honeypots_project/attachments/20150412/24fffac2/attachment.html>


More information about the Owasp_wasc_distributed_web_honeypots_project mailing list