Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: ISC Feature of the Week: Internet Storm Center / DShield API - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
ISC Feature of the Week: Internet Storm Center / DShield API

This is a follow-on to last week's How to Submit Firewall Logs feature ( This week we detail how to access data with the DShield API and its components. Last week was the HOW, this week highlights the WHY you should setup a DShield log submission script.

Our API gives you a look at detail and summary data from the DShield system plus a few extras from ISC! In order to make accessing all this data easier, the API interface you can use manually or script. Be careful, repeated excessive access might get ya locked out so please use responsibly. :)

There are four(4) output formats (xml, json, text, php) available by adding ?[format] to the end of the API url. For example if you want plain text to parse in a script, you would add ?text like

The main page lists all the functions, parameters and description Here's a quick list of what's currently available.

  1. backscatter - only includes "syn ack" data and is summarized by source port
  2. handler - current Handler of the Day
  3. infocon - current infocon level
  4. ip - summary info of a given IP
  5. port - summary info of a given port
  6. portdate - summary for a given port on a given date
  7. topports - summary info for top ports on a given date
  8. topips - summary info for top IPs on a given date
  9. porthistory - summary info per port for a given date range

As a bonus, Dr. J will be highlighting the API as part of this months ISC Threat Update at (If you miss the live broadcast, you can watch the recording at a later time)

You can leave comments in the section below or send any questions or comments in the contact form

Adam Swanger, Web Developer (GWEB)
Internet Storm Center (


86 Posts
Jan 11th 2012
If you use CIF ( than the Dshield lists will be automatically available along with dozens of other blacklists via your local CIF's API. That's a big deal, because with one query, your scripts and devices can check unlimited blacklists at the same time, including custom internal ones you build yourself.

Sign Up for Free or Log In to start participating in the conversation!