
CERT.at Data feeds

CERT.at sends network owners daily mails containing data breach notifications, reports on vulnerable systems and reports on other misuse on the Internet. This page describes the format of these data feeds.

Current Version: 1.2

Overview

Our data feeds are structured in a uniform way and try to answer the following questions:
  • When did something happen (time.source field)?
  • What happened (classification.*, feed)?
  • Where did it happen (source.ip, source.asn, source.url, protocol.*, destination.* fields)?
  • How did it happen and where can I read more about it (event_description.*, feed.documentation fields)?

We will call one entry in the data feed (e.g. one log line) an event. In order to categorize the event, CERT.at uses the well-known eCSIRT II Taxonomy (also known as the "ENISA Taxonomy"). In short, the taxonomy is structured in three fields:
  • classification.taxonomy - highest level: the incident class.
  • classification.type - sub categorization.
  • classification.identifier - this is an internal CERT.at identifier which further specifies the event.
All fields named source.* denote the origin of the problem (example: source.ip is the IP address of an infected PC). Fields named destination.* usually refer to a command & control (C&C) server or to a sinkhole server.

You can find a complete list of all defined fields in the Data Harmonisation Ontology.

Time zones are always UTC.

CSV Format, Version 1.2

The following lists all fields (in their respective order) as of version 1.2:

Field name                  Description
--------------------------  ------------------------------------------------------------------
time.source                 When did the event happen? (incl. time zone)
source.ip                   The affected IP address.
protocol.transport          The transport protocol (TCP/UDP).
source.port                 Source port.
protocol.application        The service (e.g. ssh, vnc, ftp, etc.).
source.fqdn                 The hostname of the affected machine.
source.local_hostname       Possible internal hostname within a LAN (e.g. Bill_Gates_PC).
source.local_ip             Internal IP address in a LAN (e.g. 192.168.0.27).
source.url                  An involved URL pointing to the victim (e.g. the URL of a phishing
                            site pointing to a hacked server).
source.asn                  The Autonomous System Number (ASN) of the network which hosts the
                            IP address.
source.geolocation.cc       Country code (ISO 3166-1) of the IP address (according to some
                            geolocation database).
source.geolocation.city     City.
classification.taxonomy     Taxonomy. See ENISA eCSIRT II Taxonomy.
classification.type         Type. See eCSIRT II Taxonomy.
classification.identifier   CERT.at internal identifier.
destination.ip              The destination IP address (e.g. C&C server).
destination.port            Destination port number.
destination.fqdn            Destination hostname, if known.
destination.url             Destination URL, if known.
feed                        A unique identifier denoting the source of our data. Most of the
                            time it is a URL to the feed (for verification at the recipient);
                            when the feed asks us to anonymize, we assign a feed code instead.
event_description.text      Free-form description of the event.
event_description.url       A URL which points to further descriptions of the event.
malware.name                If the event refers to malware, the malware family name (as known
                            to CERT.at).
extra                       Any extra fields (in JSON format) which we received from the feed.
comment                     Free-form comment.
additional_field_freetext   Any other fields which the feed might have specified, in free-form
                            text.
feed.documentation          A URL pointing to the data feed documentation (if available).
version                     The CERT.at format version string (value: 1.2).
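The following parser is an added example for recipients of these mails; it is not CERT.at's own code. It maps a single CSV record onto the version 1.2 column order from the table above, then answers the four questions from the Overview (when, what, where, how) from the parsed event. Everything not stated on this page is an assumption: comma-delimited records without a header row, RFC 4180 quoting, and a time.source value written as an ISO 8601 timestamp with an explicit zone offset. The sample line, including all IP addresses, the ASN, the hostnames and the URLs, is constructed for the example.

```python
"""Parse CERT.at data-feed CSV records (format version 1.2) into structured events.

Added example, not CERT.at's own code. Assumptions not stated on the page:
comma-delimited records without a header row, RFC 4180 quoting, and an
ISO 8601 time.source value that carries its own zone offset.
"""
import csv
import json
from datetime import datetime, timedelta

# Column order exactly as listed in the version 1.2 field table.
FIELDS_V12 = [
    "time.source", "source.ip", "protocol.transport", "source.port",
    "protocol.application", "source.fqdn", "source.local_hostname",
    "source.local_ip", "source.url", "source.asn", "source.geolocation.cc",
    "source.geolocation.city", "classification.taxonomy", "classification.type",
    "classification.identifier", "destination.ip", "destination.port",
    "destination.fqdn", "destination.url", "feed", "event_description.text",
    "event_description.url", "malware.name", "extra", "comment",
    "additional_field_freetext", "feed.documentation", "version",
]

# Constructed sample record: every address, ASN, hostname and URL is made up.
SAMPLE_LINE = (
    '2017-10-30T08:15:00+00:00,192.0.2.10,tcp,51234,,victim.example.net,'
    'WORKSTATION-01,192.168.0.27,,64496,AT,Vienna,malicious code,botnet drone,'
    'example-bot,198.51.100.5,443,sinkhole.example.org,,https://feed.example.org/,'
    '"Host contacted a sinkhole",https://feed.example.org/doc,example-malware,'
    '"{""dns_query"": ""bot.example.com""}",,,https://feed.example.org/about,1.2'
)


class FeedFormatError(ValueError):
    """Raised when a record does not match the documented format."""


def parse_event(line, fields=FIELDS_V12):
    """Turn one CSV record into a dict keyed by the harmonised field names."""
    row = next(csv.reader([line]))
    if len(row) != len(fields):
        raise FeedFormatError(f"expected {len(fields)} columns, got {len(row)}")
    # Empty CSV cells become None so callers can tell 'absent' from 'empty'.
    event = {name: (value or None) for name, value in zip(fields, row)}
    if event["version"] != "1.2":
        raise FeedFormatError(f"unsupported format version {event['version']!r}")
    # The page states that time zones are always UTC; reject anything else
    # rather than silently shifting the incident time.
    ts = datetime.fromisoformat(event["time.source"])
    if ts.tzinfo is None or ts.utcoffset() != timedelta(0):
        raise FeedFormatError("time.source must be an explicit UTC timestamp")
    event["time.source"] = ts
    # Numeric columns: ports and the ASN.
    for name in ("source.port", "destination.port", "source.asn"):
        if event[name] is not None:
            event[name] = int(event[name])
    # 'extra' is JSON per the table; keep the raw text if it does not parse.
    if event["extra"] is not None:
        try:
            event["extra"] = json.loads(event["extra"])
        except json.JSONDecodeError:
            pass
    return event


def summarize(event):
    """Answer the Overview's four questions (when / what / where / how)."""
    return {
        "when": event["time.source"].isoformat(),
        "what": (event["classification.taxonomy"],
                 event["classification.type"],
                 event["classification.identifier"]),
        "where": {"source": event["source.ip"],
                  "destination": event["destination.ip"]},
        "how": event["event_description.url"] or event["feed.documentation"],
    }


if __name__ == "__main__":
    print(summarize(parse_event(SAMPLE_LINE)))
```

Rejecting non-UTC timestamps and unknown version strings up front is deliberate: a silently mis-parsed time.source or a column shift from a newer format would attach the report to the wrong host or the wrong hour, which is the worst failure mode for a notification pipeline.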
Last Change: 2017/10/31 - 14:23:43