Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: ISC Feature of the Week: Internet Storm Center / DShield API - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
ISC Feature of the Week: Internet Storm Center / DShield API

This is a follow-on to last week's How to Submit Firewall Logs feature (https://isc.sans.edu/diary/ISC+Feature+of+the+Week+How+to+Submit+Firewall+Logs/12316). This week we detail how to access data with the DShield API and its components. Last week was the HOW, this week highlights the WHY you should setup a DShield log submission script.

Our API gives you a look at detail and summary data from the DShield system plus a few extras from ISC! In order to make accessing all this data easier, the API interface you can use manually or script. Be careful, repeated excessive access might get ya locked out so please use responsibly. :)

Overview
There are four(4) output formats (xml, json, text, php) available by adding ?[format] to the end of the API url. For example if you want plain text to parse in a script, you would add ?text like http://isc.sans.edu/api/handler?text

The main page lists all the functions, parameters and description https://isc.sans.edu/api/ Here's a quick list of what's currently available.

Functions
  1. backscatter - only includes "syn ack" data and is summarized by source port
  2. handler - current Handler of the Day
  3. infocon - current infocon level
  4. ip - summary info of a given IP
  5. port - summary info of a given port
  6. portdate - summary for a given port on a given date
  7. topports - summary info for top ports on a given date
  8. topips - summary info for top IPs on a given date
  9. porthistory - summary info per port for a given date range

As a bonus, Dr. J will be highlighting the API as part of this months ISC Threat Update at https://www.sans.org/webcasts/isc-threat-update-20120111-94999 (If you miss the live broadcast, you can watch the recording at a later time)


You can leave comments in the section below or send any questions or comments in the contact form isc.sans.edu/contact.html

--
Adam Swanger, Web Developer (GWEB)
Internet Storm Center (http://isc.sans.edu)

AdamS

86 Posts
If you use CIF (http://code.google.com/p/collective-intelligence-framework/) than the Dshield lists will be automatically available along with dozens of other blacklists via your local CIF's API. That's a big deal, because with one query, your scripts and devices can check unlimited blacklists at the same time, including custom internal ones you build yourself.
Anonymous

Sign Up for Free or Log In to start participating in the conversation!