CERT.at Data feeds
CERT.at sends out daily mails containing data breach notifications, reports on vulnerable systems or other mis-use on the Internet to network owners. The following page describes these data feeds.
Current Version: 1.2
Our data feeds are structured in a uniform way and try to answer the following questions:
- When did something happen (time.source field)?
- What happened (classification.*, feed)?
- Where did it happen (source.ip, source.asn, source.url, protocol.*, destination.* fields)?
- How did it happen and where can I read more about it? (event_description.*, feed.documentation fields )
We will call one entry in the data feed (e.g. one log line) an event. In order to categorize the event, CERT.at uses the well known Reference Security Incident Taxonomy (also known as "ENISA Taxonomy"). In short, the taxonomy is structured in three fields:
- classification.taxonomy - highest level: the incident class.
- classification.type - sub categorization.
- classification.identifier - this is an internal CERT.at identifier which further specifies the event.
All fields named
source.* denote the origin of the problem (example:
source.ip is the IP address of an infected PC). Fields named
destination.* refer usually to a command & control (C & C) server or to a sinkhole server.
You can find a complete list of all defined fields in the Data Harmonisation, part of the IntelMQ documentation.
Time zones are always UTC.
CSV Format, Version 1.2
The following lists all fields (in their respective order) as of version 1.2:
|time.source||When did the event happen? (incl. time zone)?|
|source.ip||The affected IP address.|
|protocol.transport||The Transport Protocol (TCP/UDP).|
|protocol.application||The service (e.g. ssh, vnc, ftp, etc.)|
|source.fqdn||The hostname of the affected machine.|
|source.local_hostname||Possible internal hostnames within a LAN (e.g. Bill_Gates_PC).|
|source.local_ip||Internal IP address in a LAN (e.g. 192.168.0.27)|
|source.url||An involved URL pointing to the victim (e.g. the URL of a phishing site pointing to a hacked server)|
|source.asn||The Autonomous System Number (ASN) of the network which hosts the IP address|
|source.geolocation.cc||Country code ( ISO3166-1) of the IP address (according to some geolocation database).|
|classification.taxonomy||Taxonomy. See Taxonomy.|
|classification.type||Type. See Taxonomy.|
|classification.identifier||CERT.at internal identifier.|
|destination.ip||The destination IP address (e.g. C&C Server)|
|destination.port||Destination port number|
|destination.fqdn||Destination hostname if known|
|destination.url||Destination URL if known|
|feed||This is a unique identifier denoting the source of our data. Most of the time it will be a URL to the feed (for verification at the recipient), sometimes when the feed asks us to anonymize, we will assign a feed code.|
|event_description.text||Free form description of the event|
|event_description.url||A URL which points to further descriptions for the event.|
|malware.name||If the event refers to malware, this is the malware family name (as known to CERT.at).|
|extra||Any extra fields (in JSON Format), which we received from the feed.|
|comment||Free form comment|
|additional_field_freetext||Here add any other fields which the feed might have specified in free form text.|
|feed.documentation||A URL pointing to the data feed (if available).|
|version: 1.2||The CERT.at format version string|