Clicking on the Saturday bar lists all attack details for that day, as in the example below (sanitized to protect our honeypot).

An attacker tried to access /manager/html, the web interface of the Tomcat Manager application. The request uses a bare IP address instead of a hostname in the Host header, but that is not what the Core Rules matched on: the H section of the audit entry shows rule 960015 ("Request Missing an Accept Header", severity CRITICAL) from modsecurity_crs_21_protocol_anomalies.conf, because the request carries no Accept header at all. Note that ModSecurity logs the match as "Warning.", i.e. the rule fired in log-only mode; a rule that actually denies the request is logged as "Access denied with code ...". The response recorded in section F is a 400 Bad Request.

--4f701d10-A--
[25/Jul/2009:18:53:04 +0200] jfQwmQoKRwsAAAXJFT0AAAAC 89.96.247.33 3308 OUR_IP 80

--4f701d10-B--
GET /manager/html HTTP/1.1
Referer: http://OUR_IP:80/manager/html
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE 3.01)
Host: 212.3.253.120:80
Connection: Close
Cache-Control: no-cache
Authorization: Basic bWFuYWdlcjpCb3Ro

--4f701d10-F--
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=UTF-8
Content-Length: 39
Connection: close

--4f701d10-H--
Message: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Apache-Handler: proxy-server
Stopwatch: 1248540784603289 2044 (66 1065 1593)
Producer: ModSecurity for Apache/2.5.0- (http://www.modsecurity.org/); core ruleset/1.6.0.
Server: Apache/2.2.8 (EL) DAV/2 mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5

--4f701d10-K--

One HTTP header is particularly interesting: Authorization carries HTTP Basic authentication credentials. These are only Base64-encoded, not encrypted, so anyone who can read the request (a honeypot, a proxy, a packet capture) recovers them directly. Decoding the value bWFuYWdlcjpCb3Ro gives manager:Both, where manager is the Tomcat Manager username and Both is the attacker's password guess.
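To turn a day's worth of such audit entries into a list of guessed credentials (and the rule each request tripped), the serial audit log can be parsed section by section. The script below is an added example, not code from the original post: it splits a ModSecurity serial audit log on its --id-X-- boundaries, pulls the Authorization header out of section B and the matched rule id/msg out of section H, and decodes the Basic credentials. The log text embedded in it is constructed (the IPs and the second and third credential guesses are made up), and malformed Base64 is handled rather than crashing the parser.

```python
import base64
import binascii
import re

# Constructed sample: three serial audit-log entries modelled on the one above
# (sections A, B, H, K). IPs are documentation addresses; the credentials in the
# second entry and the broken token in the third are invented for the example.
H_LINE = ('Message: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. '
          '[file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] '
          '[line "41"] [id "960015"] [msg "Request Missing an Accept Header"] '
          '[severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]')

SAMPLE_AUDIT_LOG = "\n".join([
    "--4f701d10-A--",
    "[25/Jul/2009:18:53:04 +0200] jfQwmQoKRwsAAAXJFT0AAAAC 192.0.2.10 3308 198.51.100.5 80",
    "--4f701d10-B--",
    "GET /manager/html HTTP/1.1",
    "Host: 198.51.100.5:80",
    "Authorization: Basic bWFuYWdlcjpCb3Ro",
    "--4f701d10-H--", H_LINE, "--4f701d10-K--",
    "--7a2b3c4d-A--",
    "[25/Jul/2009:18:53:09 +0200] kLmNoPqRsTuVwXyZ012345 192.0.2.10 3310 198.51.100.5 80",
    "--7a2b3c4d-B--",
    "GET /manager/html HTTP/1.1",
    "Host: 198.51.100.5:80",
    "Authorization: Basic dG9tY2F0OnRvbWNhdA==",
    "--7a2b3c4d-H--", H_LINE, "--7a2b3c4d-K--",
    "--8e9f0a1b-A--",
    "[25/Jul/2009:18:53:12 +0200] aBcDeFgHiJkLmNoPqRsTuV 192.0.2.10 3311 198.51.100.5 80",
    "--8e9f0a1b-B--",
    "GET /manager/html HTTP/1.1",
    "Host: 198.51.100.5:80",
    "Authorization: Basic !!not-base64!!",   # deliberately malformed
    "--8e9f0a1b-H--", H_LINE, "--8e9f0a1b-K--",
]) + "\n"

BOUNDARY_RE = re.compile(r'^--([0-9a-fA-F]+)-([A-Z])--$')
RULE_RE = re.compile(r'\[id "(\d+)"\].*?\[msg "([^"]*)"\]')


def parse_audit_log(text):
    """Split a serial audit log into {transaction_id: {section_letter: [lines]}}."""
    entries = {}
    txid = section = None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            txid, section = m.group(1), m.group(2)
            entries.setdefault(txid, {}).setdefault(section, [])
        elif txid is not None and line.strip():
            entries[txid][section].append(line)
    return entries


def decode_basic_auth(header_value):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None if unusable."""
    scheme, _, token = header_value.strip().partition(' ')
    if scheme.lower() != 'basic' or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode('utf-8', 'replace')
    except (binascii.Error, ValueError):
        return None          # garbage or truncated token: report as undecodable
    user, sep, password = raw.partition(':')
    return (user, password) if sep else None


def extract_attempts(text):
    """One record per audit entry: client IP, request line, matched CRS rule, decoded credentials."""
    records = []
    for txid, sections in parse_audit_log(text).items():
        a_line = sections.get('A', [''])[0]
        # Section A fields: [timestamp tz] unique_id src_ip src_port dst_ip dst_port
        client_ip = a_line.split()[3] if a_line else None
        request = sections.get('B', [])
        method, path = (request[0].split()[:2] if request else [None, None])
        headers = {}
        for hdr in request[1:]:
            name, _, value = hdr.partition(':')
            headers[name.strip().lower()] = value.strip()
        creds = decode_basic_auth(headers['authorization']) if 'authorization' in headers else None
        rule = None
        for h_line in sections.get('H', []):
            m = RULE_RE.search(h_line)
            if m:
                rule = (m.group(1), m.group(2))
                break
        records.append({'txid': txid, 'client': client_ip, 'method': method,
                        'path': path, 'rule': rule, 'credentials': creds})
    return records


def password_guesses(records):
    """Group decoded password guesses by username, in the order they were seen."""
    guesses = {}
    for r in records:
        if r['credentials']:
            user, password = r['credentials']
            guesses.setdefault(user, []).append(password)
    return guesses


if __name__ == '__main__':
    recs = extract_attempts(SAMPLE_AUDIT_LOG)
    for r in recs:
        print(r)
    print(password_guesses(recs))
```

Pointing the script at a real audit log (one entry per transaction, as written by SecAuditLogType Serial) gives the per-username guess list directly; the third sample entry shows why the decoder must tolerate tokens that are not valid Base64 rather than assuming every scanner sends well-formed headers.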

Other HTTP requests contain other values: