
SANS ISC Using Our Data Feeds



Using DShield's Data Feeds

Be proactive. You can incorporate DShield summaries in your own web pages so your page can also display the "Current Most Active Port Scanning IP" or the "Current Most Scanned Port". Also see the Link Back page for DShield banner graphics.

This work is licensed under a Creative Commons Attribution-Noncommercial 3.0 United States License.

Use of data permitted with attribution: SANS Technology Institute, Internet Storm Center, https://isc.sans.edu (you may feel free to change the format of the attribution according to your guidelines).

How to do it

There are several methods you can choose from. The general idea is that you use some code that can read from one of the summary data files that we supply at http://feeds.dshield.org, parse the records into data fields and then display the data fields you choose surrounded by whatever explanatory text you want. See the sample code section, below.

Additional summary information can be pulled and parsed from:

"Live" Graphics

This graphic is updated once an hour with the latest top port scanner information. Use this code to display the above graphic. (But if you are a high traffic site, please download the graphic from a cron job once an hour.)

We are currently troubleshooting the graphic. Please check back soon.


Data files in http://feeds.dshield.org

The data files are tab delimited. They are ASCII files with each data record on a separate line. Each field is delimited with a TAB (ASCII 9) character. This makes it easy to separate the fields with a split command. See the sample code, below, for examples.

Field numbers start at 0.

Current Most Active Port Scanning IPs
http://feeds.dshield.org/top10-2.txt
(Same data as is used on DShield.org Top 10 Most Wanted.)

0 = IP Address
1 = Resolved domain of IP Address

Current Most Scanned Ports
http://feeds.dshield.org/topports.txt
(Same data as is used in DShield.org Top 10 Target Ports - temporarily unavailable.)

0 = Short Description
1 = Port that is accessed
2 = Protocol (TCP or UDP)
3 = Explanation
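
An added example, not part of the original page or DShield's own sample code: a Python parser for the two tab-delimited layouts above that drops malformed records and HTML-escapes every field before it is placed in a web page. The sample records, the function names and the tolerance for zero-padded octets are assumptions.

```python
import html

# Constructed sample records in the documented layouts (not real feed output).
SAMPLE_TOP10 = (
    "192.0.2.10\tscanner.example.net\n"
    "198.51.100.7\t<i>ptr</i>.example.net\n"  # markup in a reverse-DNS name
    "not-an-ip\tbroken.example.org\n"         # malformed field 0
)
SAMPLE_TOPPORTS = (
    "ssh\t22\tTCP\tSecure Shell\n"
    "bogus\t99999\tTCP\tport out of range\n"
)

def parse_records(text, min_fields):
    """Split tab-delimited text into field lists, dropping short lines."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) >= min_fields:
            yield fields

def normalize_ipv4(value):
    """Return a dotted quad or None. Zero-padded octets are accepted as an
    assumption; the page does not say how the feed formats addresses."""
    parts = value.split(".")
    if len(parts) != 4:
        return None
    if not all(p.isascii() and p.isdigit() and len(p) <= 3 for p in parts):
        return None
    octets = [int(p) for p in parts]
    return ".".join(map(str, octets)) if max(octets) <= 255 else None

def top_scanners(text):
    """Field 0 = IP address, field 1 = resolved domain."""
    rows = ((normalize_ipv4(f[0]), f[1]) for f in parse_records(text, 2))
    return [(ip, name) for ip, name in rows if ip is not None]

def top_ports(text):
    """Field 0 = description, 1 = port, 2 = protocol, 3 = explanation."""
    out = []
    for desc, port, proto, expl in (f[:4] for f in parse_records(text, 4)):
        valid_port = port.isascii() and port.isdigit() and 0 < int(port) <= 65535
        if valid_port and proto.upper() in ("TCP", "UDP"):
            out.append((desc, int(port), proto.upper(), expl))
    return out

def render_scanners(rows):
    """Build <li> items; every field is HTML-escaped because the resolved
    domain is whatever the address owner's DNS returns."""
    return "\n".join(
        "<li>{} ({})</li>".format(html.escape(ip), html.escape(name))
        for ip, name in rows)
```
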

RSS Format
http://feeds.dshield.org/news.xml

Summary data in .RSS format.


Sample PHP code

Additional information will be posted when available