We recenlty updated the webhoneypot pages at https://isc.sans.edu/webhoneypot/index.html and added some API functions at https://isc.sans.edu/api/. The Webhoneypot project is a collection of logs submitted by users from various honeypots.
The right column navigation is always present and has links to:
Webhoneypot home page
RFI Attacks - List of URLs matching RFI regular expressions
Filter Reports - search our reports for matches to particular header properties
Reports List - Explained in detail below
Web Application Logs - https://isc.sans.edu/webhoneypot/index.html#logs
Explains how to sign up and participate as well as requirements to submit logs.
Link to ISC/DShield API where we have added functions for the webhoneypot
Results - https://isc.sans.edu/webhoneypot/index.html#results
Reports - https://isc.sans.edu/webhoneypot/index.html#reports
Links to available reporting at https://isc.sans.edu/webhoneypot/reports.html
Overall Report Volume - Total reports, submitters and average per submitter sorted by date
Attacks By Type - Regular expressions determine the types of attacks. Page lists two tables. One lists the top 30 attacks for the last month, the other table the top attacks for the last 24 hrs.
Top Unclassified - List of URLs no recognized by regular expressions.
Unique URLs - Distinct URLs per day with date selection form.
Headers - Unique headers per day with link to details page. Also has date selection form.
Report Volume - https://isc.sans.edu/webhoneypot/index.html#volume
summarized the report volume received over the last 10 days.
Top Attacks - https://isc.sans.edu/webhoneypot/index.html#attacks
We try to classify attacks based on regular expression matches. This system was created by SANS Technology Institute (STI) Master of Science graduate Eric Conrad as part of his software security requirement. Not all hits to a honeypot can easily be identified as attacks, and some may actually just be benign.
Top Attack Groups - https://isc.sans.edu/webhoneypot/index.html#groups
Grouped top attacks found by regular expressions for the current day
Please consider running a honeypot yourself expect to see more about this project and additional APIs in the future!
Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form
Adam Swanger, Web Developer (GWEB, GWAPT)
Internet Storm Center https://isc.sans.edu
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.