Outcomes

OWASP Web Honeypot Project


Description of session

  • Discussions focused on Tulja’s progress with
    • GSoC (Google Summer of Code) and
    • What progress we want over the next 10-12 weeks
    • How this work can be validated by Rico at Anglia Ruskin University
  • Tulja’s GSoC work concentrated on developing a PoC using a standard ModSecurity probe image under Docker that generates log entries and pushes them to another Docker image running Logstash, using JSON output instead of the MLOGC format.
  • From the Logstash Docker image, output is pushed into ELK. This must be documented:
    • As PoC Docker images
    • As diagrams
  • In the Logstash development environment, the preferred development language is Python if possible
    • Ruby on Rails or Java may also be possible.
    • There is a MISP API for Python, and it is worth noting that mlogc can use Ruby extensions.
  • Develop “Tags” in alerts generated by probe or conversion within Logstash using OWASP Automated Threats to Web Applications (OAT) Project as an ontology.
    • Assess what additional complications this may introduce.
  • Also discussed:
    • How to move alarms into ELK to threat intelligence platform such as MISP. Should this be:
      • Conversion from ELK to MISP (there are “watcher” apps which could help with translation of the data)?
      • Parallel step where we take the output from Logstash at the same time and port into MISP?
  • We decided to do both steps in parallel, so as to generate
    • an ELK visualisation/dashboard feed, and
    • a MISP threat intelligence feed.
    • Determine build requirements for the MISP; we want to build the PoC in the research lab at Anglia Ruskin University (have server resources for PoC) and can host OVA / docker images if needed.

Major aims

  • Develop end-to-end PoC with multiple honeypots/probes
  • Capture attacks from an external source (could use ZAP to generate the attack traffic in this instance) into Logstash in JSON format
  • Push the log alerts to ELK and MISP separately
  • Display alerts as threat intelligence in MISP platform. Use evidence to prove this in terms of
    • Screenshots
    • Demo video
    • Test plan
    • Supporting documentation.
  • If this becomes standard PoC, we can document appropriately and determine variations and deltas to develop and test.
  • We need to raise this as an additional ticket on GitHub

Outcomes/Deliverables

  • End-to-end PoC: multiple Docker-based web honeypots deployed in AWS push mlogc JSON alert output into a Docker-based Logstash, which pushes the alert output into ELK and MISP in parallel, giving the community both visualisation/dashboard displays and threat intelligence feeds.
  • Develop “Tags” within alerts generated by the probe or conversion within Logstash utilising OWASP Automated Threats to Web Applications (OAT) Project as an ontology. Also need to assess what additional complications this may introduce.
  • Reproduce tests from the previous Trustwave incarnation: use ModSec to inject a variable (bags = true) as a lure for an attacker, and pick out any request that echoes it back using the ModSec logs.
  • Investigate OWASP funding AWS Cloud usage for Honeypot Project.
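As an added example, not code from the session or the project: a Python sketch of the Logstash-side conversion step described in the session notes and in the Outcomes list above. It reads ModSecurity JSON audit records (one per line, as Logstash would receive them), tags each alert with an OWASP Automated Threats (OAT) identifier, flags requests that echo the injected lure variable (bags = true), and emits a MISP-style event dict for the threat intelligence leg of the pipeline. The CRS-tag-to-OAT mapping, the scanner User-Agent list, the sample records and the exact MISP field names are assumptions made for this example.

```python
"""Added example (not project code): normalise a ModSecurity v3 JSON audit
record, tag it with an OAT identifier, detect the honeypot lure parameter,
and emit a MISP-style event dict. Mapping, sample data and output field
names are assumptions for illustration."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Assumed mapping from OWASP CRS rule tags to OAT identifiers, in priority
# order. Injection probes arriving at a honeypot are treated as automated
# vulnerability scanning (OAT-014); this is a starting point for the
# tagging work, not an agreed ontology.
CRS_TAG_TO_OAT = {
    "attack-reputation-scanner": "OAT-014",  # Vulnerability Scanning
    "attack-dos": "OAT-015",                 # Denial of Service
    "attack-sqli": "OAT-014",
    "attack-xss": "OAT-014",
    "attack-lfi": "OAT-014",
    "attack-rce": "OAT-014",
    "attack-protocol": "OAT-018",            # Footprinting
}
# Constructed list of well-known scanner User-Agent fragments.
SCANNER_UA = re.compile(r"sqlmap|nikto|nmap|masscan|zgrab|acunetix|w3af|gobuster", re.I)
# Name of the lure variable the ModSecurity rule injects into responses (from
# the session notes). A request that sends it back came from something that
# parsed the honeypot's page.
LURE_PARAM = "bags"


def classify_oat(messages, user_agent):
    """Return an OAT identifier for the alert, or None if nothing matched."""
    if SCANNER_UA.search(user_agent or ""):
        return "OAT-014"
    tags = {t for m in messages for t in m.get("details", {}).get("tags", [])}
    for crs_tag, oat in CRS_TAG_TO_OAT.items():   # dict order = priority
        if crs_tag in tags:
            return oat
    return None


def lure_hit(uri):
    """True when the request query string carries the lure parameter set to true."""
    values = parse_qs(urlsplit(uri).query).get(LURE_PARAM, [])
    return any(v.lower() == "true" for v in values)


def to_misp_event(record):
    """Map one ModSecurity v3 JSON audit record to a MISP-style event dict."""
    tx = record["transaction"]
    req = tx.get("request", {})
    ua = req.get("headers", {}).get("User-Agent", "")
    uri = req.get("uri", "")
    messages = tx.get("messages", [])
    tags = [{"name": "honeypot:source=modsecurity"}]
    oat = classify_oat(messages, ua)
    if oat:
        tags.append({"name": f"oat:{oat}"})
    if lure_hit(uri):
        tags.append({"name": f"honeypot:lure={LURE_PARAM}"})
    attributes = [
        {"type": "ip-src", "category": "Network activity", "value": tx.get("client_ip")},
        {"type": "uri", "category": "Network activity", "value": uri},
    ]
    if ua:
        attributes.append({"type": "user-agent", "category": "Network activity", "value": ua})
    for m in messages:  # keep the rule that fired as analyst context
        rule_id = m.get("details", {}).get("ruleId")
        if rule_id:
            attributes.append({"type": "text", "category": "External analysis",
                               "value": f"CRS rule {rule_id}: {m.get('message', '')}"})
    return {"Event": {"info": f"Web honeypot alert {tx.get('unique_id', '')}".strip(),
                      "Attribute": attributes, "Tag": tags}}


def process_ndjson(lines):
    """Logstash-style loop: one JSON record per line; skip lines that do not parse."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        try:
            events.append(to_misp_event(json.loads(line)))
        except (ValueError, KeyError):
            continue
    return events


# Constructed sample input approximating the ModSecurity v3 JSON audit format:
# a scanner sending SQLi plus the lure, a plain protocol violation, and junk.
SAMPLE_LINES = [json.dumps(r) for r in [
    {"transaction": {"client_ip": "203.0.113.7", "unique_id": "156086490212.034567",
     "request": {"method": "GET", "uri": "/index.php?id=1%27%20OR%201%3D1--&bags=true",
                 "headers": {"Host": "honeypot.example", "User-Agent": "sqlmap/1.3"}},
     "messages": [{"message": "SQL Injection Attack Detected via libinjection",
                   "details": {"ruleId": "942100", "tags": ["OWASP_CRS", "attack-sqli"]}}]}},
    {"transaction": {"client_ip": "198.51.100.9", "unique_id": "156086490213.000001",
     "request": {"method": "GET", "uri": "/", "headers": {"Host": "10.0.0.5", "User-Agent": "curl/7.64.0"}},
     "messages": [{"message": "Host header is a numeric IP address",
                   "details": {"ruleId": "920350", "tags": ["OWASP_CRS", "attack-protocol"]}}]}},
]] + ["this line is not JSON"]

if __name__ == "__main__":
    print(json.dumps(process_ndjson(SAMPLE_LINES), indent=2))
```

In the real pipeline this logic would sit in a Logstash filter (or a small sidecar consuming Logstash output) and the resulting dict would be submitted through the MISP REST API; the ELK leg receives the same JSON record unchanged, which is what lets both feeds run in parallel from one Logstash input.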

Follow up

  • Tulja to document the integration of Docker-based probes with the Logstash Docker image using JSON, and the porting of output into ELK.
    • Record docker installation instructions and integration options
  • Investigate installation and configuration requirements for MISP and ease of deployment both as dedicated server and docker image
  • Implement a MISP platform that receives multiple probe feeds via Logstash, both in the AWS environment and in the lab PoC, with a parallel feed into ELK.
  • Once PoC is fully tested, produce documentation with
    • Full test plan
    • Screenshots
    • Configurations
    • Video demo
  • Rico to reproduce Tulja’s GSoC work in the research lab environment, ready for an academic paper, in particular deploying it as AWS instances.
