ISC Feature of the Week: SSH Scan Reports
Overview
Our feature this week introduces Dr. Ullrich's newest system addition, which addresses the widespread SSH scans that readers keep reporting. The system was set up to get a better handle on these scans, and it collects logs you submit via a special API URL. Details are at http://isc.sans.edu/sshreports.html. Reporting will be released as soon as enough information has been collected.
Features
- Reports are "POST"ed to https://isc.sans.edu/api/sshreports
- Parameters are userid, authkey, data (tab-delimited log data)
- XML status OK returned on successful submission
- This only accepts data. Validation and processing are done at a later time
There is currently a Perl script, available at https://isc.sans.edu/kipposcript.pl, that collects data from the "kippo" honeypot.
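As an added example (not ISC's code and not the kippo script), the Python below turns sshd failed-login lines into tab-delimited rows and builds the POST described in the feature list. The page gives only the URL and the three parameter names; the column order (timestamp, source IP, username), one record per line, the sample log and the credentials are assumptions constructed here.

```python
import re
import urllib.parse
import urllib.request

API_URL = "https://isc.sans.edu/api/sshreports"  # endpoint given on the page

# Constructed sample sshd lines (documentation IPs); line 4 has a tab in the username.
SAMPLE_LOG = """\
Nov 30 10:15:01 host sshd[2211]: Failed password for root from 192.0.2.10 port 40022 ssh2
Nov 30 10:15:03 host sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 40025 ssh2
Nov 30 10:15:09 host sshd[2250]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Nov 30 10:16:44 host sshd[2301]: Failed password for invalid user a\tb from 203.0.113.5 port 2222 ssh2
"""

# The username is chosen by the remote side, so match it greedily and anchor on
# the final " from <ip> port <n> ssh2": a fake " from ..." inside it cannot win.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def clean(field):
    """Replace tabs/newlines so a hostile field cannot shift or split columns."""
    return re.sub(r"[\t\r\n]", " ", field)

def to_rows(log_text):
    """Return one tab-delimited row per failed password attempt."""
    rows = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # Assumed column order: timestamp, source IP, username.
            rows.append("\t".join(clean(m.group(k)) for k in ("ts", "ip", "user")))
    return rows

def build_request(userid, authkey, rows):
    """Build (but do not send) the form-encoded POST with the page's parameters."""
    body = urllib.parse.urlencode(
        {"userid": userid, "authkey": authkey, "data": "\n".join(rows)}
    ).encode("ascii")
    return urllib.request.Request(API_URL, data=body, method="POST")

if __name__ == "__main__":
    req = build_request("12345", "PLACEHOLDER_AUTHKEY", to_rows(SAMPLE_LOG))
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # To submit: urllib.request.urlopen(req, timeout=10), then check for the XML OK status.
```

Check the kippo script linked above for the column layout the collector actually expects before submitting real data.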
Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form
--
Adam Swanger, Web Developer (GWEB, GWAPT)
Internet Storm Center https://isc.sans.edu
Comments
I have it configured for 1 try and 10 minute ban.
PaulOutBox
Nov 30th 2012
1 decade ago
Dr. J.
Nov 30th 2012
1 decade ago