Virginia Tech DShield
Distributed Intrusion Detection System

Using DShield's Data Feeds

Be proactive. You can incorporate DShield summaries in your own web pages so that your page can also display the "Current Most Active Attacking IP" or the "Current Most Scanned Port". Also see the Link Back page for DShield banner graphics.

How to do it

There are several methods you can choose from. The general idea is that you use some code that can read from one of the summary data files that we supply at http://feeds.dshield.org, parse the records into data fields and then display the data fields you choose surrounded by whatever explanatory text you want. See the sample code section, below.

"Live" Graphics

This graphic is updated once an hour with the latest top attacker information. Use this code to display the above graphic. (But if you are a high traffic site, please download the graphic from a cron job once an hour.)

Data files in http://feeds.dshield.org

The data files are tab delimited. They are ASCII files with each data record on a separate line. Each field is delimited with a TAB (ASCII 9) character. This makes it easy to separate the fields with a split function. See the sample code, below, for examples.

Field numbers start at 0.

Current Most Active Attacking IPs
http://dshield.cirt.vt.edu/feeds/top10-2.txt
(Same data as is used on DShield.org Top 10 Most Wanted.)

0 = IP Address
1 = Resolved domain of IP Address

Current Most Scanned Ports
http://dshield.cirt.vt.edu/feeds/topports.txt
(Same data as is used in DShield Top 10 Target Ports.)

0 = Short Description
1 = Port that is accessed
2 = Protocol (TCP or UDP)
3 = Explanation

RSS Format
http://dshield.cirt.vt.edu/feeds/news.xml

Summary data in .RSS format.

Links to information about RSS.

Sample PHP code

To have your page display

Current most scanned port from Virginia Tech DShield is 47808 udp(17)

include this code in your page. Adjust to taste. You probably should add better error checking. (It doesn't handle "file not found" too gracefully.)

<?php

/*
 Reads the topports.txt file from http://feeds.dshield.org and
 displays the port and protocol fields of the first record.
 The records are TAB (ASCII character 9) delimited.

 0 = Short Description
 1 = Port that is accessed
 2 = Protocol (tcp or udp)
 3 = Extended Description

 fopen() on an http:// URL requires allow_url_fopen to be enabled in php.ini.
*/

$fname = "http://dshield.cirt.vt.edu/feeds/topports.txt";
$topport = "not currently available, alas.";
$topproto = "";

$fd = fopen($fname, "r");
if ($fd) {
    $buffer = fgets($fd, 4096);
    /* fgets() returns false on a read error or an empty feed */
    if ($buffer !== false) {
        /* explode() replaces split(), which was removed in PHP 7 */
        $field = explode(chr(9), trim($buffer));
        if (count($field) >= 3) {
            /* Escape feed data before it is placed into the HTML page */
            $topport  = htmlspecialchars($field[1]);
            $topproto = htmlspecialchars($field[2]);
        }
    }
    fclose($fd);
}

echo "Current most scanned port from <a href=\"http://dshield.cirt.vt.edu\">Virginia Tech DShield</a> is $topport $topproto";

?>

To display the Current Most Active Attacking IP, use the same code, but substitute top10.txt for topports.txt (that feed has only two fields, 0 = IP address and 1 = resolved domain, so adjust the field indexes accordingly). To display the entire list, modify the code to loop through the entire data file, rather than just reading the first record. Have it your way.
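The same feed handling in Python, as an added example that is not part of the original page: it parses the TAB-delimited topports.txt layout described above, drops short or malformed records, loops over the whole file, and HTML-escapes feed text before it is rendered. The sample feed text is constructed here, not real DShield data.

```python
import html

# Constructed sample in the feed's format (not real DShield data): one record
# per line, fields separated by TAB (ASCII 9); field 0 = short description,
# 1 = port, 2 = protocol, 3 = explanation.  Two lines are deliberately damaged.
SAMPLE_TOPPORTS = (
    "BACnet\t47808\tudp(17)\tBuilding automation protocol\n"
    "SSH <b>login</b>\t22\ttcp(6)\tRemote login\n"
    "this line has no tabs at all\n"
    "NetBIOS\t137\tudp(17)\n"
)


def parse_topports(text):
    """Split TAB-delimited records into dicts, dropping records that are
    too short or whose port field is not a valid port number."""
    records = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        port = fields[1].strip()
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            continue
        records.append({
            "desc": fields[0].strip(),
            "port": int(port),
            "proto": fields[2].strip(),
            "explanation": fields[3].strip() if len(fields) > 3 else "",
        })
    return records


def render_top_port(records):
    """One-line summary of the first record; feed text is HTML-escaped so a
    bad record cannot inject markup into the hosting page."""
    if not records:
        return "Current most scanned port is not currently available, alas."
    top = records[0]
    return "Current most scanned port is %d %s" % (top["port"], html.escape(top["proto"]))


def render_port_list(records):
    """Render every record (the 'loop through the entire file' variant)."""
    items = "".join(
        "<li>%s: %d %s</li>" % (html.escape(r["desc"]), r["port"], html.escape(r["proto"]))
        for r in records
    )
    return "<ul>%s</ul>" % items
```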

Your web server must support PHP. See http://www.php.net for more information, including excellent on-line documentation.

  last update: 07/Nov/2009 07:29
DShield is a Servicemark of Euclidian Consulting