The primary objective of the SISSDEN project is to offer National CERTs, ISPs and network owners free reports on malicious activity detected on their networks. This is achieved through the establishment of a network of honeypots.
As of the 20th of December 2018, SISSDEN is offering 5 new report types, 4 of which are created from honeypot deployments and 1 from a network telescope (darknet) deployment. The full list of new SISSDEN reports is as follows:
- The Brute Force report
- The HTTP Scanner report
- The ICS Scanner report
- The Amplificaton DDoS Victim report
- The Darknet report
Since blogging about those, there has been a change in one of the feeds going out as of yesterday (19th December 2018). The Brute Force report feed from above has been enriched to go beyond collecting just SSH and telnet related data. It now includes brute force attempts against numerous other services such as: VNC, IMAP, SMTP, POP3, FTP etc.
Additionally, something we have not blogged about before: since August 2018 we have also been offering feeds coming from our spampot deployments, which have served to enrich the Spam-URL report offered by Shadowserver. This includes data from spam messages that have a URL embedded in them. Note that this does not mean that these URLs in themselves are necessarily malicious.
The data fields being offered as part of the pre-existing Spam-URL feed can be found below:
|timestamp||Timestamp of the message|
|url||URL that was extracted from a Spam message|
|host||Hostname of the URL location|
|ip||IP of the URL|
|asn||ASN where the IP resides|
|geo||Country location of the IP|
|region||Regional location of the IP|
|city||City location of the IP|
|subject||Subject of the Spam message|
|src||IP address of the Spam relay that delivered the message (last hop)|
|src_asn||ASN of the relay IP|
|src_geo||Country location of the Spam relay|
|src_region||Regional location of the Spam relay|
|src_city||City location of the Spam relay|
|sender||Sender email address if available|
|source||Source of information, if public|
Events from the Spam-URL report that come from SISSDEN have their source marked as "SISSDEN".
Information from all the above listed SISSDEN based reports is sent out on a daily basis via Shadowserver’s free victim remediation feeds (including to 95+ National CSIRTs, 4200+ network owners Worldwide).If you are a network owner or CSIRT and wish to receive reports from SISSDEN you can either subscribe directly to Shadowserver's feeds or do so through the SISSDEN Customer Portal, which was recently made available. Existing Shadowserver subscribers will receive all the above reports automatically on a daily basis without the need of resubscribing.