
SANS ISC: Updated Daily Sources Feed - SANS Internet Storm Center SANS ISC InfoSec Forums

Updated Daily Sources Feed

I updated and cleaned up our "daily sources" feed a bit. This feed is created around 4am GMT daily, and includes a summary of all the source IPs for which we received reports the prior day.

You can retrieve the feed at http[s]://

The link is not clickable for a reason: it's 70 MBytes (varies from day to day, of course). I recommend a tool like curl/wget to download it once a day. It's usually created around 4am GMT, so pull it at 4:30-5:30am GMT to get it "fresh and warm".

It's a plain tab-delimited ASCII file. Comments (e.g. header/footer) are indicated by a '#' as the first character. The columns are:

- IP Address (we use our "sortable" 0 padded format... -> ).
- targetport.
- protocol.
- reports (each "packet" counts as one report).
- targets (each distinct target IP reporting this particular source IP / port combination counts as one).
- first seen: the time (UTC) of the first packet we received for this source/port.
- last seen: the time (UTC) for the last packet we received for this source/port.

NOTE! This is not a "blocklist". It needs further processing to be used as such. The data is distributed under a "Creative Commons Share Alike" license. You may use it for non-commercial use for free as long as you attribute DShield or the SANS Internet Storm Center as the source of the data. We always like to hear how our data is used.
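
A parser for the layout described above, as an added example (not ISC or DShield code). It assumes each octet is zero-padded to three digits and runs on constructed sample rows; `unpad_ip`, `parse_feed` and `summarize` are illustrative names. Octets are read as decimal because some IP parsers reject a leading zero or treat it as octal.

```python
import csv
from collections import defaultdict

# Constructed sample in the layout described above (not real feed data).
# Protocol and timestamp values are made up and kept as opaque strings.
SAMPLE = (
    "# constructed header comment\n"
    "192.000.002.010\t22\t6\t40\t12\t2007-10-14 00:01:02\t2007-10-14 23:50:00\n"
    "192.000.002.010\t23\t6\t5\t3\t2007-10-14 04:00:00\t2007-10-14 05:00:00\n"
    "198.051.100.007\t445\t6\t1\t1\t2007-10-14 09:00:00\t2007-10-14 09:00:00\n"
    "this line is malformed\n"
    "# constructed footer comment\n"
)
FIELDS = "ip targetport protocol reports targets first_seen last_seen".split()


def unpad_ip(padded):
    """'192.000.002.010' -> '192.0.2.10', reading every octet as decimal."""
    octets = padded.split(".")
    # int(o, 10): '010' is ten, never octal eight
    values = [int(o, 10) for o in octets if o.isascii() and o.isdigit()]
    if len(octets) != 4 or len(values) != 4 or max(values) > 255:
        raise ValueError(f"not a padded IPv4 address: {padded!r}")
    return ".".join(map(str, values))


def parse_feed(lines):
    """Yield a dict per data row; skip '#' comments, blanks and bad rows."""
    for row in csv.reader(lines, delimiter="\t", quoting=csv.QUOTE_NONE):
        if not row or row[0].startswith("#") or len(row) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, row))
        try:
            rec["ip"] = unpad_ip(rec["ip"])
            rec.update({k: int(rec[k]) for k in ("targetport", "reports", "targets")})
        except ValueError:
            continue  # non-numeric field or bad address: drop the row
        yield rec


def summarize(records):
    """Per source IP: total reports, largest target count, ports seen."""
    out = defaultdict(lambda: {"reports": 0, "max_targets": 0, "ports": set()})
    for r in records:
        entry = out[r["ip"]]
        entry["reports"] += r["reports"]
        # targets is counted per source/port row, so take the max, not the sum
        entry["max_targets"] = max(entry["max_targets"], r["targets"])
        entry["ports"].add(r["targetport"])
    return dict(out)
```

For the real file, pass the open file object to `parse_feed` so the rows are streamed instead of loaded into memory at once.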






Oct 15th 2007
