Web Application Logs
In order to participate and to submit your own logs, you need to first sign in. Next click on the "My Information" link. You should now see a section of the page titles "Web Logs". It includes a link to the current version of the honeypot. The compressed file includes installation instructions. Once you got it installed, return to this form and enter your honeypot's URL and identify it as active
In order to participate you need a web server running PHP. We are testing with Apache on Linux and Windows. You do not need to dedicate an IP address to the honeypot. A name virtual host will work just fine (make it the default one if you can). Your web server needs to be reachable to the public and your web server has to be able to post logs via http or https to our web server.
Visit our ISC/DShield API and look for available webhoneypot data.
See our reports summary page at isc.sans.edu/weblogs/reports.html for more reports.Back to Index
This table summarized the report volume received over the last 10 days.
- Date: We use GMT as timezone for all of our date and time values.
- Reports: Individual reports. Each request to a honeypot is counted as a report. Some honeypots will supress related reports. For example, if a page includes images, only the request to the actual page is counted and the subsequent requests to images may be ignored.
- Submitters: Identified users submitting reports.
- Targets: Target hosts submitting data. This number may be larger then the number of submitters as some submitters operate mulitple honeypots.
- Sources: Distinct source IPs detected on a particular day.
Back to Index
Date Reports Submitters Targets Sources 2013-12-11 14856 7 1 275 2013-12-10 10610 6 1 277 2013-12-09 8609 6 1 274 2013-12-08 8317 6 1 243 2013-12-07 9499 6 1 272 2013-12-06 11197 6 1 276 2013-12-05 12711 6 1 292 2013-12-04 12354 7 1 325 2013-12-03 12369 7 1 337
We try to classify attacks based on regular expression matches. This system was created by SANS Technology Institute (STI) Master of Science graduate Eric Conrad as part of his software security requirement. Not all "hits" to a honeypot can easily be identified as "attacks", and some may actually just be benign. For example, a GET request for "/" could be reconnaissance or just a user or search engine stumbling across the site.
The attacks are "ranked" by the product of reports, targets and sources. The data is pulled from today.
- CVE: Common Vulnerability Enumeration identifier (see cve.mitre.org)
- OSVDB: Open Source Vulnerability Data Base identifier (see www.osvdb.org)
- Name: A description of the request.
Back to Index
Reports Authors Sources Name CVE OSVDB
Top Attack Groups
Back to Index
Reports Authors Sources Group