
SANS ISC InfoSec Handlers Diary Blog



ISC Feature of the Week: SSH Scan Reports

Published: 2012-11-29
Last Updated: 2012-11-29 21:29:17 UTC
by Adam Swanger (Version: 1)
2 comment(s)

Overview
Our feature this week introduces Dr. Ullrich's newest system addition, which addresses widespread reports of SSH scans. We keep receiving reports from readers about these scans, and this system was set up to get a better handle on them. It collects logs that you submit via a special API URL: http://isc.sans.edu/sshreports.html. Reporting will be released as soon as enough information has been collected.

Features

  • Reports are "POST"ed to https://isc.sans.edu/api/sshreports
  • Parameters are userid, authkey and data (tab-delimited log data)
  • An XML status of OK is returned on successful submission
    • The endpoint only accepts data. Validation and processing are done at a later time


There is currently a Perl script to collect data from the "kippo" honeypot, available at https://isc.sans.edu/kipposcript.pl
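To show how the three parameters fit together, here is an added Python sketch (not the ISC Perl script and not code from this diary) that turns kippo login-attempt lines into tab-delimited rows and builds the POST without sending it. The column order, the sample log lines and the `userid`/`authkey` values are assumptions made for illustration; the diary does not specify the column layout.

```python
import re
import urllib.parse
import urllib.request

API_URL = "https://isc.sans.edu/api/sshreports"  # endpoint named in the diary

# Kippo auth line: timestamp, [...,session,source-ip], "login attempt [user/pass] result"
LOGIN_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\S* "
    r"\[SSHService ssh-userauth on HoneyPotTransport,\d+,([0-9a-fA-F.:]+)\] "
    r"login attempt \[(.*?)/(.*)\] (?:succeeded|failed)$"
)

def clean(field):
    """Replace tabs, newlines and other control characters so a
    scanner-chosen username or password cannot break the row layout."""
    return re.sub(r"[\x00-\x1f\x7f]", "?", field)

def to_rows(log_lines):
    """Return one tab-delimited row per login attempt.
    ASSUMED column order: timestamp, source IP, username, password."""
    rows = []
    for line in log_lines:
        m = LOGIN_RE.match(line.rstrip("\n"))
        if m:
            rows.append("\t".join(clean(g) for g in m.groups()))
    return rows

def build_request(userid, authkey, rows):
    """Build (but do not send) the POST with the three documented parameters."""
    body = urllib.parse.urlencode(
        {"userid": userid, "authkey": authkey, "data": "\n".join(rows)}
    ).encode("ascii")
    return urllib.request.Request(API_URL, data=body, method="POST")

# Constructed sample log lines (documentation address range, made-up credentials).
SAMPLE_LOG = [
    "2012-11-29 20:01:02+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.5] login attempt [root/123456] failed",
    "2012-11-29 20:01:03+0000 [HoneyPotTransport,12,203.0.113.5] connection lost",
    "2012-11-29 20:01:09+0000 [SSHService ssh-userauth on HoneyPotTransport,13,203.0.113.5] login attempt [admin/pa\tss] failed",
]

if __name__ == "__main__":
    req = build_request("0000", "EXAMPLE-KEY", to_rows(SAMPLE_LOG))  # placeholder credentials
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Passing the returned request to `urllib.request.urlopen` would submit it; per the list above, a successful submission returns an XML status of OK.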

Post suggestions or comments in the section below, or send us any questions or comments via the contact form at https://isc.sans.edu/contact.html#contact-form
--
Adam Swanger, Web Developer (GWEB, GWAPT)
Internet Storm Center https://isc.sans.edu

Keywords: ISC feature