Using Our Data Feeds - SANS Internet Storm Center

Handler on Duty: Johannes Ullrich

Threat Level: green

Using DShield's Data Feeds

Use of data premitted with attribution: SANS Technology Institute, Internet Storm Center, https://isc.sans.edu (you may feel free to change the format of the attribution according to your guidelines). Do not resell the data. Other commercial uses are allowed. For more details, send an email to handlers at isc.sans.edu.

More granular data is available via our API. But whenever possible, these static feeds should be used. Avoid downloading the data more than once an hour.

Top of page

Top IP Addresses

https://feeds.dshield.org/feeds/topips.txt: Top 100 IP addresses and hostnames.
https://feeds.dshield.org/feeds/top10.txt: Just IPs. No hostnames
https://feeds.dshield.org/feeds/block.txt: Top 20 most active networks
https://feeds.dshield.org/feeds/daily_sources: Daily summary of all source IPs

Top Ports

https://feeds.dshield.org/feeds//topports.txt: Top 10 Ports (from firewall logs)
https://feeds.dshield.org/feeds//topports_source.txt: Top 10 Ports sorted by number of source IPs scanning(from firewall logs)
https://feeds.dshield.org/feeds//topports_reports.txt: Top 10 Ports sorted by number of reports received (from firewall logs)
https://feeds.dshield.org/feeds//topports_targets.txt: Top 10 Ports sorted by number of target IPs reporting (from firewall logs)

SSH Logs

Each day, a file is created summarizing the activity of the day before. See https://feeds.dshield.org/feeds/ssh_daily_2025-03-21 (date in YYYY-MM-DD format)
The data includes the source IP addresses, usernames, and passwords.

Web Honeypot Data

These feeds are updated once a day. URLs are reproduced "AS IS" and not encoded.

https://isc.sans.edu/feeds/urlsummary.txt: URL Summary. All URLs seen, when they were first and last seen and how often.
https://isc.sans.edu/feeds/urlcategories.txt: URL Category Summary. All URLs for which we assign a category/type (= more vulnerability information)

Threatintel feeds

We make a dump of our database available that includes all the labels we associate with an IP address.
https://feeds.dshield.org/feeds/ipthreatintel.txt.