ISC Feature of the Week: Webhoneypot: Web Server Log Project
Last Updated: 2012-12-14 22:45:56 UTC
by Adam Swanger (Version: 1)
We recently updated the webhoneypot pages at https://isc.sans.edu/webhoneypot/index.html and added some API functions at https://isc.sans.edu/api/. The Webhoneypot project is a collection of logs submitted by users from various honeypots.
The right column navigation is always present and has links to:
- Webhoneypot home page
- RFI Attacks - List of URLs matching RFI regular expressions
- Filter Reports - search our reports for matches to particular header properties
- Reports List - Explained in detail below
Web Application Logs - https://isc.sans.edu/webhoneypot/index.html#logs
- Explains how to sign up and participate as well as requirements to submit logs.
- Link to ISC/DShield API where we have added functions for the webhoneypot
Results - https://isc.sans.edu/webhoneypot/index.html#results
Reports - https://isc.sans.edu/webhoneypot/index.html#reports
- Links to available reporting at https://isc.sans.edu/webhoneypot/reports.html
- Overall Report Volume - Total reports, submitters and average per submitter sorted by date
- Attacks By Type - Regular expressions determine the types of attacks. The page has two tables: one lists the top 30 attacks for the last month, the other the top attacks for the last 24 hrs.
- Top Unclassified - List of URLs not recognized by regular expressions.
- Unique URLs - Distinct URLs per day with date selection form.
- Headers - Unique headers per day with link to details page. Also has date selection form.
Report Volume - https://isc.sans.edu/webhoneypot/index.html#volume
- Summarizes the report volume received over the last 10 days.
Top Attacks - https://isc.sans.edu/webhoneypot/index.html#attacks
- We try to classify attacks based on regular expression matches. This system was created by SANS Technology Institute (STI) Master of Science graduate Eric Conrad as part of his software security requirement. Not all "hits" to a honeypot can easily be identified as "attacks", and some may actually just be benign.
Top Attack Groups - https://isc.sans.edu/webhoneypot/index.html#groups
- Grouped top attacks found by regular expressions for the current day
Please consider running a honeypot yourself, and expect to see more about this project and additional APIs in the future!
Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form
Adam Swanger, Web Developer (GWEB, GWAPT)
Internet Storm Center https://isc.sans.edu