Web Application Logs

In order ot participate and to submit your own logs, you need to first sign in. Next click on the "My Information" link. You should now see a section of the page titles "Web Logs". It includes a link to the current version of the honeypot. The compressed file includes installation instructions. Once you got it installed, return to this form and enter your honeypot's URL and identify it as active

In order to participate you need a web server running PHP. We are testing with Apache on Linux and Windows. You do not need to dedicate an IP address to the honeypot. A name virtual host will work just fine (make it the default one if you can). Your web server needs to be reachable to the public and your web server has to be able to post logs via http or https to our web server.

Results

Reports

See our reports summary page at isc.sans.org/weblogs/reports.html for more reports.

Report Volume

This table summarized the report volume received over the last 10 days.

• Date: We use GMT as timezone for all of our date and time values.
• Reports: Individual reports. Each request to a honeypot is counted as a report. Some honeypots will supress related reports. For example, if a page includes images, only the request to the actual page is counted and the subsequent requests to images may be ignored.
• Submitters:Identified users submitting reports.
• Targets:Target hosts submitting data. This number may be larger then the number of submitters as some submitters operate mulitple honeypots.
• Sources:Distinct source IPs detected on a particular day.

Date	Reports	Submitters	Targets	Sources
2009-11-22	1712	18	22	89
2009-11-21	10133	19	25	332
2009-11-20	24320	19	25	335
2009-11-19	14850	19	24	355
2009-11-18	16849	20	27	289
2009-11-17	19970	21	29	325
2009-11-16	11041	22	30	296
2009-11-15	8751	22	31	293
2009-11-14	8021	22	30	278
2009-11-13	13439	22	30	266

Top Attacks

We try to classify attacks based. This system was created by STI masters candidate Eric Conrad as part of his software security requirement. Not all "hits" to a honeypot can easily be identified as "attacks", and some may actually just be begin. For example, a GET request for "/" could be recognicance or just a user or search engine stumbling across the site.

The attacks are "ranked" by the product of reports, targets and sources. The data is pulled from today.

• CVE: Common Vulnerability Enumeration identifier (see cve.mitre.org)
• OSVDB: Open Source Vulnerability Data Base identifier (see www.osvdb.org)
• Name: A description of the request.

Reports	Authors	Sources	Name	CVE	OSVDB
28	11	26	robots.txt access
6	5	3	Generic GET proxy attempt
10	1	5	AppServ RFI	2006-0125	22228
16	1	3	PHP Form Mail formmail.inc.php RFI	2005-0678	14572
8	1	3	Generic index.php RFI
6	1	4	Generic mosConfig_absolute_path RFI
15	1	1	Generic ftp: RFI attempt
5	1	2	doceboCMS RFI exploit
5	1	2	Generic Directory Traversal Attempt
5	1	1	Weblogicnet es_desp.php files_dir RFI	2007-4715	38423

Top Attack Groups

Reports	Authors	Sources	Group
74	11	23	Remote File Inclusion Attempt
7	6	4	Proxy Attempt
5	1	2	Directory Traversal Attempt

---