Introduction

I’m a Google Summer of Code 2019 student for the OWASP organization, working on the OWASP Honeypot project. My project was to build automated web-based honeypots using ModSecurity, a Web Application Firewall (WAF), and to report the information to the Malware Information Sharing Platform (MISP).

First and foremost, I would like to thank my mentors Adrian Winckles & Felipe Zipitría and the whole OWASP community, in general, for letting me work on this fantastic project.

Motivation Behind the Project

The purpose of this project is to capture intelligence on attacker activity against web applications and to use that intelligence to protect software against attacks. We gather the attack information by laying honeypots built on web application firewalls. With enough honeypots distributed globally, we will be in a position to aggregate attack techniques and better understand and protect against the methods used by attackers.

High-Level Architecture

The overall design consists of mainly three modules, which are Honeypot software, Collection software, and Community software.

[Figure: high-level architecture of the three modules]

  • Honeypot software: This module lays the honeytraps and lures the attacker in order to gather information about them. ModSecurity is used for laying the honeytraps.

    • We lay honeytraps using the Core Rule Set (CRS) rules of ModSecurity and collect the attack information from the ModSecurity audit logs. Once the logs are generated, they are sent to the Collection software (ELK stack) for further processing. Shipping the logs is done with Filebeat; the ModSecurity Audit Log Collector (mlogc) is another way of exporting the logs to the ELK stack. This project supports both forms of shipping, and either method can be chosen as appropriate.
    • There are three phases in recognizing an attack:
      • Luring the attacker with a bait
      • Identifying the attacker from their actions
      • Gathering information about the attacker (from the logs)
| Bait | Identification of attacker |
| --- | --- |
| Adding fake listen ports | If the web client tries to access these fake ports, it is tagged as malicious |
| Adding a fake entry in robots.txt | If it accesses the restricted location, it is tagged as malicious |
| Adding fake HTML comments | If it accesses the debugging information from the HTML comments, it can be marked as malicious |
| Adding fake hidden form fields | If it manipulates the hidden form field(s) set by the web server, it is tagged as malicious |
| Adding fake cookie data | If it manipulates the cookies set by the web server, it is tagged as malicious |


  • Collection software: This module processes the logs that come into the system. It filters out the attack information and sends it to the Community software. The Elasticsearch, Logstash, Kibana (ELK) stack is used as the log collection software; it processes the logs and visualizes the attack information. The screenshot below shows the attack information visualization.
    • The Collection software also runs the MISP client, which periodically collects the honeytrap information and automatically reports it to the Community software.
    • The honeytrap information is sent along with relevant tags by the MISP client.

[Screenshot: attack information visualization in the ELK stack]

  • Community software: It maintains the attack information from various sources and reports it to the community. The Malware Information Sharing Platform (MISP) is used as the Community software. Various details about the attack, such as threat level, analysis done, timestamp, tags, etc., are reported to MISP. The screenshot below shows the details of a MISP event.

[Screenshot: details of a MISP event]

All three modules above are realized as Docker containers. Currently, all of them run on a single host; with the proper configuration, they can be run on multiple nodes as well. A demonstration of the project on the Docker platform is shown in the video below.
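The baits listed in the Honeypot software table above can be laid with ModSecurity rules such as the following. This is an added example, not the project's own rule set: the port 8081, the path /private-backup/, the field name debug_mode, the cookie trap_role and the rule ids 1001-1004 are constructed placeholders, and the audit log settings are shown only to make clear that every trap hit produces the audit record that Filebeat or mlogc ships to the ELK stack.

```apache
# Audit logging: write a full audit record for every transaction a rule flagged.
# These records are what Filebeat / mlogc ship to the Collection software.
SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log
SecAuditLogParts ABCFHZ

# Bait 1: fake listen port. The server also listens on 8081 (assumed value),
# which is never linked from anywhere; only a scanner finds it.
SecRule SERVER_PORT "@eq 8081" \
    "id:1001,phase:1,pass,log,auditlog,\
    msg:'Honeytrap: request on fake listen port',\
    tag:'honeytrap/fake-port',severity:'CRITICAL',setvar:'tx.honeytrap=1'"

# Bait 2: fake robots.txt entry. robots.txt contains "Disallow: /private-backup/"
# (assumed path) and nothing legitimate is served there.
SecRule REQUEST_URI "@beginsWith /private-backup/" \
    "id:1002,phase:1,pass,log,auditlog,\
    msg:'Honeytrap: fake robots.txt location accessed',\
    tag:'honeytrap/robots-txt',severity:'CRITICAL',setvar:'tx.honeytrap=1'"

# Bait 3: fake hidden form field. Forms carry
# <input type="hidden" name="debug_mode" value="0"> (assumed); any other value
# means the client edited the field before submitting.
SecRule ARGS_POST:debug_mode "!@streq 0" \
    "id:1003,phase:2,pass,log,auditlog,\
    msg:'Honeytrap: hidden form field manipulated',\
    tag:'honeytrap/hidden-field',severity:'CRITICAL',setvar:'tx.honeytrap=1'"

# Bait 4: fake cookie. The server sets "trap_role=user" (assumed); a request
# presenting any other value has tampered with the cookie.
SecRule REQUEST_COOKIES:trap_role "!@streq user" \
    "id:1004,phase:1,pass,log,auditlog,\
    msg:'Honeytrap: cookie manipulated',\
    tag:'honeytrap/cookie',severity:'CRITICAL',setvar:'tx.honeytrap=1'"
```

The rules use `pass` rather than `deny`, so a trapped client is only tagged (via the `tag` action and the `tx.honeytrap` variable) and its subsequent requests keep flowing into the audit log; switching to `deny,status:403` is a policy choice for deployments that prefer to block on the first trap hit.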

Future Roadmap

  • Use Packer for generating the VM images for the above three modules.
  • A machine-learning-based approach to automatically update the rule set from the cyber threat intelligence received.
  • Add more honeytraps using ModSecurity rules.