[Owasp_wasc_distributed_web_honeypots_project] How to Release Data to the Community?
jim.manico at owasp.org
Fri Apr 10 18:50:13 UTC 2015
I'd love an RSS feed or just auto-posting to an email list. Some way where
it gets pushed to me and others automatically when something pops up
would be awesome.
I am lurking but am stoked you moved WHID and this project to OWASP.
I'll engage more when I have a spare moment. :)
PS: I actually teach this in class now:
"I do not use or believe in WAFs unless Ryan Barnett is personally
managing my WAF, then I'll be super cool with it" - Jim's rule of WAF
On 4/10/15 12:12 PM, Ryan Barnett wrote:
> Anyone have any feedback? The list is awfully quiet… so I am not
> sure if this is reaching everyone.
> We want to figure out how to release info to the community. As an
> example – just yesterday I was looking at events in the central
> logging host and I saw what appeared to be a new ShellShock worm.
> Then today, I see this blog post -
> http://www.volexity.com/blog/?p=118. They beat us to it :( This was
> the exact traffic I was seeing in our central logging host but we
> didn't get info out fast enough.
> If anyone has ideas about the best methods/processes to use, please
> speak up.
> From: Ryan Barnett <ryan.barnett at owasp.org>
> Date: Wednesday, April 8, 2015 at 1:20 PM
> To: <Owasp_wasc_distributed_web_honeypots_project at lists.owasp.org>
> Cc: Jim Manico <jim.manico at owasp.org>
> Subject: How to Release Data to the Community?
> Hello everyone,
> As I am starting to look through the central logging Console host
> at the data we are receiving, I am struck with our next issue…
> which is how to release information. I can easily do this -
> https://twitter.com/OwaspHoneypots/status/585147356410155009 - but
> that seems incomplete and not of much actionable intel. I wanted
> to start up a discussion around different options for providing
> data back to the community around this project. I see a number of
> options –
> 1. Periodic “Status Reports” - these could be based on standard
> time intervals such as Quarterly reports, etc… This could
> include interesting statistics of the captured data such as top
> attacker sources, tools used, vulns targeted.
> 2. “Emerging Attack” Reports – these would be released on-demand
> if we spot new, interesting attacks.
> 3. Deep-analysis Reports – that could look deeper into
> correlating data – perhaps taking a look at distributed brute
> force scanning efforts or botnet activity, etc…
> These are just some ideas of possible reporting options. Another
> topic would be what technology to best use to distribute the data?
> I see a number of options -
> 1. We can certainly post files to the OWASP project page.
> 2. We can also send out data here on the mail-list.
> 3. We can also send out alerts through the Twitter account
> 4. I would also like to look into possibly having access to the
> OWASP blog (http://owasp.blogspot.com/) to post content. I
> envision something similar to the SANS Internet Storm Center
> Handler Diary (https://isc.sans.edu/diaryarchive.html) where
> we can post stories.
> 5. I also created this GitHub Repo -
> This may also be a good location for us to upload
> sanitized (meaning we REDACT the honeypot hostname/IP data)
> ModSecurity audit event data (which you can download from the
> central logging host). This could become an outstanding
> repository of real-world web attack data intelligence that
> community users could leverage.
> These are just some ideas and I would love feedback.
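Option 5 in the quoted mail calls for redacting the honeypot hostname/IP before ModSecurity audit events are published. The script below is added here as an illustration of that sanitization step; it is not part of the project's tooling. It works on the ModSecurity 2.x serial audit-log format, where part A carries `[timestamp] unique_id source_ip source_port dest_ip dest_port` and part H rule messages carry a `[hostname "..."]` tag, and it deliberately keeps the attacker-side data (source IP, unique ID, request line, rule messages) that the reports are meant to share. The sample log is constructed: RFC 5737 documentation addresses, made-up unique IDs, a made-up rule id 900001 and rule file path.

```python
"""Redact the honeypot's own hostname/IP from ModSecurity 2.x serial audit-log entries.

Added illustration for this thread, not the project's own code. Assumes the
native serial layout: part A is the summary line, part B holds the raw
request headers (including Host), part H holds rule messages with a
[hostname "..."] tag, and each entry is closed by a -Z-- boundary.
"""
import re
from typing import Dict, List, Tuple

IP_PLACEHOLDER = "REDACTED_HONEYPOT_IP"
HOST_PLACEHOLDER = "redacted.honeypot"

# Part A summary line: [timestamp] unique_id source_ip source_port dest_ip dest_port
PART_A_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<src>\S+) (?P<sport>\d+) "
    r"(?P<dst>\S+) (?P<dport>\d+)$",
    re.MULTILINE,
)
# Host request header in part B; the value may carry a :port suffix.
HOST_HDR_RE = re.compile(r"^Host:[ \t]*(?P<host>\S+)[ \t]*$", re.MULTILINE | re.IGNORECASE)
# Boundary line that opens each entry: --<id>-A--
ENTRY_START_RE = re.compile(r"^--[0-9A-Za-z]+-A--$", re.MULTILINE)

# Constructed sample (two entries, RFC 5737 addresses, made-up IDs and rule metadata).
SAMPLE_AUDIT_LOG = """--c0ffee01-A--
[10/Apr/2015:16:20:05 +0000] VSfq5H8AAQEAAGhJCwkAAAAA 203.0.113.45 51234 192.0.2.10 80
--c0ffee01-B--
GET /cgi-bin/status HTTP/1.1
Host: honeypot-01.example.org
User-Agent: curl/7.38.0

--c0ffee01-F--
HTTP/1.1 404 Not Found
Content-Length: 0

--c0ffee01-H--
Message: Warning. Matched phrase "/cgi-bin/" at REQUEST_URI. [file "/etc/modsecurity/rules.conf"] [line "12"] [id "900001"] [msg "Probe of CGI directory"] [hostname "honeypot-01.example.org"] [uri "/cgi-bin/status"] [unique_id "VSfq5H8AAQEAAGhJCwkAAAAA"]
Engine-Mode: "DETECTION_ONLY"

--c0ffee01-Z--
--c0ffee02-A--
[10/Apr/2015:16:21:44 +0000] VSfrCH8AAQEAAGhJCwoAAAAB 198.51.100.23 40022 192.0.2.11 80
--c0ffee02-B--
GET / HTTP/1.1
Host: 192.0.2.11

--c0ffee02-Z--
"""


def split_entries(audit_log: str) -> List[str]:
    """Split a serial audit log into entries, each starting at its part A boundary."""
    starts = [m.start() for m in ENTRY_START_RE.finditer(audit_log)]
    return [audit_log[a:b] for a, b in zip(starts, starts[1:] + [len(audit_log)])]


def _replace_token(text: str, token: str, placeholder: str) -> str:
    # Whole-token replacement only, so 192.0.2.1 does not swallow 192.0.2.10.
    pattern = r"(?<![\w.:-])" + re.escape(token) + r"(?![\w.-])"
    return re.sub(pattern, placeholder, text)


def sanitize_entry(entry: str) -> Tuple[str, Dict[str, str]]:
    """Replace the honeypot's destination IP and Host name wherever they occur.

    The attacker's source IP is kept on purpose: it is the intelligence the
    thread wants to publish. Returns (sanitized_entry, {secret: placeholder}).
    """
    m = PART_A_RE.search(entry)
    if m is None:
        raise ValueError("entry has no ModSecurity part A summary line")
    secrets = {m.group("dst"): IP_PLACEHOLDER}
    h = HOST_HDR_RE.search(entry)
    if h is not None:
        # Strip an optional :port; if Host is the IP itself, keep the IP placeholder.
        secrets.setdefault(h.group("host").split(":")[0], HOST_PLACEHOLDER)
    out = entry
    for value, placeholder in secrets.items():
        out = _replace_token(out, value, placeholder)
    return out, secrets


def sanitize_log(audit_log: str) -> str:
    """Sanitize every entry and refuse to return output in which a secret survived."""
    pieces = []
    for entry in split_entries(audit_log):
        clean, secrets = sanitize_entry(entry)
        for value in secrets:
            if _replace_token(clean, value, "") != clean:
                raise RuntimeError(f"redaction check failed for {value!r}")
        pieces.append(clean)
    return "".join(pieces)


if __name__ == "__main__":
    print(sanitize_log(SAMPLE_AUDIT_LOG))
```

The post-redaction check in `sanitize_log` is the part worth keeping in any real pipeline: the script should fail loudly rather than publish an entry in which the honeypot's address slipped through in a field the regexes did not anticipate.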