This is a follow-on to last week's How to Submit Firewall Logs feature (https://isc.sans.edu/diary/ISC+Feature+of+the+Week+How+to+Submit+Firewall+Logs/12316). This week we detail how to access data with the DShield API and its components. Last week was the HOW, this week highlights the WHY you should setup a DShield log submission script.

Our API gives you a look at detail and summary data from the DShield system plus a few extras from ISC! In order to make accessing all this data easier, the API interface you can use manually or script. Be careful, repeated excessive access might get ya locked out so please use responsibly. :)

Overview
There are four(4) output formats (xml, json, text, php) available by adding ?[format] to the end of the API url. For example if you want plain text to parse in a script, you would add ?text like http://isc.sans.edu/api/handler?text

The main page lists all the functions, parameters and description https://isc.sans.edu/api/ Here's a quick list of what's currently available.

Functions
  1. backscatter - only includes "syn ack" data and is summarized by source port
  2. handler - current Handler of the Day
  3. infocon - current infocon level
  4. ip - summary info of a given IP
  5. port - summary info of a given port
  6. portdate - summary for a given port on a given date
  7. topports - summary info for top ports on a given date
  8. topips - summary info for top IPs on a given date
  9. porthistory - summary info per port for a given date range

As a bonus, Dr. J will be highlighting the API as part of this months ISC Threat Update at https://www.sans.org/webcasts/isc-threat-update-20120111-94999 (If you miss the live broadcast, you can watch the recording at a later time)

You can leave comments in the section below or send any questions or comments in the contact form isc.sans.edu/contact.html

--
Adam Swanger, Web Developer (GWEB)
Internet Storm Center (http://isc.sans.edu)