Leveraging Web Application Firewalls (WAFs) for Integrating Honeypots with Corporate Networks

Abstract

The problem with existing security controls is that zero-day exploits cannot be prevented or even detected, and even a well-crafted HTTP packet can bypass the controls in place. Honeypots are usually deployed to detect zero-day exploits, and they are integrated in several ways. The project aims to integrate a honeypot with corporate networks by leveraging Web Application Firewalls (WAFs) to detect malicious HTTP requests. The open-source ModSecurity WAF is used with the Core Rule Set (CRS) rules. First, the report describes the experimental work on the ModSecurity WAF, which investigated the CRS blocking evaluation rules. The experiment showed a clear relationship between the CRS anomaly threshold and the attack detection percentage. Second, it introduces the redirection evaluation rules defined by this project and implements a proof of concept (PoC) that redirects attackers' traffic to a honeypot transparently, without their being aware of it. The proof of concept successfully implemented the designed requirements.

Copyright owned by the Saudi Digital Library (SDL) © 2025