HTTP scanning may be a benign activity — for example, it may be a search engine indexing the web, a research project, or an organization like the Shadowserver Foundation looking for open or vulnerable services that it can report to National CERTs and network owners so that they can remediate their networks.
Other scans, however, may be part of network reconnaissance in the preparatory phase of an attack. The scan itself may also perform an attack, such as an SQL injection, a Remote File Inclusion or Local File Inclusion attack, or an exploit for a specific vulnerability. Quite often, scanning activity may come from a botnet that is actively looking to infect new sites or devices.
Below is a description of a report based on data collected by SISSDEN HTTP-aware honeypots. In addition to registering the source of the scan, the report logs the request of the scan in raw form and attempts to match a pattern to it. In cases where a malicious artifact was collected by the honeypot, its MD5 and SHA256 hashes are also recorded. This information may be used to support an investigation by a CSIRT into an incident and to determine its true nature.
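The sketch below shows how a record of this kind can be assembled from a raw request: source, raw request, a matched pattern, and hashes of any collected artifact. It is an added example, not SISSDEN or Shadowserver code; the field names, the three regular expressions and the sample requests are assumptions constructed for illustration.

```python
import hashlib
import re
from typing import Optional
from urllib.parse import unquote_plus

# Illustrative patterns only (assumed); a production honeypot uses a much larger rule set.
PATTERNS = [
    ("sql_injection", re.compile(r"\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("remote_file_inclusion", re.compile(r"[?&][^=&\s]+=(?:https?|ftp)://", re.I)),
    ("local_file_inclusion", re.compile(r"(?:\.\./){2,}|/etc/passwd", re.I)),
]

def classify(raw_request: bytes) -> str:
    """Name of the first pattern matching the request target, else 'unclassified'."""
    request_line = raw_request.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    target = parts[1] if len(parts) >= 2 else request_line
    decoded = unquote_plus(target)  # decode %XX so encoded payloads still match
    for name, rx in PATTERNS:
        if rx.search(decoded):
            return name
    return "unclassified"

def build_record(src_ip: str, raw_request: bytes, artifact: Optional[bytes] = None) -> dict:
    """Assemble one report row; hash fields stay None when no artifact was collected."""
    record = {
        "src_ip": src_ip,                             # hypothetical field names
        "raw_request": raw_request.decode("latin-1"), # kept verbatim for the analyst
        "pattern": classify(raw_request),
        "md5": None,
        "sha256": None,
    }
    if artifact is not None:
        record["md5"] = hashlib.md5(artifact, usedforsecurity=False).hexdigest()
        record["sha256"] = hashlib.sha256(artifact).hexdigest()
    return record

# Constructed sample requests (documentation IP ranges, example hostnames).
SAMPLES = [
    ("192.0.2.10", b"GET /index.php?id=1%27%20UNION%20SELECT%20null-- HTTP/1.1\r\nHost: hp.example\r\n\r\n"),
    ("192.0.2.11", b"GET /page.php?file=http%3A%2F%2Fhost.example%2Fx.txt HTTP/1.1\r\nHost: hp.example\r\n\r\n"),
    ("198.51.100.7", b"GET /view?doc=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1\r\nHost: hp.example\r\n\r\n"),
    ("198.51.100.8", b"GET /robots.txt HTTP/1.1\r\nHost: hp.example\r\n\r\n"),
]

if __name__ == "__main__":
    for ip, req in SAMPLES:
        print(build_record(ip, req))
```

Keeping the raw request alongside the matched pattern lets an analyst re-check a classification later, since a benign crawler and an exploit attempt can share the same source address.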
This report type was created as part of the EU Horizon 2020 SISSDEN Project.