Overview

We recenlty updated the webhoneypot pages at https://isc.sans.edu/webhoneypot/index.html and added some API functions at https://isc.sans.edu/api/. The Webhoneypot project is a collection of logs submitted by users from various honeypots.

Features

The right column navigation is always present and has links to:

• Webhoneypot home page
• RFI Attacks - List of URLs matching RFI regular expressions
• Filter Reports - search our reports for matches to particular header properties
• Reports List - Explained in detail below

Web Application Logs - https://isc.sans.edu/webhoneypot/index.html#logs

• Explains how to sign up and participate as well as requirements to submit logs.
• Link to ISC/DShield API where we have added functions for the webhoneypot

Results - https://isc.sans.edu/webhoneypot/index.html#results

• Reports - https://isc.sans.edu/webhoneypot/index.html#reports
  • Links to available reporting at https://isc.sans.edu/webhoneypot/reports.html
  • Overall Report Volume - Total reports, submitters and average per submitter sorted by date
  • Attacks By Type - Regular expressions determine the types of attacks. Page lists two tables. One lists the top 30 attacks for the last month, the other table the top attacks for the last 24 hrs.
  • Top Unclassified - List of URLs no recognized by regular expressions.
  • Unique URLs - Distinct URLs per day with date selection form.
  • Headers - Unique headers per day with link to details page. Also has date selection form.
• Report Volume - https://isc.sans.edu/webhoneypot/index.html#volume
  • summarized the report volume received over the last 10 days.
• Top Attacks - https://isc.sans.edu/webhoneypot/index.html#attacks
  • We try to classify attacks based on regular expression matches. This system was created by SANS Technology Institute (STI) Master of Science graduate Eric Conrad as part of his software security requirement. Not all "hits" to a honeypot can easily be identified as "attacks", and some may actually just be benign.
• Top Attack Groups - https://isc.sans.edu/webhoneypot/index.html#groups
  • Grouped top attacks found by regular expressions for the current day

Please consider running a honeypot yourself expect to see more about this project and additional APIs in the future!

Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form
--
Adam Swanger, Web Developer (GWEB, GWAPT)
Internet Storm Center https://isc.sans.edu