Help on the ISC API

Rob Janssen

May 24, 2012, 1:36:28 PM
to iscds...@googlegroups.com
Hi!

I'm looking for a little help on the ISC API; specifically the following: Assume https://isc.sans.edu/api/ip/184.154.116.250

The values returned, amongst others, are (currently):

count   116512
attacks 37824
maxdate 2012-05-23
mindate 2012-05-02
updated 2012-05-23 22:57:23

Could anyone explain to me:
  1. The meaning of attacks & count (specifically the difference)
  2. The timezone of the dates. I have, sort of, determined/guessed that the timezone is probably EDT since, as far as I could determine, SANS is based in Bethesda, Maryland. Is this correct?
  3. The "web-interface" version offers a way to refresh the data by adding &update=yes to the URL; is there also a possibility to do this via the API? Does it work in the same way?
  4. Is there a limit (or maybe rate-limit) to the usage of this API?
I am (or we are) not planning on heavy usage of this API (not more than maybe a dozen queries per day), just to be clear. I'm just curious. We're planning to use this data as an *indicator* of abusive hosts.

Any help would be very much appreciated.

Adam Swanger

May 24, 2012, 3:19:40 PM
to SANS Internet Storm Center / DShield
Howdy and thanks for the questions!

1. These numbers are summary calculations from our sensor submissions
for a particular IP.
Count = Total number of sensor log submissions between dates
Attacks = Unique number of sources logged between dates

2. Log data Time Zone is outlined here https://isc.sans.edu/specs.html#time_zone

3. I just checked, and the import-script cron runs often to replenish
this data, so your 12 queries a day should always be pulling updated
information.

4. Excessive hits will be automatically blocked by software but you
won't be anywhere near the threshold by the sounds of it.

I will work on putting this descriptive information about each
section up on the main API page. Thanks again for the questions, and
please let us know if you need any more information.
-adam

Rob Janssen

May 24, 2012, 8:51:05 PM
to iscds...@googlegroups.com
Hi Adam,

Thanks for your quick response!

  1. Clear. Simple as that. :P
  2. Also clear. Would it be an idea to return the date as 2012-05-23 22:57:23Z to be more explicit on this?
  3. Clear again; as long as the cron is running at least once or twice a day there's no need for me to "manually" force an update. I was just a little concerned that data might be stale for a week or so.
  4. To be honest, while testing/developing we must have caused more hits (still < 200, I think). I don't think we'll be relying very heavily on this (indicator) data on a daily basis (we'll average out at < 1/2 queries/day over a month is my guesstimate) but, for stuff like DDoSes or other stressful times, we might do a little more than 12 queries a day; who knows, maybe even a hundred or two. But I don't think we'll belong to the "big guys" by a far cry, and should we get "auto-blocked" then that's fine. Our system is perfectly able to cope with that. All we do is add "traffic lights" to "flagged hosts" and use this API, amongst a slew of other data, as one of the indicators of a host being a jerk or not :P
Again, thanks for the quick reply! ... Now... off to trash the EDT to UTC conversion from my code; the time already is in UTC/GMT so I outdid myself :P

With kind regards,

Rob Janssen

Rob Janssen

Mar 6, 2014, 5:03:31 AM
to iscds...@googlegroups.com
Hi!

I don't have an exact date, but is it possible that the API changed at some point? The documentation for api/ip states:


<?xml version="1.0" encoding="UTF-8"?>
<ip>
 <number>70.91.145.10</number>
 <count>159</count>
 <attacks>5</attacks>
 <maxdate>2011-09-12</maxdate>
 <mindate>2011-03-09</mindate>
 <updated>2011-09-12 14:51:16</updated>
 <country>US</country>
 <as>33489</as>
 <asname>Some Internet Service Provider</asname>
 <network>70.91.144.0/21</network>
 <comment>some user provided comment</comment>
</ip>

What I'm actually seeing is:


<ip>
    <ip>
        <number>070.091.145.010</number>
        <count>148</count>
        <attacks>1</attacks>
        <maxdate>2014-03-06</maxdate>
        <mindate>2014-02-05</mindate>
        <updated>2014-03-06 05:13:37</updated>
    </ip>
    <abusecontact>unknown</abusecontact>
    <number>70.91.145.10</number>
    <country>US</country>
    <as>33489</as>
    <asname>COMCAST-33489 - Comcast Cable Communications, Inc.</asname>
    <network>70.91.144.0/21</network>
    <comment/>
</ip>

I am actually using the JSON output but this is giving me trouble since the deserialized object (in PHP) now has an unnamed property and results in a mixture of an object/array kind of thing:

array(1) {
  ["ip"]=>
  array(8) {
    [0]=>
    array(6) {
      ["number"]=>
      string(15) "070.091.145.010"
      ["count"]=>
      string(3) "148"
      ["attacks"]=>
      string(1) "1"
      ["maxdate"]=>
      string(10) "2014-03-06"
      ["mindate"]=>
      string(10) "2014-02-05"
      ["updated"]=>
      string(19) "2014-03-06 05:13:37"
    }
    ["abusecontact"]=>
    string(7) "unknown"
    ["number"]=>
    string(12) "70.91.145.10"
    ["country"]=>
    string(4) " US "
    ["as"]=>
    string(6) "33489 "
    ["asname"]=>
    string(51) " COMCAST-33489 - Comcast Cable Communications, Inc."
    ["network"]=>
    string(16) " 70.91.144.0/21 "
    ["comment"]=>
    NULL
  }
}

I can work around this or use the XML feed or find some other creative way to fix this but I'm wondering if, maybe, this "nested" <ip> element is a glitch/bug that will be fixed/reverted to what it was or if it will stay this way and thus requires me to do something to fix this.
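Added example, not code from the thread, from ISC/DShield, or from the PHP client described above: a Python parser for the JSON form of the /api/ip/ record that tolerates both shapes shown in this post (the documented flat record and the nested one with the zero-padded address and whitespace-padded strings) and reads the timestamps as UTC, which is where the May 2012 exchange on time zones ended up. The two JSON samples are constructed from the values quoted in the thread; the nested child's key "0" is inferred from the PHP dump's [0]=> and is an assumption, as are the canonical_ipv4 and is_stale helpers and the two-day staleness threshold.

```python
"""Normalise an ISC/DShield /api/ip/<addr> JSON record (added example; not
code from the thread, from ISC/DShield or from the poster's PHP client).
Handles the documented flat shape and the March 2014 nested/padded variant;
timestamps are read as UTC.  Assumptions are marked in comments."""
import ipaddress
import json
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Any, Optional

@dataclass
class IpRecord:
    number: str                  # canonical dotted quad, e.g. "70.91.145.10"
    count: int                   # total sensor log submissions in [mindate, maxdate]
    attacks: int                 # distinct sources that reported the IP in that window
    mindate: Optional[date]
    maxdate: Optional[date]
    updated: Optional[datetime]  # timezone-aware, UTC
    country: Optional[str]
    asn: Optional[int]
    asname: Optional[str]
    network: Optional[str]
    abusecontact: Optional[str]
    comment: Optional[str]

def _clean(value: Any) -> Any:
    """Strip the stray padding seen in the 2014 output (' US ', '33489 ')."""
    if isinstance(value, str):
        return value.strip() or None
    return value

def canonical_ipv4(value: str) -> str:
    """'070.091.145.010' -> '70.91.145.10'; leading zeros are dropped by hand
    because ipaddress rejects them (octal ambiguity) on newer Pythons."""
    octets = value.strip().split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"not a dotted quad: {value!r}")
    return str(ipaddress.IPv4Address(".".join(str(int(o)) for o in octets)))

def parse_utc_timestamp(value: Optional[str]) -> Optional[datetime]:
    """'2014-03-06 05:13:37' -> aware UTC datetime (the API omits the zone)."""
    value = _clean(value)
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def _to_int(value: Any, default: Optional[int] = None) -> Optional[int]:
    value = _clean(value)
    return int(value) if value is not None else default

def parse_ip_response(raw: str) -> IpRecord:
    outer = json.loads(raw)["ip"]
    # Glitched shape: counters sit in an unnamed child.  Its key is assumed to
    # be "0" (PHP's json_decode showed index 0); a nested "ip" key is accepted
    # too, matching the XML form quoted in the thread.
    inner = outer.get("0") or outer.get("ip")
    merged = {**outer, **inner} if isinstance(inner, dict) else dict(outer)
    to_date = lambda v: date.fromisoformat(_clean(v)) if _clean(v) else None
    return IpRecord(
        number=canonical_ipv4(merged["number"]),
        count=_to_int(merged.get("count"), 0),
        attacks=_to_int(merged.get("attacks"), 0),
        mindate=to_date(merged.get("mindate")),
        maxdate=to_date(merged.get("maxdate")),
        updated=parse_utc_timestamp(merged.get("updated")),
        country=_clean(merged.get("country")),
        asn=_to_int(merged.get("as")),
        asname=_clean(merged.get("asname")),
        network=_clean(merged.get("network")),
        abusecontact=_clean(merged.get("abusecontact")),
        comment=_clean(merged.get("comment")),
    )

def is_stale(record: IpRecord, now: datetime, max_age: timedelta = timedelta(days=2)) -> bool:
    """True if the record was not refreshed within max_age (or has no 'updated').
    The 2-day default is an assumption; the thread only says the cron runs often."""
    return record.updated is None or now - record.updated > max_age

# Constructed sample responses, built from the values quoted in this thread.
DOCUMENTED_JSON = json.dumps({"ip": {
    "number": "70.91.145.10", "count": "159", "attacks": "5",
    "maxdate": "2011-09-12", "mindate": "2011-03-09",
    "updated": "2011-09-12 14:51:16", "country": "US", "as": "33489",
    "asname": "Some Internet Service Provider", "network": "70.91.144.0/21",
    "comment": "some user provided comment"}})
GLITCHED_JSON = json.dumps({"ip": {
    "0": {"number": "070.091.145.010", "count": "148", "attacks": "1",
          "maxdate": "2014-03-06", "mindate": "2014-02-05",
          "updated": "2014-03-06 05:13:37"},
    "abusecontact": "unknown", "number": "70.91.145.10", "country": " US ",
    "as": "33489 ", "asname": " COMCAST-33489 - Comcast Cable Communications, Inc.",
    "network": " 70.91.144.0/21 ", "comment": None}})

if __name__ == "__main__":
    for raw in (DOCUMENTED_JSON, GLITCHED_JSON):
        rec = parse_ip_response(raw)
        print(rec.number, rec.count, rec.attacks, rec.updated.isoformat(),
              "stale" if is_stale(rec, datetime.now(timezone.utc)) else "fresh")
```

Canonicalising the address matters beyond cosmetics: "070.091.145.010" is not the same string as "70.91.145.10", and inet_aton-style parsers read zero-padded octets as octal, so compare or key on addresses only after normalisation. Tolerating the nested shape costs one line and keeps the client working whether or not a server-side fix sticks.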

Johannes B. Ullrich Ph.D.

Mar 7, 2014, 9:31:53 PM
to iscds...@googlegroups.com
Should be fixed now. Let me know if it works for you.

Thanks for reporting this!

Johannes B. Ullrich, Ph.D., GIAC GCIA & GWEB, SANS Technology Institute, (757) 726 7528, twitter: johullrich; http://isc.sans.edu






RobIII

Mar 8, 2014, 6:19:14 AM
to iscds...@googlegroups.com
Yup, seems to be fixed (or back to what it used to be at least). This should fix my problem; I won't know for sure till Monday, but I don't see why not.

Thanks!

Rob Janssen

Mar 11, 2014, 8:06:39 AM
to iscds...@googlegroups.com
And now I can "confirm officially": works for me :-)

