
SANS ISC: How to contribute your data to DShield / ISC - SANS Internet Storm Center SANS ISC InfoSec Forums

How to contribute your data to DShield / ISC
The Internet Storm Center relies heavily on firewall data to obtain an accurate measure of current Internet threats. It is particularly important to collect data from very diverse submitters, not just from a few large submitters. If you are not already submitting data, here are a few tips on how to get started:

First of all: No submitter is too small. In particular cable modem / DSL user data is frequently the most interesting. We can always use more home users submitting data.

If you are able to submit from a large network, try to pick a few IP addresses and only send data from these IP addresses (e.g. a /24). A simple 'grep' may be all that's needed to filter the data, and our prewritten clients can help you with that.

We are interested in rejected packets from the outermost firewall you have access to. All rejected packets that originate from outside of your network are of interest.

We do accept logs via e-mail. It is recommended that you submit your logs about once an hour, but not less than once a day. We do provide a number of scripts to automate the process.

The best reference to get you started is As a quick summary:
  • Windows Users
The most popular script for Windows users is 'cvtwin'. This little taskbar application can collect logs from many sources. It also supports the Kiwi syslog daemon if you are using an appliance which sends logs via SNMP.
  • Unix Users
For Unix users, we do have a little Perl script "". This script parses your log (e.g. from /var/log/messages) and can be configured to filter and anonymize records. It comes with a number of "parser functions" for different log formats.
  • Others
We started to support a few appliances which are able to send logs via e-mail directly. Please see the howto page for details. This part is still experimental.
You may also write your own script. Our format is a very simple tab delimited text file. For details, see
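
One way to apply the filtering described above before submitting, as an added example (not the DShield client or any ISC code): it keeps only rejected packets that originate outside the network and target a chosen /24, masks the target address, and writes tab-delimited rows. The iptables-style log layout, the networks, the masking scheme and the column order are assumptions for illustration; the actual submission format is defined by the ISC reference, not by this sketch.

```python
import ipaddress
import re

# Assumed values, not from the original page.
LOCAL_NET = ipaddress.ip_network("172.20.0.0/16")    # the whole (large) site
REPORT_NET = ipaddress.ip_network("172.20.30.0/24")  # the /24 picked for submission

# Constructed sample log lines (iptables-style LOG output with a REJECT prefix).
SAMPLE_LOG = """\
Sep 18 10:15:01 fw kernel: REJECT IN=eth0 SRC=203.0.113.9 DST=172.20.30.5 PROTO=TCP SPT=40112 DPT=445
Sep 18 10:15:02 fw kernel: REJECT IN=eth0 SRC=203.0.113.9 DST=172.20.99.7 PROTO=TCP SPT=40113 DPT=445
Sep 18 10:15:03 fw kernel: REJECT IN=eth1 SRC=172.20.4.8 DST=172.20.30.5 PROTO=UDP SPT=5353 DPT=5353
Sep 18 10:15:04 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.77 DST=172.20.30.6 PROTO=TCP SPT=51000 DPT=443
Sep 18 10:15:05 fw kernel: REJECT IN=eth0 SRC=192.0.2.77 DST=172.20.30.200 PROTO=UDP SPT=33000 DPT=1434
Sep 18 10:15:06 fw kernel: REJECT IN=eth0 SRC=not-an-ip DST=172.20.30.5 PROTO=TCP
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def anonymize(addr):
    """Illustrative masking: replace the first octet of the target with 10."""
    return "10." + str(addr).split(".", 1)[1]


def filter_rejects(lines):
    """Return tab-delimited rows for externally sourced rejects into REPORT_NET."""
    rows = []
    for line in lines:
        if "REJECT" not in line:          # only rejected packets are of interest
            continue
        f = dict(FIELD.findall(line))
        try:
            src = ipaddress.IPv4Address(f["SRC"])
            dst = ipaddress.IPv4Address(f["DST"])
        except (KeyError, ValueError):    # malformed or incomplete record
            continue
        if src in LOCAL_NET or dst not in REPORT_NET:
            continue                      # internal source, or outside the chosen /24
        # Assumed column order: time, source IP, source port, target IP, target port, protocol
        rows.append("\t".join([line[:15], str(src), f.get("SPT", "0"),
                               anonymize(dst), f.get("DPT", "0"), f.get("PROTO", "?")]))
    return rows


if __name__ == "__main__":
    print("\n".join(filter_rejects(SAMPLE_LOG.splitlines())))
```
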

We do provide a number of customized analysis features for submitters, which are accessible via For a Demo, see our demo-account.


ISC Handler
Sep 18th 2005
