Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Web Server Log Project - SANS Internet Storm Center Web Server Log Project

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Web Application Logs

In order to participate and to submit your own logs, you need to first log in. Next click on the "My Information" link. You should now see a section of the page titles "Web Logs". It includes a link to the current version of the honeypot. The compressed file includes installation instructions. Once you got it installed, return to this form and enter your honeypot's URL and identify it as active

In order to participate you need a web server running PHP. We are testing with Apache on Linux and Windows. You do not need to dedicate an IP address to the honeypot. A name virtual host will work just fine (make it the default one if you can). Your web server needs to be reachable to the public and your web server has to be able to post logs via http or https to our web server.

Visit our ISC/DShield API and look for available webhoneypot data.

Webhoneypot Menu


See our reports summary page for more reports.

Report Volume

This table summarized the report volume received over the last 10 days.

  • Date: We use GMT as timezone for all of our date and time values.
  • Reports: Individual reports. Each request to a honeypot is counted as a report. Some honeypots will supress related reports. For example, if a page includes images, only the request to the actual page is counted and the subsequent requests to images may be ignored.
  • Submitters: Identified users submitting reports.
  • Targets: Target hosts submitting data. This number may be larger then the number of submitters as some submitters operate mulitple honeypots.
  • Sources: Distinct source IPs detected on a particular day.

Top Attacks

We try to classify attacks based on regular expression matches. This system was created by SANS Technology Institute (STI) Master of Science graduate Eric Conrad as part of his software security requirement. Not all "hits" to a honeypot can easily be identified as "attacks", and some may actually just be benign. For example, a GET request for "/" could be reconnaissance or just a user or search engine stumbling across the site.

The attacks are "ranked" by the product of reports, targets and sources. The data is pulled from today.

  • CVE: Common Vulnerability Enumeration identifier (see
  • OSVDB: Open Source Vulnerability Data Base identifier (see
  • Name: A description of the request.

Top Attack Groups