[SANS ISC] Updates to Our Datafeeds/API, (Thu, Sep 9th)

Most of the data we are collecting is freely available via our API. For quick documentation, see https://isc.sans.edu/api. One particular popular feed is our list of “Researcher IPs.” These are IP addresses connected to commercial and academic projects that scan the internet. These scans can account for a large percentage of your unsolicited inbound activity. One use of this feed is to add “color to your logs” by enriching your log data from this feed. 

The simplest way to get the feed is via https://isc.sans.edu/api/threatcategory/research. By default, you will receive XML formatted data. But add “?json” to the URL for JSON or “?tab” for a tab-delimited plain text file. Other options are available (see the page I linked to above).

You may also explore the feeds at https://isc.sans.edu/threatmap.html

Currently, the feed lists almost 6,000 IP addresses. But many of them are from specific networks, and you may be able to aggregate them (and aggregated feed is coming…).

Another feed that we are experimenting with is a feed of newly registered domains. Sadly, not all top-level domains make the data available (in particular country domains often don’t). You can retrieve this feed via 

https://isc.sans.edu/recentdomains (you can also add a date to look for new domains from a specific day. For example, https://isc.sans.edu/api/recentdomains/2021-02-01 ). This feed is experimental, and performance may be slow at times. 

Probably the best “enrichment” feed we have is our “Intelfeed.” For each IP address, you will see labels associated with that IP address.


I need to document the labels better (maybe later today. Watch http://isc.sans.edu/api for an update)

How to Use These Data Feeds Responsibly

First of all, be gentle on our servers. I recommend you pull the data once or twice a day. The data should not change more than once a day. Download the entire data and import it into your local database for lookups of individual IPs.

Please use a custom user agent that includes contact information. We do not require authentication to use any of the data (considering it for the future…), but we need to get a hold of you in case your requests cause a problem. Otherwise, you may find yourself blocked. We do block some standard python user agents for that reason (for people who do not read manuals 🙁 ). 

Do not use the data as a blocklist. The data is provided on a “best-effort” basis. It may, for example, include IP addresses of cloud proxies like Cloudflare, and you may block specific IPs. I don’t want my phone to ring off the hook again because some federal agency decides to block IPs based on our data just ahead of a big filing deadline, and users cannot connect to their site.

You may use the data to protect your own network, commercial or not. But you may not resell it (don’t resell something you didn’t pay for 🙂 ).

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

Daily NCSC-FI news followup 2020-10-23

Inhimillinen virhe, haittaohjelma vai jotakin muuta? Kysyimme asiantuntijalta, miten Vastaamon järkyttävä tietomurto oli mahdollinen yle.fi/uutiset/3-11611051 Vuodon taustalla voi olla inhimillinen virhe ylläpidossa, joka on mahdollistanut tietomurron. Silloin järjestelmän ylläpitäjä olisi esimerkiksi paljastanut järjestelmästä sellaisia osia, joiden avulla hyökkääjä on voinut ohittaa suojauksia. Se ei kuitenkaan ole ainoa vaihtoehto, Liikenne- ja viestintäviraston Kyberturvallisuuskeskuksen erityisasiantuntija Perttu Halonen […]

Read More

[SecurityWeek] Combating the Surge in Retail Theft and E-Commerce Fraud With Open Source Intelligence

All posts, Security Week

Retailers have recently experienced a significant increase in the theft of goods from their physical locations. read more Source: Read More (SecurityWeek RSS Feed)

Read More

Daily NCSC-FI news followup 2021-08-21

Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May […]

Read More

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.