AppSec Blog

Results from Webhoneypot Project

The SANS ISC Webhoneypot project was started over a year ago and the client had been in public beta since June. We have been collecting data from honeypots since January. The goal of the project is to collect quantitative data about the prevalence of large scale automated attacks.

We are now ready to share some collected data with the community. Our intention is to share the data and findings with the community in the same manner as the original DShield project.

These report pages and especially the search interface is in beta currently. We intend to refine these as the project matures. We appreciate any feedback on these reports and search capabilities.

Feel free to analyze the data as you wish, if you spot anything interesting, please write to us. Thanks and happy log reading.


Posted October 1, 2009 at 8:06 PM | Permalink | Reply

Ryan Barnett

Great stuff! We are tracking some similar types of web attacks with the WASC Distributed Open Proxy Honeypot Project ''"
I was looking at your report data here ''"
The vast majority of these are remote file inclusion (RFI) attacks. Take a look at my blog post on generically identifying RFI attacks with ModSecurity ''"
You could use the regexes in your log processing to help classify the requests.
Keep up the good work.

Post a Comment


* Indicates a required field.