New SANS DShield App... and other free data sources for security

Quick update in the world of security-related Apps for Splunk. Last week, one of the good folks affiliated with SANS, Bojan Zdrnja, created a cool, free “DShield for Splunk” app and put it up on Splunkbase at:

For those of you unfamiliar with DShield, it is a community-based collaborative firewall log correlation system. It receives logs from volunteers worldwide and uses them to analyze attack trends. It is used as the data collection engine behind the SANS Internet Storm Center (ISC).  Detail on the app is on Bojan’s blog posting at:

In his words: “The application downloads the DShield data (the published All Sources IPs dump) once per day and indexes it into your local Splunk. Once the data has been indexed you can do all sorts of analytics and show top attackers, top attacked ports, their geographical information and much more”. Very cool stuff!! I suggest you download it and give it a try to see if indeed your org is sending/receiving data to/from these blacklisted IPs. This is especially useful for smaller organizations that may not be subscribing to the IP blacklist feeds from the likes of Symantec, McAfee, etc.


And speaking of free feeds/data that you can weave into a Splunk security deployment, some other ones we see customers leveraging include the ones below:

- DShield feeds (more info on the various DShield feeds is here)
- Project Honey Pot (In their words: Project Honey Pot is a distributed network of decoy web pages website administrators can include on their sites in order to gather information about robots, crawlers, and spiders. We collate data on harvesters, spammers, dictionary attackers, and comment spammers. We make this data available to our members in order for them to protect their websites and inboxes.)
- US-CERT (In their words: US-CERT is the 24-hour operational arm of the Department of Homeland Security’s National Cyber Security Division (NCSD). Through its 24×7 operations center, US-CERT accepts, triages, and collaboratively responds to incidents; provides technical assistance to information system operators; and disseminates timely notifications regarding current and potential security threats and vulnerabilities.)
- A cooperative listing of viruses reported as being in the wild by virus information professionals. The basis for these reports is virus incidents where a sample was received and positively identified by the participant.
- A list of datacenters; in other words, IP addresses that end web consumers should not be using.

For more info on how to weave external feeds into Splunk, go to the Documentation page below and type in “external lookup”.
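What that correlation amounts to, as an added example that is neither the DShield app's code nor Splunk's own lookup mechanism: a small Python script that parses a constructed DShield-style dump (the tab-separated "ip, reports" layout and the zero-padded octets are assumptions for the example, not the real feed format), matches constructed firewall log lines against it in both directions, and counts the top attacked ports the way the app's analytics do.

```python
import re
from collections import Counter

# Constructed sample of a DShield-style "All Sources IPs" dump. The column layout
# ("ip<TAB>reports") and the zero-padded octets are assumptions, not the real feed.
DSHIELD_DUMP = """\
#ip\treports
198.051.100.007\t1234
203.000.113.099\t987
192.000.002.045\t15
"""

# Constructed firewall log lines in a generic key=value layout (assumed format).
FIREWALL_LOGS = """\
2011-03-14T10:01:02Z action=block src=198.51.100.7 dst=10.0.0.5 dport=22
2011-03-14T10:01:05Z action=allow src=10.0.0.12 dst=203.0.113.99 dport=443
2011-03-14T10:01:09Z action=allow src=10.0.0.13 dst=93.184.216.34 dport=80
2011-03-14T10:02:11Z action=block src=198.51.100.7 dst=10.0.0.9 dport=3389
"""

def load_dshield_sources(dump):
    """Parse the dump into {ip: reports}, skipping comments and stripping the
    zero-padded octets so entries match the way firewalls log addresses."""
    sources = {}
    for line in dump.splitlines():
        if not line or line.startswith("#"):
            continue
        raw_ip, reports = line.split("\t")
        ip = ".".join(str(int(octet)) for octet in raw_ip.split("."))
        sources[ip] = int(reports)
    return sources

KV = re.compile(r"(\w+)=(\S+)")

def correlate(logs, sources):
    """Return (timestamp, direction, ip, dport, reports) for each log line whose src
    or dst is listed: 'inbound' = a listed host reached you, 'outbound' = you reached it."""
    hits = []
    for line in logs.splitlines():
        ts, rest = line.split(" ", 1)
        f = dict(KV.findall(rest))
        if f.get("src") in sources:
            hits.append((ts, "inbound", f["src"], int(f["dport"]), sources[f["src"]]))
        if f.get("dst") in sources:
            hits.append((ts, "outbound", f["dst"], int(f["dport"]), sources[f["dst"]]))
    return hits

def top_attacked_ports(hits, n=5):
    """Most common destination ports among inbound hits (the 'top attacked ports' view)."""
    return Counter(h[3] for h in hits if h[1] == "inbound").most_common(n)
```

In Splunk itself the same match is what a CSV lookup of the indexed DShield IPs against your firewall index gives you, with the outbound hits being the ones most worth a closer look.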

Happy Splunking!

Joe Goldberg
