
SANS ISC: InfoSec Handlers Diary Blog


ISC Feature of the Week: SSH Scan Reports

Published: 2012-11-29
Last Updated: 2012-11-29 21:29:17 UTC
by Adam Swanger (Version: 1)
2 comment(s)

Our feature this week introduces Dr. Ullrich's newest system addition, which addresses the widespread reports of SSH scans that readers keep sending us. The system collects logs you submit via a special API URL and was set up to get a better handle on these scans. Reporting will be released as soon as enough information has been collected.


  • Reports are "POST"ed to
  • Parameters are userid, authkey, data (tab-delimited log data)
  • XML status OK returned on successful submission
    • This only accepts data. Validation and processing are done at a later time

There is currently a Perl script to collect data from the "kippo" honeypot available at
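As an added illustration (not the ISC script and not code from this diary), the sketch below turns kippo login-attempt lines into tab-delimited rows, builds the POST with the three parameters listed above, and checks the XML reply. The submission URL is a placeholder, and the column order and reply layout are assumptions, since the diary specifies neither.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from urllib.request import Request

SUBMIT_URL = "https://submit.example.invalid/"  # placeholder; the page gives no URL

# Login-attempt line as written by kippo to kippo.log.
LOGIN_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})[+-]\d{4} "
    r"\[SSHService ssh-userauth on HoneyPotTransport,\d+,([0-9A-Fa-f.:]+)\] "
    r"login attempt \[([^/]*)/(.*)\] (failed|succeeded)$")

def clean(field):
    """Usernames and passwords are attacker-supplied: neutralise the
    characters that would add columns or rows to tab-delimited data."""
    return re.sub(r"[\t\r\n]", "?", field)

def to_rows(log_lines):
    """Return tab-delimited rows (assumed column order:
    date, time, source IP, username, password, result)."""
    rows = []
    for line in log_lines:
        m = LOGIN_RE.match(line.rstrip("\n"))
        if m:  # skip connection, command and other non-login lines
            rows.append("\t".join(clean(f) for f in m.groups()))
    return "\n".join(rows)

def build_request(userid, authkey, rows):
    """Form-encode the three parameters named on the page into a POST."""
    body = urlencode({"userid": userid, "authkey": authkey, "data": rows})
    return Request(SUBMIT_URL, data=body.encode("ascii"), method="POST")

def submission_ok(xml_text):
    """True if any element of the XML reply has the text OK
    (reply layout assumed; the page only says 'XML status OK')."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return any((el.text or "").strip() == "OK" for el in root.iter())

# Constructed sample log lines (documentation addresses, made-up credentials).
SAMPLE_LOG = [
    "2012-11-29 21:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.5] login attempt [root/123456] failed",
    "2012-11-29 21:00:02+0000 [HoneyPotTransport,12,203.0.113.5] connection lost",
    "2012-11-29 21:00:09+0000 [SSHService ssh-userauth on HoneyPotTransport,13,198.51.100.7] login attempt [admin/pa\tss]] succeeded",
]
```

Because the endpoint only accepts data and validates later, a malformed row is not rejected at submission time, which is why the fields are cleaned before sending.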

Post suggestions or comments in the section below or send us any questions or comments in the contact form on
Adam Swanger, Web Developer (GWEB, GWAPT)
Internet Storm Center

Keywords: ISC feature