Howdy and thanks for the questions!
1. These numbers are summary calculations from our sensor submissions
for a particular IP.
Count = Total number of sensor log submissions between dates
Attacks = Unique number of sources logged between dates
2. Log data Time Zone is outlined here
https://isc.sans.edu/specs.html#time_zone
3. I just checked and the import script cron runs often to replenish
this data so your 12 queries a day should always be pulling updated
information.
4. Excessive hits will be automatically blocked by software but you
won't be anywhere near the threshold by the sounds of it.
I will work on putting up this descriptive information pertaining to
each section on the main API page. Thanks again for the questions and
please let us know if you need any more information.
-adam
> I'm looking for a little help on the ISC API <https://isc.sans.edu/api>;
> specifically the following: Assume https://isc.sans.edu/api/ip/184.154.116.250
>
> The values returned, amongst others, are (currently):
>
> count 116512
> attacks 37824
> maxdate 2012-05-23
> mindate 2012-05-02
> updated 2012-05-23 22:57:23
>
> Could anyone explain to me:
>
> 1. The meaning of attacks & count (specifically the difference)
> 2. The timezone of the dates. I have, sort of, determined/guessed that
> the timezone is probably EDT <http://www.timetemperature.com/tzmd/bethesda.shtml>
> since, as far as I could determine, SANS is based in Bethesda, Maryland. Is
> this correct?
> 3. The "web-interface <https://isc.sans.edu/ipinfo.html?ip=184.154.116.250>"
> version offers a way to refresh the data by adding &update=yes to the URL;
> is there also a possibility to do this via the API? Does it work in the
> same way?
> 4. Is there a limit (or maybe rate-limit) to the usage of this API?
>
> I am (or we are) not planning on heavy usage of this API (not more than
> maybe a dozen queries per day), just to be clear. I'm just curious. We're
> planning to use this data as an **indicator** of abusive hosts.