ISC collects web logs, which also include User-Agents. If you are running a honeypot or a web server, it is fairly easy to quickly use some regex to parse the logs and get a count of what is most commonly seen. This is some of the activity I have observed over the past week: some well-known user-agents associated with valid browser versions, and some custom ones that are telltale signs of hacking tools:

86 User-Agent: Mozilla/5.0

This is the regex I used to parse my honeypot logs:

cat tcp-honeypot-*.log | sed 's/.*\(User-Agent.*\)Content.*/\1/g' | sed 's/.*\(User-Agent.*\)Accept.*/\1/g' | sed 's/.*\(User-Agent.*\)Connection.*/\1/g' | sed 's/.*\(User-Agent.*\)Host.*/\1/g' | sed 's/\\r\\n//g' | sort | uniq -c | sort -h -r > agent.txt

If you are interested in participating in this ISC project, you can follow this link, which explains how to set up a honeypot to participate.

[1] https://developers.whatismybrowser.com/useragents/explore/software_name/safari/
Guy, ISC Handler, May 27th 2018
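An added example, not part of the original diary: a single awk pass that produces the same kind of count as the sed pipeline above, and also handles a User-Agent that is the last header, a lower-case header name, and requests that carry no User-Agent at all. It assumes each log line holds one request with CRLF written as the literal text \r\n; the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Assumed log layout: one request per line, CRLF logged as the literal text \r\n.

# Constructed sample records (documentation IP ranges, made-up scanner name).
sample_log() {
    printf '%s\n' \
        '2018-05-27 10:00:01 192.0.2.10 GET / HTTP/1.1\r\nHost: 203.0.113.5\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n' \
        '2018-05-27 10:00:05 192.0.2.11 GET /login HTTP/1.1\r\nHost: 203.0.113.5\r\nuser-agent: Mozilla/5.0\r\n\r\n' \
        '2018-05-27 10:00:09 192.0.2.12 GET / HTTP/1.1\r\nAccept: */*\r\nUser-Agent: ExampleScanner/1.0\r\n\r\n' \
        '2018-05-27 10:00:12 192.0.2.13 GET / HTTP/1.0\r\n\r\n'
}

# Print "count<TAB>user-agent", most frequent first.
# Reads the files given as arguments, or stdin when there are none.
count_agents() {
    awk '
    {
        # Header names are case-insensitive, so search a lower-cased copy.
        pos = index(tolower($0), "user-agent:")
        if (pos == 0) { count["(no User-Agent)"]++; next }

        ua = substr($0, pos + 11)          # text after "User-Agent:"
        stop = index(ua, "\\r\\n")         # literal backslash-r-backslash-n
        if (stop > 0) ua = substr(ua, 1, stop - 1)

        gsub(/^[ \t]+|[ \t]+$/, "", ua)    # trim surrounding whitespace
        if (ua == "") ua = "(empty User-Agent)"
        count[ua]++
    }
    END { for (ua in count) printf "%d\t%s\n", count[ua], ua }
    ' "$@" | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# Demo on the constructed records.
sample_log | count_agents
```

On real data, call it as count_agents tcp-honeypot-*.log > agent.txt. The "(no User-Agent)" bucket is worth watching on its own, since browsers always send the header.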
Hey Guy,
Your hyperlink to set up a honeypot is missing a ":" in "https://"
Anonymous, May 29th 2018