
For my final year project, I wanted to do a comparative analysis of two WAFs, ModSec/Shadow Daemon, and the web-based honeypot SNARE/TANNER.

I wanted to find out if there are any benefits of placing WAF in line with a web-based honeypot. Does it defeat the purpose of a honeypot by placing WAF inline? Can WAF add value in terms of deception capabilities or aid in the development of future mitigation techniques? For instance, determine what attacks bypass WAF. If so, what attacks will be caught by the honeypot? I know this boils down to the honeypot's limitations as it's low-interaction and applies vulnerability type emulation rather than actual vulnerabilities.

  1. Would an inline WAF make the honeypot appear more attractive by making it more difficult to attack?

  2. Can consolidating WAF and honeypot attack vector logs through SIEM help add context to the data generated?

The first approach requires a live deployment, which I currently don't have time to test. The second approach would be ideal because I could use WAF testing frameworks such as WA3F, Web Goat, Imperva, etc., which can be tested in a virtual environment.

I don't know why this research topic hasn't been researched before. I just want to confirm whether it's a waste of time or whether I’m doing it wrong.

  • It looks like you have an X/Y problem. First, why do you want to test the combination without knowing the answers to all these questions first? Second, everything you state that you want a WAF to do can be done on the honeypot. Third, what outcomes are you looking for? You don't start an experiment and then figure out what you are trying to study along the way. Do you want to study WAF evasion techniques? What is it exactly that you want to study here? Fourth, being a "challenge" does not make a target attractive to hackers: they are looking for the value in the hack. Commented Apr 2, 2019 at 6:36
  • Thanks for your valuable insight. I think this is the issue I'm trying to wrap my head around. Initially I wanted to do a comparative analysis of web-based honeypots, but because SNARE/TANNER is the only one out there along with Glastopf (its predecessor, no longer supported), that threw that out of the window. Yes, I want to examine current WAF evasion techniques against default WAF deployment settings. Can a honeypot be a useful mechanism in adding value to WAF bypassing techniques attack data? If the honeypot captures bypassing techniques exploits, can't this be used to generate new rules? Commented Apr 2, 2019 at 8:11
  • This approach is much clearer. Using a web honeypot as a basis to analyse what escapes a WAF is useful. Just remember that a WAF is not a drop-in, fire-and-forget tool. WAF needs to be configured to counter specific threats. A useful research vector is watching what gets through the WAF even when it is configured to block specific things. This approach allows you to be free with the "honeypot" you use and even allows you to craft your own web target that's not a honeypot but just something with a lot of logging. Commented Apr 2, 2019 at 8:58
  • Thanks for the clarification, I greatly appreciate it. As this has not been done before, this has definitely helped in being more specific. WAF and Honeypot research in general seems to be lacking, very little output in recent years, which made it difficult to identify a topic. Although I knew what I wanted to do, it was just a case of narrowing it down. Once again, thanks for your guidance. Commented Apr 2, 2019 at 9:37

2 Answers


Would an inline WAF make the honeypot appear more attractive by making it more difficult to attack?

Many websites are built out having load balancers/WAF in front of the actual web servers. It’s quite common. They’re also used for SSL/TLS termination to boost performance. That said, it does add complexity in that a vulnerability in your WAF implementation could result in the attacker having an alarming level of access. A great example of this is HeartBleed.

Can consolidating WAF and honeypot attack vector logs through SIEM aid in adding context to the data generated?

Sure, however rules need to be created for the SIEM to digest/correlate the two additional data points.

WAF Benefits

There are two major advantages with placing a WAF in front of your web application honey pot.

  1. SSL/TLS termination. This is pretty much required so the request/response can be inspected.
  2. Prevent the hacking of others. The honeypot deployment shouldn’t send malevolent traffic out to the Internet. Nor should it be a place for an attacker to send unsuspecting users. An example being a persistent XSS. Both of these should be prevented so you're not aiding the attacker.

Legal

I'm not a lawyer nor is this the place to seek legal advice.

With that out of the way, there are legal concerns with running a honeypot as brought up in a prior post:

What is the current U.S. law regarding the building of and deployment of honeypots?


Does it defeat the purpose of a honeypot by placing WAF inline?

Not necessarily. While honeypots are designed to be vulnerable and attract attackers, placing a WAF in front of them doesn't defeat this purpose if the WAF is in transparent mode (just logging and not blocking). It can offer valuable insights into which attacks the WAF detects and which bypass it, enhancing your understanding of attack patterns. You can check this old paper for adaptive/dynamic and intelligent/context-aware honeypots from the German Research Center for Artificial Intelligence (DFKI).

Can WAF add value in terms of deception capabilities or aid in the development of future mitigation techniques? For instance, determine what attacks bypass WAF; if so, what attacks will be caught by the honeypot?...

Yes, a WAF can add value by providing an additional layer of deception. It can help identify which attacks bypass it, and those attacks can be analyzed through the honeypot. The honeypot can then capture attack variants that the WAF misses, helping improve future mitigation strategies. Check out this recent 2024 paper

  1. Would an inline WAF make the honeypot appear more attractive by making it more difficult to attack?

Possibly. A WAF in front of a honeypot could make it appear more like a real, protected system, which may attract more sophisticated attackers. It could simulate a real-world target, leading to more interesting interactions.

  2. Can consolidating WAF and honeypot attack vector logs through SIEM aid in adding context to the data generated?

Yes, combining WAF and honeypot logs in a SIEM system can provide deeper context. By correlating attack attempts detected by the WAF with the behavior observed in the honeypot, you can better understand attack tactics and improve incident response. I found this paper: Honeyboost: Boosting honeypot performance with data fusion and anomaly detection, which investigates and proposes Honeyboost, a novel, hybrid framework consisting of two complementary approaches, horizontal and vertical, to enhance honeypot-aided Network Anomaly Detection Systems (NADS).
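As an added example (not code from the question, the answers, or any of the projects named), one way to implement the SIEM correlation both answers describe: join detection-only WAF log lines with honeypot events on client address, request path and time, and label each attack the honeypot saw as "detected" or "bypassed". Both log formats, their field names, and the sample lines are assumed/constructed for this example.

```python
# Join WAF detections with honeypot requests to label each attack the honeypot saw
# as "detected" (the WAF flagged it) or "bypassed" (it reached the honeypot unflagged).
import json
import re
from datetime import datetime, timedelta

# Constructed sample: detection-only WAF log (layout assumed, loosely ModSecurity-like).
WAF_LOG = """\
2019-04-02T06:36:01Z client=203.0.113.7 uri=/index.php?id=1%27%20OR%201=1 rule=942100
2019-04-02T06:36:05Z client=203.0.113.7 uri=/login.php rule=941100
"""
# Constructed sample: honeypot events as JSON lines (keys assumed for this example).
HP_LOG = """\
{"ts":"2019-04-02T06:36:01Z","peer":"203.0.113.7","path":"/index.php?id=1%27%20OR%201=1","emulator":"sqli"}
{"ts":"2019-04-02T06:36:09Z","peer":"203.0.113.7","path":"/index.php?id=1/**/oR/**/1=1","emulator":"sqli"}
{"ts":"2019-04-02T06:37:30Z","peer":"198.51.100.9","path":"/robots.txt","emulator":null}
"""
WAF_RE = re.compile(r"^(\S+) client=(\S+) uri=(\S+) rule=(\d+)$")
WINDOW = timedelta(seconds=2)  # tolerated clock skew between the two sensors

def ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_waf(text):
    """Yield (time, client, uri, rule) for each well-formed WAF line."""
    for m in filter(None, map(WAF_RE.match, text.splitlines())):
        t, client, uri, rule = m.groups()
        yield ts(t), client, uri, rule

def parse_honeypot(text):
    """Yield honeypot events as dicts with a parsed timestamp."""
    for line in filter(str.strip, text.splitlines()):
        e = json.loads(line)
        e["ts"] = ts(e["ts"])
        yield e

def correlate(waf_text, hp_text):
    """Map each emulated (attack) honeypot request path to 'detected' or 'bypassed'."""
    waf = list(parse_waf(waf_text))
    verdicts = {}
    for hp in parse_honeypot(hp_text):
        if hp["emulator"] is None:   # no vulnerability emulator fired: not an attack
            continue
        hit = any(c == hp["peer"] and u == hp["path"] and abs(t - hp["ts"]) <= WINDOW
                  for t, c, u, _ in waf)
        verdicts[hp["path"]] = "detected" if hit else "bypassed"
    return verdicts
```

The "bypassed" entries are the research output: requests that fired a honeypot emulator without any WAF rule matching within the time window, which is exactly the set a new rule would need to cover.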
