Threat Level: Infocon green

Webhoneypot: Web Server Log Project

Web Application Logs | Results

Web Application Logs

In order ot participate and to submit your own logs, you need to first sign in. Next click on the "My Information" link. You should now see a section of the page titles "Web Logs". It includes a link to the current version of the honeypot. The compressed file includes installation instructions. Once you got it installed, return to this form and enter your honeypot's URL and identify it as active

In order to participate you need a web server running PHP. We are testing with Apache on Linux and Windows. You do not need to dedicate an IP address to the honeypot. A name virtual host will work just fine (make it the default one if you can). Your web server needs to be reachable to the public and your web server has to be able to post logs via http or https to our web server.

Top of page

Results

Index
Reports
Report Volume
Top Attacks
Top Attack Groups
Reports

See our reports summary page at isc.sans.edu/weblogs/reports.html for more reports.

Back to Index

Report Volume

This table summarized the report volume received over the last 10 days.

  • Date: We use GMT as timezone for all of our date and time values.
  • Reports: Individual reports. Each request to a honeypot is counted as a report. Some honeypots will supress related reports. For example, if a page includes images, only the request to the actual page is counted and the subsequent requests to images may be ignored.
  • Submitters: Identified users submitting reports.
  • Targets: Target hosts submitting data. This number may be larger then the number of submitters as some submitters operate mulitple honeypots.
  • Sources: Distinct source IPs detected on a particular day.
DateReportsSubmittersTargetsSources
2012-05-20782222154
2012-05-191294222176
2012-05-181164522145
2012-05-171116622142
2012-05-161193022141
2012-05-151163222139
2012-05-141210322144
2012-05-131207722148
2012-05-121272722154
2012-05-11958022145
Back to Index

Top Attacks

We try to classify attacks based. This system was created by STI masters candidate Eric Conrad as part of his software security requirement. Not all "hits" to a honeypot can easily be identified as "attacks", and some may actually just be begin. For example, a GET request for "/" could be recognicance or just a user or search engine stumbling across the site.

The attacks are "ranked" by the product of reports, targets and sources. The data is pulled from today.

  • CVE: Common Vulnerability Enumeration identifier (see cve.mitre.org)
  • OSVDB: Open Source Vulnerability Data Base identifier (see www.osvdb.org)
  • Name: A description of the request.
ReportsAuthorsSourcesNameCVEOSVDB
1016robots.txt access
Back to Index

Top Attack Groups

ReportsAuthorsSourcesGroup
Back to Index
Top of page
site/port/ip search:

Get ISC Swag!!

Webhoneypot Menu


Main Page

RFI Attacks

Filter Reports

Reports List


Advertisement

Security News Feeds

InternetStormCenter
SANS Newsbites
SANS @Risk

Diary Archives

PHP 5.4 Remote Exploit PoC in the wild - by: Manuel Humberto Santander Pelaez (2012-05-19)

ZTE Score M Android Phone backdoor - by: Johannes Ullrich (2012-05-18)

Do Firewalls make sense? - by: Johannes Ullrich (2012-05-17)

View Diary Archives

Search Diaries:

SANS Institute

View our Privacy Policy

Contact Us

Phone: (757) SANS-ISC (726-7472) - Voice Mail Only
Web Contact: handlers@isc.sans.edu
Report Bugs: Sourceforge Project
Debug Info: Browser Debug Info

"The experiences gained in the SANS Technology Institute program have helped me advance in IBM, taking a more public facing role."
- Jerome Radcliffe, SANS Technology Institute Student

"SANS is a 'giving back to the community factory.' SANS encourages and fosters growing security awareness and growing the security community."
- Rob VandenBrink, Alumni of SANS Technology Institute