[Owasp_wasc_distributed_web_honeypots_project] How to Release Data to the Community?

Jim Manico jim.manico at owasp.org
Fri Apr 10 18:50:13 UTC 2015


I'd love a RSS feed or just auto-posting to an email list. Someway where 
it gets pushed to me and others automatically when something pops up 
would be awesome.

I am lurking but an stoked you moved WHID and this project to OWASP. 
I'll engage more when I have a spare moment. :)

ALOHA RYAN,
Jim

PS: I Actually teach this in class now:

"I do not use or believe in WAF's unless Ryan Barnett is personally 
managing my WAF, them I'll super cool with it" - Jim's rule of WAF

On 4/10/15 12:12 PM, Ryan Barnett wrote:
> Anyone have any feedback?  The list is awefully quite… so I am not 
> sure if this is reaching everyone.
>
> We want to figure how how to release info to the community.  As an 
> example – just yesterday I was looking at events in the central 
> logging host and I saw what appeared to be a new ShellShock worm. 
>  Then today, I see this blog post - 
> http://www.volexity.com/blog/?p=118.  They beat us to it :(  This was 
> the exact traffic I was seeing in our central logging host but we 
> didn't get info out fast enough.
>
> If anyone has ideas about the best methods/processes to use, please 
> speak up.
>
> Cheers,
> Ryan
>
> From: Ryan Barnett <ryan.barnett at owasp.org 
> <mailto:ryan.barnett at owasp.org>>
> Date: Wednesday, April 8, 2015 at 1:20 PM
> To: <Owasp_wasc_distributed_web_honeypots_project at lists.owasp.org 
> <mailto:Owasp_wasc_distributed_web_honeypots_project at lists.owasp.org>>
> Cc: Jim Manico <jim.manico at owasp.org <mailto:jim.manico at owasp.org>>
> Subject: How to Release Data to the Community?
>
>     Hello everyone,
>     As I am starting to look through the central logging Console host
>     at the data we are receiving, I am struck with our next issue…
>      Which is out to release information.   I can easily do this -
>     https://twitter.com/OwaspHoneypots/status/585147356410155009 - but
>     that seems incomplete and not of much actionable intel.   I wanted
>     to start up a discussion around different options for providing
>     data back to the community around this project.  I see a number of
>     options –
>
>      1. Periodic “Status Reports” - these could be based on standard
>         time intervals such as Quarterly reports, etc…  This could
>         include intresting statistics of the captured data such as top
>         attacker sources, tools used, vulns targeted.
>      2. “Emerging Attack” Reports – these would be released on-demand
>         if we spot new, interesting attacks.
>      3. Deep-analysis Reports – that could look deeper into
>         correlating data – perhaps taking a look at distributed brute
>         force scanning efforts or botnet activity, etc…
>
>     These are just some ideas of possible reporting options.  Another
>     topic would be what technology to best use to distribute the data?
>      I see a number of options -
>
>      1. We can certainly post files to the OWASP project page.
>      2. We can also send out data here on the mail-list.
>      3. We can also send out alerts through the Twitter account
>         (https://twitter.com/OwaspHoneypots).
>      4. I would also like to look into possibly having access to the
>         OWASP blog (http://owasp.blogspot.com/) to post content.  I
>         envision something simialr to the SANS Internet Storm Center
>         Handler Diary (https://isc.sans.edu/diaryarchive.html) where
>         we can post stories.
>      5. I also created this GitHub Repo -
>         https://github.com/SpiderLabs/owasp-distributed-web-honeypots.
>          This may also be a good location for us to upload
>         sanitized (meaning we REDACT the honeypot hostname/IP data)
>         ModSecurity audit event data (which you can download from the
>         central logging host).  This could become an outstanding
>         repository of real-world web attack data intelligence that
>         community users could leverage.
>
>     These are just some ideas and I would love feedback.
>
>     Thanks,
>     Ryan
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp_wasc_distributed_web_honeypots_project/attachments/20150410/94c7e6ac/attachment.html>


More information about the Owasp_wasc_distributed_web_honeypots_project mailing list