Overview
We recently updated the webhoneypot pages at https://isc.sans.edu/webhoneypot/index.html and added some API functions at https://isc.sans.edu/api/. The Webhoneypot project is a collection of logs submitted by users from various honeypots.
Features
The right column navigation is always present and has links to:
Webhoneypot home page
RFI Attacks - List of URLs matching RFI regular expressions
Filter Reports - search our reports for matches to particular header properties
Reports List - Explained in detail below
Web Application Logs - https://isc.sans.edu/webhoneypot/index.html#logs
Explains how to sign up and participate as well as requirements to submit logs.
Link to ISC/DShield API where we have added functions for the webhoneypot
Results - https://isc.sans.edu/webhoneypot/index.html#results
Reports - https://isc.sans.edu/webhoneypot/index.html#reports
Links to available reporting at https://isc.sans.edu/webhoneypot/reports.html
Overall Report Volume - Total reports, submitters and average per submitter sorted by date
Attacks By Type - Regular expressions determine the types of attacks. The page lists two tables: one with the top 30 attacks for the last month, the other with the top attacks for the last 24 hrs.
Top Unclassified - List of URLs not recognized by regular expressions.
Unique URLs - Distinct URLs per day with date selection form.
Headers - Unique headers per day with link to details page. Also has date selection form.
Report Volume - https://isc.sans.edu/webhoneypot/index.html#volume
Summarizes the report volume received over the last 10 days.
Top Attacks - https://isc.sans.edu/webhoneypot/index.html#attacks
We try to classify attacks based on regular expression matches. This system was created by SANS Technology Institute (STI) Master of Science graduate Eric Conrad as part of his software security requirement. Not all hits to a honeypot can easily be identified as attacks, and some may actually just be benign.
Top Attack Groups - https://isc.sans.edu/webhoneypot/index.html#groups
Grouped top attacks found by regular expressions for the current day
Please consider running a honeypot yourself, and expect to see more about this project and additional APIs in the future!
Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form
--
Adam Swanger, Web Developer (GWEB, GWAPT)
Internet Storm Center https://isc.sans.edu
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Source: http://isc.sans.edu/diary.html?storyid=14710&rss