Some new Data Feeds, and a little "incident".
Our API (https://isc.sans.edu/api) continues to be quite popular. One query we see a lot is the lookup of individual IP addresses. Running many such queries as you go through a log may get you locked out by our rate limit. To help with that, we now offer additional "summary feeds" that include all data recently received. You may download these feeds and import them into your database of choice (or just grep the text file for records). This makes bulk lookups a lot easier and faster, and it avoids the rate limit entirely.
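As an added example (not code from ISC or this diary), here is the "download once, look up locally" workflow in Python: a downloaded feed is parsed into a dictionary, IP addresses are pulled out of log lines, and every match is reported without a single API call. The feed column layout used here (ip, first_seen, last_seen, reports, targets) and the log lines are constructed for the example; the real column layout is the one documented at https://isc.sans.edu/feeds_doc.html, so adjust parse_feed accordingly.

```python
import ipaddress
import re

# Constructed sample of a downloaded summary feed. The tab-separated column
# layout (ip, first_seen, last_seen, reports, targets) is an ASSUMPTION for
# this example; use the layout from https://isc.sans.edu/feeds_doc.html.
SAMPLE_FEED = """\
# ip\tfirst_seen\tlast_seen\treports\ttargets
192.0.2.10\t2024-01-03\t2024-01-10\t1532\t212
198.51.100.7\t2024-01-09\t2024-01-10\t44\t9
203.0.113.55\t2023-12-20\t2024-01-08\t9801\t640
"""

# Constructed sshd log lines using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Jan 10 03:14:07 host sshd[2211]: Failed password for root from 192.0.2.10 port 51022 ssh2
Jan 10 03:14:09 host sshd[2213]: Failed password for invalid user admin from 203.0.113.55 port 40211 ssh2
Jan 10 03:15:00 host sshd[2219]: Accepted publickey for ops from 192.0.2.200 port 33012 ssh2
Jan 10 03:16:41 host sshd[2230]: Failed password for root from 192.0.2.10 port 51099 ssh2
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_feed(text):
    """Parse a tab-separated feed into {ip: record}.

    Comment lines are skipped; malformed lines and invalid addresses are
    skipped rather than aborting the whole import.
    """
    records = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        ip, first_seen, last_seen, reports, targets = parts
        try:
            key = str(ipaddress.ip_address(ip))  # normalises and validates
            records[key] = {
                "first_seen": first_seen,
                "last_seen": last_seen,
                "reports": int(reports),
                "targets": int(targets),
            }
        except ValueError:
            continue
    return records


def extract_ips(log_text):
    """Return the set of syntactically valid IPv4 addresses found in the log."""
    ips = set()
    for m in IPV4_RE.finditer(log_text):
        try:
            ips.add(str(ipaddress.ip_address(m.group(0))))
        except ValueError:  # e.g. 999.1.1.1 matched the regex but is not an IP
            pass
    return ips


def bulk_lookup(log_text, feed_records):
    """Return {ip: record} for every log IP present in the local feed.

    Everything happens against the local copy, so there are no API calls
    and therefore no rate limit to hit.
    """
    return {ip: feed_records[ip] for ip in extract_ips(log_text) if ip in feed_records}


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    for ip, rec in sorted(bulk_lookup(SAMPLE_LOG, feed).items()):
        print(f"{ip}: {rec['reports']} reports from {rec['targets']} targets, "
              f"last seen {rec['last_seen']}")
```

For a real run, replace SAMPLE_FEED with the contents of the downloaded feed file and SAMPLE_LOG with your auth log; the lookup stays a dictionary hit, so a log with a million lines costs the same as one with ten.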
For more details and continuing updates, see https://isc.sans.edu/feeds_doc.html
I will gladly add more feeds as needed. Please let me know via our contact page if you run into errors.
We do often get requests for commercial use of our data. Our data is published under a "Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International" license. You may use the data if you attribute it to us and do not resell it. We are okay with you using the data in a SOC at a commercial enterprise to help you defend your organization.
If you find it helpful, let us know. Tell us what works and what does not. The simplest way to help us out is to run one of our honeypots and tell us what works or doesn't work with it. Please do not ask us to remove data because you consider it a false positive. False positives are part of the game, and while we will gladly add comments to some of the data, we do not remove data, as doing so may distort the data set for other research tasks.
But enough about data feeds. Today, we also had a recurrence of an attack I hadn't seen in a while. This "incident" started with some of our handlers receiving a request to update a link in an older podcast:
The e-mail looked reasonable at first, and we do not mind corrections. URLs change. But in this case, it turned out to be a fake request. The e-mail did not originate from EFF. Granted, organizations sometimes use marketing firms, and those firms may not be competent enough to send from the customer's e-mail domain, so a mismatched sender alone is not conclusive. But this was certainly a fake update request: the original URL still works. It just redirects to another page at EFF.org. The "academized.com" page, as far as I can tell, is not related to EFF at all. Its content matches the EFF page, but it belongs to an "Essay Writing Service", a type of business that we, as part of a reputable academic institution, do not want to link to. These businesses are hurting these days because AI tools do a better and cheaper job. In the past, paper writing services have also often used comment spam to advertise.
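The two checks that exposed this request (the original URL still resolves, and the proposed replacement moves the link to an unrelated domain) are mechanical enough to script. The following is an added example written for this diary entry, not an ISC tool. The URLs and the sender address in the demo are constructed placeholders, and the "last two labels" registrable-domain heuristic is a simplification that a real deployment should replace with a public-suffix-list lookup. The sender-domain mismatch is reported as a warning rather than a hard rejection, for the marketing-firm reason given above.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def registrable_domain(host):
    """Crude registrable-domain heuristic: keep the last two labels.

    Adequate to tell eff.org from academized.com; production code should
    use a public-suffix list (co.uk and friends break this heuristic).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def resolve_final_url(url, timeout=10):
    """Follow redirects with a HEAD request and return the final URL.

    Returns None when the original no longer resolves (4xx/5xx, DNS or
    connection failure), which is the only situation in which a link
    update request has any merit.
    """
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "link-update-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.geturl()
    except (urllib.error.URLError, ValueError):
        return None


def assess_link_update(original_url, proposed_url, sender_email,
                       resolver=resolve_final_url):
    """Triage a 'please update your link' request.

    Returns (accept, hard_reasons, warnings). The request is accepted only
    when the original is really dead and the replacement stays on the same
    registrable domain. A sender from another domain is a warning only.
    The resolver is injectable so the logic can be exercised offline.
    """
    hard, warnings = [], []
    orig_domain = registrable_domain(urlsplit(original_url).hostname or "")
    new_domain = registrable_domain(urlsplit(proposed_url).hostname or "")
    sender_domain = registrable_domain(sender_email.rpartition("@")[2])

    final = resolver(original_url)
    if final is not None:
        final_domain = registrable_domain(urlsplit(final).hostname or "")
        hard.append(f"original URL still resolves (ends up on {final_domain}); nothing to fix")
    if new_domain != orig_domain:
        hard.append(f"replacement moves the link off {orig_domain} to {new_domain}")
    if sender_domain != orig_domain:
        warnings.append(f"sender domain {sender_domain} is not {orig_domain}")
    return (not hard, hard, warnings)


# Constructed offline resolver standing in for resolve_final_url; the URLs
# are placeholders, not the ones from the actual e-mail.
DEMO_RESOLUTIONS = {
    "https://www.eff.org/old-page": "https://www.eff.org/new-page",  # still alive, redirects
    # "https://www.eff.org/gone" is absent on purpose: it represents a dead link
}


def demo_resolver(url):
    return DEMO_RESOLUTIONS.get(url)


if __name__ == "__main__":
    cases = [
        ("https://www.eff.org/old-page", "https://academized.com/some-page", "outreach@example.com"),
        ("https://www.eff.org/gone", "https://www.eff.org/moved", "web@eff.org"),
    ]
    for original, proposed, sender in cases:
        accept, hard, warn = assess_link_update(original, proposed, sender, resolver=demo_resolver)
        print("ACCEPT" if accept else "REJECT", original, "->", proposed)
        for r in hard:
            print("  reason:", r)
        for w in warn:
            print("  warning:", w)
```

Run against live URLs by dropping the resolver argument; for mail triage, the hard reasons are what you quote back to the sender, and the warning is the cue to look at the headers more closely.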
---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu