One of the problems for adoption is the lack of simple inclusion into well-known CMSs.
The idea is to provide a simple add-on/plugin/modules to include the functionality of semi-automatic configuration for the major CMSs: Wordpress, Joomla, Drupal.

The modules will:

• provide a simple way for configuring the Honeypot data, e.g. Server, redirection, possible variables that will act as the honeypot
• a way of inserting that variables at randon on the web interface
• redirection to the Honeypot when this variable is modified

Consider new alternatives for log transfer including the use of:

• MLOGC-NG
• FileBeat (Logstash)
• You name it..

Hello,

I've Implemented honeypot project locally .
As soon as I trigger mod-sec rule. (by hitting curl request)
Python file start processing those rule but,
got this error.

ERROR	pipeline/output.go:100	Failed to connect to backoff(async(tcp://127.0.0.1:5044)): dial tcp 127.0.0.1:5044: connect: connection refused
modsec_app    | 2021-01-06T07:49:46.218Z	INFO	pipeline/output.go:93	Attempting to reconnect to backoff(async(tcp://127.0.0.1:5044)) with 3 reconnect attempt(s)

Any thoughts on this ?

my env file

LOGSTASH_HOST=127.0.0.1:5044

my filebeat.yml

output:
  logstash:
    enabled: true
    hosts: '${LOGSTASH_HOST:?must set LOGSTASH_HOST env variable}'
    timeout: 15
   

filebeat:
  inputs:
    -
      paths:
        - /var/log/modsec_audit_processed.log
      type: log
      json.keys_under_root: true
      json.add_error_key: true

my logstash.conf file

input {
  beats {
    port => 5044
    type => "mod_security"
    codec => json
    ssl => false
  }
}


output {
  elasticsearch {
    hosts => "elasticsearch:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
  stdout { codec => rubydebug }
}

Evaluate console options to visualise threat data received from ModSecurity Honeypots/probes in:

• ModSecurity Audit Console
• WAF-FLE,
• ELK?

Fluent and bespoke scripts for single and multiple probes.

Small footprint honeypot/probe formats utilising Docker & Raspberry Pi

We need to create a new deployment using CRS v3.0-v3.1
Ideally the setup using packer will provide us a simple and repetitive way of generating for many different platforms.

This is related to #2.

• Develop a mechanism to convert from stored MySQL to JSON format.
• Provide a mechanism to convert ModSecurity mlogc audit log output into JSON format.
• Provide a mechanism to convert mlogc audit log output directly into ELK (ElasticSearch/Logstash/Kibana) to visualise the data.

We need to provide a mechanism to forward honest output into threat intelligence format such as STIX using something like the MISP project to share Threat data coming from the Honeypots making it easy to export/import data from formats such as STIX and TAXII., may require use of concurrent logs in a format that MISP can deal with.

When building the docker image (i.e docker-compose build) for ELK/Logstash

Most of the build completes but near the end

/bin/sh: 1: wget: not found
ERROR: Service 'modsec_crs' failed to build: The command '/bin/sh -c wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.1.2-x86_64.rpm' returned a non-zero code: 127

Any thoughts?

I need code location for sharing information from elasticsearch to MISP.

We need a Proof of Concept to understand how ModSecurity baed Honeypot/Probe interacts with a receiving console (develop a VM and/or Docker based test solution to store logs from multiple probes)

• Install modsecurity stack
• Send logs/probes to console
• Write documentation for the process

there is no "docker-compose.yml" file for the honeytrap folder.

initiatives

The project has been idle for a while. The issue will be created as a root ticket to gather new items (including some of the old tickets) which are going to be implemented.

Items

• [FEAT] Develop alternative small-footprint honeypot/probe formats.
• [FEAT] pluggable modules #9
• [OPT] Consider new alternatives for log transfer approaches. #6
• [OPT] The project structure may be a little confusing for individuals to run it. Consider refactoring the structure of the docker-compose file, the folder structure, and the README file.
• [FIX] images cannot work correctly in some OS (e.g., MacOS) because it does not specify the version.