HIGH: Honeypot HTTP Scanner Events Report

DESCRIPTION LAST UPDATED: 2024-08-16

DEFAULT SEVERITY LEVEL: HIGH

This report identifies hosts that have been observed performing HTTP-based scanning activity, including exploitation attempts.

HTTP scanning may be a benign activity — for example, it may be a search engine indexing the web, a research project, or an organization like the Shadowserver Foundation looking for open or vulnerable services that it can report to National CERTs and network owners so that they can remediate their networks.

Other scans, however, may be part of a network reconnaissance in the preparatory phase of an attack or exploit attempts coming from a botnet that is actively looking to infect new sites or devices. Popular targets include various IoT (routers, nas, webcam devices) or VPN devices, CMS systems, Application Servers, Application Delivery Controllers or mail servers (such as Microsoft Exchange).

The HTTP report type, originally introduced as part of the EU Horizon 2020 SISSDEN Project has been extended under the INEA CEF VARIoT project.

It now features detailed information on attacks observed against HTTP honeypots, including CVECVSS score, MITRE ATT&CK tactic and technique mappings, affected vendor and product information and other exploit information that can be associated with the collected HTTP requests.

You can learn more on the report in our Honeypot HTTP Scanner Events Report tutorial.

You can view information about many of the attacks seen on our Dashboard, for example the Known Exploited Vulnerabilities.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

Severity levels are described here.

Filename: event4_honeypot_http_scan

Fields

  • timestamp
    Timestamp when the IP was seen in UTC+0
  • protocol
    Packet type of the connection traffic (UDP/TCP)
  • src_ip
    The IP of the device in question
  • src_port
    Source port of the IP connection
  • src_asn
    ASN of the source IP
  • src_geo
    Country of the source IP
  • src_region
    Region of the source IP
  • src_city
    City of the source IP
  • src_hostname
    Reverse DNS of the source IP
  • src_naics
    North American Industry Classification System Code
  • src_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • device_vendor
    Source device vendor
  • device_type
    Source device type
  • device_model
    Source device model
  • severity
    Severity level
  • dst_ip
    Destination IP
  • dst_port
    Destination port of the IP connection
  • dst_asn
    ASN of the destination IP
  • dst_geo
    Country of the destination IP
  • dst_region
    Region of the destination IP
  • dst_city
    City of the destination IP
  • dst_hostname
    Reverse DNS of the destination IP
  • dst_naics
    North American Industry Classification System Code
  • dst_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • public_source
    Source of the event data
  • infection
    Description of the malware/infection
  • family
    Malware family or campaign associated with the event
  • tag
    Event attributes
  • application
    Application name associated with the event
  • version
    Software version associated with the event
  • event_id
    Unique identifier assigned to the source IP or event
  • pattern
    Request pattern if recognized by target sensor (e.g., does it match an RFI, LFI, SQLi … )
  • http_url
    URL being requested by the scanning IP
  • http_agent
    HTTP user agent
  • http_request_method
    HTTP request method (GET, POST, HEAD ...)
  • url_scheme
    Whether HTTP or HTTPS request
  • session_tags
    Array of additional tags describing attack characteristics, example: pre-auth;remote-code-execution
  • vulnerability_enum
    Vulnerability or exploit schema being used, for example CVE or EDB
  • vulnerability_id
    Id of vulnerability or exploit, for example CVE-2020-5902
  • vulnerability_class
    If set, then CVSS
  • vulnerability_score
    CVSS base score
  • vulnerability_severity
    CVSS severity, for example, CRITICAL or HIGH
  • vulnerability_version
    CVSS version of framework used, for example 3.1 or 3.0
  • threat_framework
    Set to MITRE ATT&CK
  • threat_tactic_id
    Array of tactic ids, example TA0001;TA0002
  • threat_technique_id
    Array of technique ids, example T1190;T1059
  • target_vendor
    Vendor that is being targeted, example Linksys
  • target_product
    Product that is being targeted, example Linksys E-Series
  • target_class
    Class of device/software being targeted, for example router
  • file_md5
    MD5 hash of file downloaded, if any
  • file_sha256
    SHA256 hash of file downloaded, if any
  • request_raw
    Raw request sent by the scanning IP (may be base64 encoded depending on reporting honeypot type)
  • body_raw
    Raw body request (may be base64 encoded depending on reporting honeypot type)

Sample

"timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","severity","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id","pattern","http_url","http_agent","http_request_method","url_scheme","session_tags","vulnerability_enum","vulnerability_id","vulnerability_class","vulnerability_score","vulnerability_severity","vulnerability_version","threat_framework","threat_tactic_id","threat_technique_id","target_vendor","target_product","target_class","file_md5","file_sha256","request_raw","body_raw"
"2010-02-10 00:00:00",tcp,192.168.0.1,52562,64512,ZZ,Region,City,node01.example.com,0,"Communications, Service Provider, and Hosting Service",,,,high,172.16.0.1,8888,65534,ZZ,Region,City,node01.example.net,0,"Communications, Service Provider, and Hosting Service",,http-scan,,,http,,,,/api/v1/update,"Mozilla/5.0 zgrab/0.x",GET,https,,,,,,,,,,,,,,,,dGVzdGluZyAxIDIgMw==,
"2010-02-10 00:00:01",tcp,192.168.0.2,55750,64512,ZZ,Region,City,node02.example.com,0,,Hikvision,video-system,,high,172.16.0.2,26257,65534,ZZ,Region,City,node02.example.net,0,,,http-scan,,,http,,,,/api/v1/update,"Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)",GET,https,,,,,,,,,,,,,,,,dGVzdGluZyAxIDIgMw==,
"2010-02-10 00:00:02",tcp,192.168.0.3,56954,64512,ZZ,Region,City,node03.example.com,0,"Communications, Service Provider, and Hosting Service",,,,high,172.16.0.3,9001,65534,ZZ,Region,City,node03.example.net,0,,,http-scan,,,http,,,,/api/v1/update,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.115 Safari/537.36",GET,http,,,,,,,,,,,,,,,,dGVzdGluZyAxIDIgMw==,

Our 131 Report Types