We keep receiving reports from readers about widespread ssh scans. To get a better handle on these scans, we set up a system to collect logs from them. Currently, we have a perl script that will collect data from the "kippo" honeypot, an excellent tool to collect data about ssh scans. You may however submit logs from other tools as long as you do so in the correct format. The logs are posted to a special API URL, "https://isc.sans.edu/api/sshreports". The API is available via http for testing, but we highly recommend the use of https, as you will have to submit your credentials with your report.

Log Format

As mentioned, the report is "POST"ed to the URL above. The following parameters are required:

  • userid: Your numeric DShield userid. The "Report Parameter" section of the "My Information" page lists the userid.
  • authkey: The authentication key, also found on the "My Information" page.
  • data: The tab delimited log data. Each line includes:
    date<tab>time<tab>timezone offset<tab>source IP<tab>username<tab>password
    Sample:
    2012-11-25 02:04:27 +0000 220.165.28.66 root t3Rr!_
If the submission is accepted, you will get the following XML response:

    <?xml version="1.0" encoding="UTF-8"?>
    <sshpost>
    <status>ok</status><userid>12345</userid>
    </sshpost>

Note that submissions are imported into our database once an hour. At that time, the authentication key is verified. The response above only indicates that your submission included a correctly formatted userid field and an authentication key.
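The following Python script is an added example and is not the ISC perl script; it shows the same submission flow end to end: turning login attempts into the tab-delimited lines required above, validating them, encoding the three required POST parameters for the API URL, and parsing the XML reply. The kippo log line layout it parses is an assumption (the page does not describe kippo's own format), the sample log lines and the authkey value are constructed, and a submission only means "well formed" until the hourly import checks the key.

```python
"""Build, validate and submit an ISC DShield SSH report.

Added example, not the ISC perl script. Assumes the POST parameters and the
tab-delimited line layout documented above; the kippo log format is assumed.
"""
import ipaddress
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime

API_URL = "https://isc.sans.edu/api/sshreports"  # credentials travel in the body: use https

# Required layout: date<tab>time<tab>tz offset<tab>source IP<tab>username<tab>password
_DATE, _TIME, _TZ = r"\d{4}-\d{2}-\d{2}", r"\d{2}:\d{2}:\d{2}", r"[+-]\d{4}"
LINE_RE = re.compile(rf"^{_DATE}\t{_TIME}\t{_TZ}\t([^\t]+)\t([^\t\r\n]*)\t([^\t\r\n]*)$")

# ASSUMED kippo log line layout (not stated on the page), e.g.
# 2012-11-25 02:04:27+0000 [SSHService ssh-userauth on HoneyPotTransport,12,1.2.3.4] login attempt [root/pw] failed
KIPPO_RE = re.compile(
    rf"^({_DATE}) ({_TIME})({_TZ}) \[[^\]]*,([0-9a-fA-F.:]+)\] login attempt \[([^/]*)/(.*)\] (failed|succeeded)$"
)


def format_record(when, src_ip, username, password):
    """Render one login attempt as a report line; `when` must be timezone-aware."""
    if when.tzinfo is None:
        raise ValueError("timestamp needs a UTC offset for the timezone field")
    ipaddress.ip_address(src_ip)  # raises ValueError instead of shipping garbage
    for value in (username, password):
        if any(c in value for c in "\t\r\n"):
            # The format defines no escaping, so such a record cannot be represented.
            raise ValueError("tab or newline inside a credential field")
    return "\t".join([when.strftime("%Y-%m-%d"), when.strftime("%H:%M:%S"),
                      when.strftime("%z"), src_ip, username, password])


def parse_kippo_line(line):
    """Convert an assumed-format kippo line to a report line; None if not a login attempt."""
    m = KIPPO_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    date, time_, tz, src_ip, user, pw, _outcome = m.groups()
    when = datetime.strptime(f"{date} {time_}{tz}", "%Y-%m-%d %H:%M:%S%z")
    return format_record(when, src_ip, user, pw)


def validate_lines(lines):
    """Return the lines that do not match the required layout (empty list = all good)."""
    return [l for l in lines if not LINE_RE.match(l)]


def build_post_body(userid, authkey, lines):
    """URL-encode the three required POST parameters; refuses malformed input."""
    if not str(userid).isdigit():
        raise ValueError("userid must be the numeric DShield userid")
    bad = validate_lines(lines)
    if bad:
        raise ValueError(f"malformed report line(s): {bad[:3]}")
    return urllib.parse.urlencode(
        {"userid": str(userid), "authkey": authkey, "data": "\n".join(lines)}
    ).encode("utf-8")


def parse_response(xml_doc):
    """Parse the <sshpost> reply into (status, userid).

    "ok" only means the userid and authkey fields were well formed; the key is
    verified at the hourly import, so keep the submitted data until then.
    """
    if isinstance(xml_doc, str):
        xml_doc = xml_doc.encode("utf-8")
    root = ET.fromstring(xml_doc)
    if root.tag != "sshpost":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return root.findtext("status"), root.findtext("userid")


def submit(userid, authkey, lines, url=API_URL):
    """POST the report and return the parsed reply (network call; not exercised below)."""
    if not url.startswith("https://"):
        raise ValueError("refusing to send credentials over plaintext http")
    req = urllib.request.Request(url, data=build_post_body(userid, authkey, lines), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_response(resp.read())


SAMPLE_KIPPO = [  # constructed lines, not real traffic
    "2012-11-25 02:04:27+0000 [SSHService ssh-userauth on HoneyPotTransport,12,220.165.28.66] login attempt [root/t3Rr!_] failed",
    "2012-11-25 02:04:31+0000 [SSHService ssh-userauth on HoneyPotTransport,12,220.165.28.66] login attempt [admin/admin] failed",
    "2012-11-25 02:05:00+0000 [HoneyPotTransport,12,220.165.28.66] connection lost",
]
SAMPLE_RESPONSE = '<?xml version="1.0" encoding="UTF-8"?>\n<sshpost>\n<status>ok</status><userid>12345</userid>\n</sshpost>\n'

if __name__ == "__main__":
    report_lines = [r for r in map(parse_kippo_line, SAMPLE_KIPPO) if r]
    print(build_post_body(12345, "AUTHKEY-PLACEHOLDER", report_lines).decode())
    print(parse_response(SAMPLE_RESPONSE))
```

The validation step matters because a single password containing a tab would shift every later field of that record; since the format has no escaping rule, the script rejects such a record rather than guessing. Replace the placeholder authkey with your own before calling submit().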

    Example perl script to submit kippo logs