Threat Level: Infocon green

Webhoneypot: Web Server Log Project

Web Application Logs | Results

Web Application Logs

In order to participate and to submit your own logs, you need to first sign in. Next click on the "My Information" link. You should now see a section of the page titles "Web Logs". It includes a link to the current version of the honeypot. The compressed file includes installation instructions. Once you got it installed, return to this form and enter your honeypot's URL and identify it as active

In order to participate you need a web server running PHP. We are testing with Apache on Linux and Windows. You do not need to dedicate an IP address to the honeypot. A name virtual host will work just fine (make it the default one if you can). Your web server needs to be reachable to the public and your web server has to be able to post logs via http or https to our web server.

Visit our ISC/DShield API and look for available webhoneypot data.

Top of page

Results

Index
Reports
Report Volume
Top Attacks
Top Attack Groups
Reports

See our reports summary page at isc.sans.edu/weblogs/reports.html for more reports.

Back to Index

Report Volume

This table summarized the report volume received over the last 10 days.

  • Date: We use GMT as timezone for all of our date and time values.
  • Reports: Individual reports. Each request to a honeypot is counted as a report. Some honeypots will supress related reports. For example, if a page includes images, only the request to the actual page is counted and the subsequent requests to images may be ignored.
  • Submitters: Identified users submitting reports.
  • Targets: Target hosts submitting data. This number may be larger then the number of submitters as some submitters operate mulitple honeypots.
  • Sources: Distinct source IPs detected on a particular day.
DateReportsSubmittersTargetsSources
2013-06-191111
2013-06-180000
2013-06-171111
2013-06-161111
2013-06-150000
2013-06-140000
2013-06-130000
2013-06-120000
2013-06-110000
Back to Index

Top Attacks

We try to classify attacks based on regular expression matches. This system was created by SANS Technology Institute (STI) Master of Science graduate Eric Conrad as part of his software security requirement. Not all "hits" to a honeypot can easily be identified as "attacks", and some may actually just be benign. For example, a GET request for "/" could be reconnaissance or just a user or search engine stumbling across the site.

The attacks are "ranked" by the product of reports, targets and sources. The data is pulled from today.

  • CVE: Common Vulnerability Enumeration identifier (see cve.mitre.org)
  • OSVDB: Open Source Vulnerability Data Base identifier (see www.osvdb.org)
  • Name: A description of the request.
ReportsAuthorsSourcesNameCVEOSVDB
Back to Index

Top Attack Groups

ReportsAuthorsSourcesGroup
Back to Index
Top of page
site/port/ip search:

Get ISC Swag!!

Webhoneypot Menu


Main Page

RFI Attacks

Filter Reports

Reports List


Advertisement

Security News Feeds

InternetStormCenter
SANS Newsbites
SANS @Risk

Diary Archives

HP iLO3/iLO4 Remote Unauthorized Access with Single-Sign-On - by: Guy Bruneau (2013-06-20)

WinLink Check-In - by: Kevin Liston (2013-06-19)

EMET 4.0 is now available for download - by: Russ McRee (2013-06-18)

View Diary Archives

Search Diaries:

SANS Institute

View our Privacy Policy

Contact Us

Phone: (757) SANS-ISC (726-7472) - Voice Mail Only
Web Contact: handlers@isc.sans.edu
Report Bugs: Sourceforge Project
Debug Info: Browser Debug Info

"The experiences gained in the SANS Technology Institute program have helped me advance in IBM, taking a more public facing role."
- Jerome Radcliffe, SANS Technology Institute Student

"SANS is a 'giving back to the community factory.' SANS encourages and fosters growing security awareness and growing the security community."
- Rob VandenBrink, Alumni of SANS Technology Institute