I’m new to Stack Exchange and just want to get some advice. For my final year project (I have about a month left), I wanted to do a comparative analysis of 2 WAFs, ModSec/Shadow Daemon, and the web-based honeypot SNARE/TANNER.
I wanted to find out if there are any benefits of placing a WAF inline with a web-based honeypot. Can a WAF add value in terms of deception capabilities or aid in the development of future mitigation techniques? For instance, determine what attacks bypass the WAF and, if so, what attacks can be caught by the honeypot? I know this boils down to the limitations of the honeypot, as it is low-interaction and applies vulnerability type emulation.
1) Would an inline WAF make the honeypot appear more attractive by making it more difficult to attack?
2) Can consolidating WAF and honeypot attack vector logs through a SIEM aid in adding context to the data generated?
The first approach requires a live deployment, which I currently don’t have time to test. The second approach would be ideal because I could use WAF testing frameworks such as w3af, WebGoat, Imperva, etc., which can be tested in a virtual environment.
This research topic has not been done before; I don’t know why. I just want to confirm whether it’s a waste of time or I’m going about it the wrong way.