Sinkhole Traffic
The sinkhole_traffic dataset contains traffic from IP addresses checking into our various sinkholes. Wapack Labs has several hundred sinkholed domains from a variety of malware and threats including Advanced Persistent Threat (APT) and crimeware. For web-based traffic we provide all of the common HTTP headers.
| Sinkholes | Threat Domain | Description |
| --- | --- | --- |
| Striker | Targeted APT sinkholes | Oftentimes yielding pure indicators of compromise, Striker activities focus on honeypots and sinkhole techniques placed in specific locations. The intent is not to collect everything, but rather specific information, and then leave. |
| Field | Description |
| --- | --- |
| area_code | area code geolocated from indicator |
| attribution | provides malware attribution or actor attribution for the sinkhole |
| city | city name geolocated from indicator |
| count_rec | observation count for the given IP (indicator) |
| country | two-character country code geolocated from indicator |
| cs_asn | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
| cs_bytes | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
| cs_cookie | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
| cs_host | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
| cs_referrer | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
| cs_ua | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
| cs_username | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
| cs_version | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
| domain_cat | general site categorization of indicator |
| etl_date | date the data was extracted, transformed or loaded (ETL) |
| indicator | IP address checking into the sinkhole: client-server IP (cs-ip as defined by W3C logging) |
| indicator_context | always sinkhole_ip |
| indicator_type | always ipv4addr |
| location | latitude/longitude coordinates |
| postal_code | postal code geolocated from indicator |
| raw_data_file | raw logfile containing the sinkhole traffic |
| region | region name geolocated from indicator |
| sc_bytes | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
| sc_status | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
| sc_substatus | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
| sc_win32_status | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
| tag | defines whether the sinkhole is APT or crimeware/botnet |
| url_cat | specific site categorization of indicator |
Prefixes
The following prefixes are defined:
| Prefix | Description |
| --- | --- |
| c | Client |
| s | Server |
| r | Remote |
| cs | Client to Server |
| sc | Server to Client |
| sr | Server to Remote Server; this prefix is used by proxies |
| rs | Remote Server to Server; this prefix is used by proxies |
| x | Application-specific identifier |
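As an added illustration of how the cs_*/sc_* fields above and the prefix convention relate to the underlying W3C Extended Log Format (this is example code, not Wapack Labs' own pipeline), the following parses a constructed IIS-style log excerpt, maps each W3C column onto the dataset's field names, and derives count_rec per indicator; the SAMPLE_LOG, the FIELD_MAP and the IP addresses are all assumptions made for the example.

```python
from collections import Counter

# Constructed sample in W3C Extended Log Format: "#Fields:" names the columns,
# "-" marks an empty value, and IIS writes spaces inside cs(User-Agent) as "+",
# so whitespace splitting is safe. Hosts and IPs are documentation values.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-username cs-host cs-method cs-uri-stem cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes
2020-01-01 00:00:01 198.51.100.7 - sinkhole.example.test GET /gate.php Mozilla/4.0 - 200 0 0 512 301
2020-01-01 00:00:05 198.51.100.7 - sinkhole.example.test POST /gate.php Mozilla/4.0 - 200 0 0 512 420
2020-01-01 00:00:09 203.0.113.9 - sinkhole.example.test GET /index.html curl/7.64 - 404 0 2 0 88
"""

# Assumed mapping from W3C names (cs- = client to server, sc- = server to
# client) onto the dataset's column names; c-ip becomes the indicator.
FIELD_MAP = {
    "c-ip": "indicator",
    "cs-username": "cs_username",
    "cs-host": "cs_host",
    "cs(User-Agent)": "cs_ua",
    "cs(Referer)": "cs_referrer",
    "sc-status": "sc_status",
    "sc-substatus": "sc_substatus",
    "sc-win32-status": "sc_win32_status",
    "sc-bytes": "sc_bytes",
    "cs-bytes": "cs_bytes",
}

def parse_w3c(text):
    """Return one dict per log line, keyed with the dataset's field names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order for the lines that follow
            continue
        if not line.strip() or line.startswith("#"):
            continue                        # blank line or another directive
        values = line.split()
        if len(values) != len(fields):
            continue                        # truncated line: skip rather than misalign
        rec = {FIELD_MAP[n]: (None if v == "-" else v)
               for n, v in zip(fields, values) if n in FIELD_MAP}
        rec["indicator_context"] = "sinkhole_ip"   # constant per the schema
        rec["indicator_type"] = "ipv4addr"
        records.append(rec)
    return records

def count_rec(records):
    """Observations per indicator, as the count_rec column describes."""
    return Counter(r["indicator"] for r in records)
```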