binaryedge / 40fy

Features and development of the 40fy SaaS

Sinkhole dataset access #3

Closed balgan closed 5 years ago

balgan commented 5 years ago

This feature enables access to our listener data. This means we can identify IP addresses which are scanning or doing requests.

With this data it's possible to:

Example events:

{"origin":{"type":"sinkhole","ts":1543620828902,"client_id":"sinkhole","ip":"116.31.116.9"},"target":{"ip":"172.104.186.81","port":22,"protocol":"tcp"},"data":{"payload":"\x00\x00\x02\x84\x07\x14u\xbb\x8bI\xc7\x17V\xd1R\xaf\xd8\x98{\xc2J\xc0\x00\x00\x00Ydiffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1\x00\x00\x00\x0fssh-rsa,ssh-dss\x00\x00\x00\x92aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc\x00\x00\x00\x92aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc\x00\x00\x00Uhmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com\x00\x00\x00Uhmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com\x00\x00\x00\x04none\x00\x00\x00\x04none\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x16\xf5W\xc8]\xddX","extra":{"ssh":{"hassh_algorithms":"diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1;aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc;hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com;none","hassh":"92674389fa1e47a27ddd8d9b63ecd42b"}}}}

{"target":{"protocol":"tcp","port":445,"ip":"213.32.78.78"},"data":{"payload":"\x00\x00\x00\x85\xffSMBr\x00\x00\x00\x00\x18S\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00@\x00\x00b\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00"},"origin":{"ts":1543620834696,"ip":"142.4.193.169","type":"sinkhole","client_id":"sinkhole"}}

{"target":{"ip":"47.106.200.110","port":5060,"protocol":"udp"},"data":{"payload":"REGISTER sip:47.106.200.110 SIP/2.0\r\nVia: SIP/2.0/UDP 195.154.49.119:4040;branch=z9hG4bK1713871061\r\nMax-Forwards: 70\r\nFrom: \"47106200110\" sip:47106200110@47.106.200.110;tag=799463280\r\nTo: \"me\" sip:me@47.106.200.110\r\nCall-ID: 1491721404-394118509-1512312112\r\nCSeq: 1 REGISTER\r\nContact: sip:47106200110@195.154.49.119:4040\r\nExpires: 3600\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO\r\nUser-Agent: pplsip\r\nContent-Length: 0\r\n\r\n"},"origin":{"ip":"110.185.170.198","client_id":"sinkhole","type":"sinkhole","ts":1543620995572}}

{"target":{"port":502,"ip":"213.219.39.228","protocol":"tcp"},"data":{"payload":"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0\r\nHost: 213.219.39.228:502\r\nConnection: Keep-Alive\r\n\r\n"},"origin":{"type":"sinkhole","ts":1543621097552,"ip":"37.49.231.146","client_id":"sinkhole"}}
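As an added example (not code from the 40fy project or from the issue author), the following script parses listener events of the shape shown above and builds a per-source summary a defender can pivot on: which listener targets each origin IP touched, which protocol the payload appears to speak, the HASSH fingerprint when the listener supplied one, and a flag when the spoken protocol does not match what the port normally carries (the fourth event above is a plain HTTP request against TCP/502, the Modbus port). The sample events are constructed from the four events in the issue with the binary payloads truncated to their identifying prefix; the `EXPECTED_SERVICE` map and the payload heuristics in `classify_payload` are assumptions made for this example.

```python
"""Summarise 40fy-style sinkhole events per source IP (added example)."""
from collections import defaultdict

# Assumption for this example: the service a listener port is expected to carry.
EXPECTED_SERVICE = {22: "ssh", 80: "http", 445: "smb", 502: "modbus", 5060: "sip"}

HTTP_METHODS = ("GET ", "POST ", "HEAD ", "OPTIONS ", "PUT ", "DELETE ")
SIP_METHODS = ("REGISTER ", "INVITE ", "OPTIONS ")

# Constructed sample events modelled on the ones in the issue; the SSH and SMB
# payloads are truncated to the bytes the classifier needs.
SAMPLE_EVENTS = [
    {"origin": {"type": "sinkhole", "ts": 1543620828902, "client_id": "sinkhole", "ip": "116.31.116.9"},
     "target": {"ip": "172.104.186.81", "port": 22, "protocol": "tcp"},
     "data": {"payload": "\x00\x00\x02\x84\x07\x14u\xbb\x8bI\xc7\x17V\xd1R",
              "extra": {"ssh": {"hassh": "92674389fa1e47a27ddd8d9b63ecd42b"}}}},
    {"origin": {"type": "sinkhole", "ts": 1543620834696, "client_id": "sinkhole", "ip": "142.4.193.169"},
     "target": {"ip": "213.32.78.78", "port": 445, "protocol": "tcp"},
     "data": {"payload": "\x00\x00\x00\x85\xffSMBr\x00\x00\x00\x00\x18S\xc0"}},
    {"origin": {"type": "sinkhole", "ts": 1543620995572, "client_id": "sinkhole", "ip": "110.185.170.198"},
     "target": {"ip": "47.106.200.110", "port": 5060, "protocol": "udp"},
     "data": {"payload": "REGISTER sip:47.106.200.110 SIP/2.0\r\n"
                         "Via: SIP/2.0/UDP 195.154.49.119:4040;branch=z9hG4bK1713871061\r\n"
                         "User-Agent: pplsip\r\nContent-Length: 0\r\n\r\n"}},
    {"origin": {"type": "sinkhole", "ts": 1543621097552, "client_id": "sinkhole", "ip": "37.49.231.146"},
     "target": {"ip": "213.219.39.228", "port": 502, "protocol": "tcp"},
     "data": {"payload": "GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
                         "Host: 213.219.39.228:502\r\nConnection: Keep-Alive\r\n\r\n"}},
]


def classify_payload(payload, extra=None):
    """Best-effort guess of the protocol the client spoke, from the raw payload.

    The heuristics are assumptions for this example, not the listener's own logic.
    """
    extra = extra or {}
    # SSH binary packet: 4-byte length, 1-byte padding length, then message
    # type 0x14 (SSH_MSG_KEXINIT). The listener also attaches extra.ssh for these.
    if "ssh" in extra or (len(payload) > 5 and payload[5] == "\x14"):
        return "ssh"
    # SMB1 header magic.
    if "\xffSMB" in payload:
        return "smb"
    first_line = payload.split("\r\n", 1)[0]
    # SIP is checked before HTTP because both use an OPTIONS method.
    if first_line.startswith(SIP_METHODS) and first_line.endswith("SIP/2.0"):
        return "sip"
    if first_line.startswith(HTTP_METHODS) and " HTTP/1." in first_line:
        return "http"
    return "unknown"


def summarize(events):
    """Group events by origin IP and record what each source touched."""
    summary = defaultdict(lambda: {"targets": set(), "services": set(), "hassh": set(),
                                   "flags": set(), "first_ts": None, "last_ts": None})
    for ev in events:
        src = ev["origin"]["ip"]
        tgt = ev["target"]
        data = ev.get("data", {})
        extra = data.get("extra") or {}
        service = classify_payload(data.get("payload", ""), extra)
        rec = summary[src]
        rec["targets"].add((tgt["ip"], tgt["port"], tgt["protocol"]))
        rec["services"].add(service)
        hassh = extra.get("ssh", {}).get("hassh")
        if hassh:
            rec["hassh"].add(hassh)
        # Flag protocol/port mismatches, e.g. an HTTP request sent to the Modbus port.
        expected = EXPECTED_SERVICE.get(tgt["port"])
        if expected and service not in ("unknown", expected):
            rec["flags"].add(f"{service}-on-port-{tgt['port']}")
        ts = ev["origin"]["ts"]
        rec["first_ts"] = ts if rec["first_ts"] is None else min(rec["first_ts"], ts)
        rec["last_ts"] = ts if rec["last_ts"] is None else max(rec["last_ts"], ts)
    return dict(summary)


if __name__ == "__main__":
    for src, rec in sorted(summarize(SAMPLE_EVENTS).items()):
        print(src, sorted(rec["targets"]), sorted(rec["services"]),
              sorted(rec["hassh"]), sorted(rec["flags"]))
```

Run against a real export, `summarize` gives one record per scanning source; sources with many distinct `targets` entries are the mass scanners, `hassh` lets SSH clients be tracked across changing source IPs, and `flags` surfaces the odd cases (HTTP on 502, SIP on a non-SIP port) worth a closer look.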

balgan commented 5 years ago

Added