Fix some regressions, revert to full apache config

OWASP · Jan 15, 2020 · 8fc5774 · 8fc5774
1 parent 6988f1d
commit 8fc5774
Show file tree

Hide file tree

Showing 8 changed files with 613 additions and 39 deletions.
diff --git a/honeytraps/README.md b/honeytraps/README.md
@@ -38,7 +38,7 @@ A step by step video demonstration is shown at https://www.youtube.com/watch?v=u
  ```bash
  cd ~
  git clone --recurse-submodules https://github.com/OWASP/Honeypot-Project.git
- cd Honeypot-Project/honeytraps
+ cd ~/Honeypot-Project/honeytraps
  ```
 
 * Setup MISP server, then ELK, then Modsecurity Honeypot as specified in their own README (located in ```misp, waf_elk and waf_modsec``` respecitvely)
@@ -142,7 +142,7 @@ A step by step video demonstration is shown at https://www.youtube.com/watch?v=u
  * In the below log screenshot we can see that Attacker is tagged at ELK who changed the cookie value
  ![Alt text](./screenshots/honeytrap4_logs.png?raw=true "Visualizing the Honeytrap-5 Logs")
 
-* Please check the modsecurity conf. file for more information about the honeytraps.
+* Please check the ```waf_modsec/modsecurity-extension.conf``` file for more information about the honeytraps.
 
 ## **Known Issues**:
 
@@ -152,12 +152,6 @@ A step by step video demonstration is shown at https://www.youtube.com/watch?v=u
  sudo sysctl -w vm.max_map_count=262144
  ```
 
-* If there is problem running with logstash, try with 
-
- ```
- /opt/logstash/bin/logstash --path.data /tmp/logstash/data -e filebeat_logstash.conf
- ```
-
 ## **References**
 
 * Web Application Defender's Cookbook: Battling Hackers and Protecting Users 
@@ -170,3 +164,5 @@ A step by step video demonstration is shown at https://www.youtube.com/watch?v=u
 * https://misp-project.org
 * https://github.com/harvard-itsecurity/docker-misp
 * https://pymisp.readthedocs.io/
+
+
diff --git a/honeytraps/waf_elk/misp-push/misp-push.py b/honeytraps/waf_elk/misp-push/misp-push.py
@@ -3,6 +3,7 @@
 from datetime import datetime, timedelta, timezone
 from dateutil import tz
 from elasticsearch_async import AsyncElasticsearch
+from elasticsearch import TransportError
 #from elasticsearch import Elasticsearch, TransportError
 from urllib3.exceptions import ConnectTimeoutError
 import json
@@ -179,6 +180,8 @@ async def run(self):
  log.warning("Transaction failed, error: " + str(e))
  except ConnectionError as e:
  log.warning("Connection error: " + str(e))
+ except TransportError as e:
+ log.warning("Elastic TransportError: " + str(e))
  #except Exception as e:
  # log.error("Unknown error: " + str(e))
  await asyncio.sleep(self.WATCH_INTERVAL)

diff --git a/honeytraps/waf_modsec/Dockerfile b/honeytraps/waf_modsec/Dockerfile
@@ -4,14 +4,14 @@ RUN wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.4.2-am
 RUN dpkg -i filebeat-7.4.2-amd64.deb
 COPY filebeat.yml /etc/filebeat/filebeat.yml
 COPY modsec_entry.sh /
-COPY robots.txt /home/
-COPY index.html /usr/local/apache2/htdocs/
-COPY login.html /usr/local/apache2/htdocs/
-COPY httpd-extension.conf /app/httpd-extension.conf
+COPY --chown=daemon:daemon robots.txt /usr/local/apache2/htdocs/
+COPY --chown=daemon:daemon index.html /usr/local/apache2/htdocs/
+COPY --chown=daemon:daemon login.html /usr/local/apache2/htdocs/
 COPY modsecurity-extension.conf /app/modsecurity-extension.conf
 COPY preprocess-modsec-log.py /app/preprocess-modsec-log.py
 RUN touch /var/log/modsec_audit_processed.log
-RUN cat /app/httpd-extension.conf >> /usr/local/apache2/conf/httpd.conf
+COPY httpd.conf /usr/local/apache2/conf/httpd.conf
 RUN cat /app/modsecurity-extension.conf >> /etc/modsecurity.d/modsecurity.conf
 RUN chmod +x /modsec_entry.sh
+EXPOSE 80/tcp 8080/tcp 8000/tcp 8888/tcp
 CMD ["/modsec_entry.sh"]
diff --git a/honeytraps/waf_modsec/httpd-extension.conf b/honeytraps/waf_modsec/httpd-extension.conf