All I want this Tuesday: More Data
We are making more and more data available via our API. A couple of things were just added:
- A combined "Threatintel" feed that includes basic categories of notable IPs
- A list of subnets used by prominent cloud providers
First a few reminders about our API:
You may use data from our API for free. This includes use in commercial networks. We only ask you to talk to us about licensing if you are reselling the data as part of a product, for example if you include this data in your own data feeds and charge money for the feed.
At this point, we are not asking for any kind of authentication. We do minimal tracking and do not care who is downloading the data. However, we may block users who we feel abuse the data. We will try to contact you if you include contact information in your user agent, and it is possible that we will block certain "generic" user agents. It is best to customize the user agent somehow.
What I do ask for in exchange for using these feeds:
- Provide feedback. Let us know how you use these feeds, and please let us know about problems (see our contact page).
- Consider contributing data via our honeypot.
The use case I am envisioning for the data is to include it in a SIEM or other log monitoring product to add "color" to an IP address. It may be useful to know that the IP attacking you is just "yet another infected bot".
WE DO NOT RECOMMEND THE USE OF OUR DATA AS A SIMPLE BLOCK LIST
Our data includes false positives. I see that as a feature, as false positives are also something we continuously learn from, for example when it comes to DoS attacks or artifacts of firewalls blocking "odd" packets. Best case: if you are blocking based on our "Top 100" list, you are blocking a bunch of bots that scan for vulnerabilities you are hopefully not susceptible to. And if you are vulnerable to any of them, bots number 101 through 123183849 will still get you.
Our API offers data in different formats. Just add the format specifier to the URL, for example "?json" for JSON, which is probably now the preferred output format.
Back to the new data feeds I added:
"Intelfeed" https://isc.sans.edu/api/intelfeed
A lot of organizations like to ingest random feeds of "threatintel" data. This feed tries to extract some notable data from across our different collections. It includes port scanners detected by our DShield sensors, hosts scanning for web vulnerabilities and SSH brute force bots reported by our honeypots, and data from various other feeds we are collecting. A quick snippet:
    {
        "ip": "1.119.147.51",
        "description": "DShield Ports: 65529,16379,6379,22,1433"
    },
    {
        "ip": "1.119.195.58",
        "description": "dshieldssh"
    },
    {
        "ip": "1.160.6.79",
        "description": "talos"
    },
    {
        "ip": "5.11.11.10",
        "description": "tldns"
    },
- The first IP is a host scanning various ports, based on our DShield data (I only include hosts that hit several target IPs, to limit the size of the feed).
- The second IP scans for SSH servers.
- The third IP is included in the Talos IP blocklist.
- Finally, 5.11.11.10 is a name server for a top level domain (don't block these! ;-) )
The number of categories is likely going to increase.
Cloud IPs https://isc.sans.edu/api/cloudips
This is a simple feed listing prefixes used by major cloud providers. Right now, it includes AWS, Azure, Google and Oracle, with more to come. This one is pretty straightforward.
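As an added example (not the diary's own code), here is a Python sketch of the SIEM enrichment use case described above: it indexes the intelfeed by IP, matches the cloudips prefixes, and tags sample log lines with that context. The intelfeed sample mirrors the snippet above; the cloudips field names ("prefix", "provider"), the log format and the contact address are assumptions, and fetch() is only for live pulls, sending a descriptive User-Agent as the diary asks.

```python
import ipaddress
import json
import urllib.request

# Constructed sample of the intelfeed JSON, shaped like the snippet in the diary.
INTELFEED_SAMPLE = json.dumps([
    {"ip": "1.119.147.51", "description": "DShield Ports: 65529,16379,6379,22,1433"},
    {"ip": "1.119.195.58", "description": "dshieldssh"},
    {"ip": "1.160.6.79", "description": "talos"},
    {"ip": "5.11.11.10", "description": "tldns"},
])
# Constructed sample of the cloudips feed; the field names are an assumption, not
# the documented schema, so adjust them to what the live feed returns.
CLOUDIPS_SAMPLE = json.dumps([{"prefix": "203.0.113.0/24", "provider": "example-cloud"}])
# Constructed web-server log lines: "<src_ip> <method> <path>".
SAMPLE_LOG = [
    "1.119.195.58 POST /wp-login.php",
    "5.11.11.10 GET /",
    "203.0.113.7 GET /index.html",
    "198.51.100.9 GET /robots.txt",
]

def fetch(url, user_agent="my-siem-enrichment/1.0 (contact: secops@example.org)"):
    """Fetch a feed for live use, with a descriptive User-Agent as the diary asks."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")

def build_index(intel_json, cloud_json):
    """Index intelfeed entries by IP (an IP may appear in several categories)
    and parse cloud prefixes into networks for containment checks."""
    intel = {}
    for entry in json.loads(intel_json):
        intel.setdefault(entry["ip"], []).append(entry["description"])
    clouds = [(ipaddress.ip_network(e["prefix"]), e["provider"])
              for e in json.loads(cloud_json)]
    return intel, clouds

def enrich(ip, intel, clouds):
    """Return context tags for one IP: feed categories plus any cloud provider.
    Tags are context for an analyst, not a verdict; "tldns" marks a TLD name server."""
    tags = list(intel.get(ip, []))
    addr = ipaddress.ip_address(ip)
    tags.extend(f"cloud:{name}" for net, name in clouds if addr in net)
    return tags

def enrich_log(lines, intel, clouds):
    """Pair each log line with the tags for its source IP (first field)."""
    return [(line, enrich(line.split()[0], intel, clouds)) for line in lines]
```

For live data, pass fetch("https://isc.sans.edu/api/intelfeed?json") and the cloudips URL into build_index() in place of the constructed samples.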
These feeds are only as good as you make them. Feedback is very welcome. Please use our Contact Page for feedback.
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute