Sinkhole Traffic
The sinkhole_traffic dataset contains traffic from IP addresses checking into our various sinkholes. Wapack Labs operates several hundred sinkholed domains taken from a variety of malware and threats, including Advanced Persistent Threat (APT) and crimeware families. For web-based (HTTP) check-ins, the common request and response headers are provided as fields of each record.
Sinkholes

Threat Domain   Description
Striker         Targeted APT sinkholes

Striker sinkholes often yield pure indicators of compromise, since every host that checks in has already been compromised by the sinkholed threat. Striker activity relies on honeypots and sinkhole techniques placed in specific locations. The intent is not to collect everything, but to collect specific information and then leave.
Field               Description
area_code           area code geolocated from the indicator
attribution         malware attribution or actor attribution for the sinkhole
city                city name geolocated from the indicator
count_rec           observation count for the given IP (indicator)
country             two-character country code geolocated from the indicator
cs_asn              autonomous system number (ASN) associated with the indicator
cs_bytes            bytes sent from client to server (W3C cs-bytes)
cs_cookie           Cookie request header sent by the client (W3C cs(Cookie))
cs_host             Host request header sent by the client (W3C cs-host)
cs_referrer         Referer request header sent by the client (W3C cs(Referer))
cs_ua               User-Agent request header sent by the client (W3C cs(User-Agent))
cs_username         authenticated user name supplied by the client, if any (W3C cs-username)
cs_version          protocol version used by the client, e.g. HTTP/1.1 (W3C cs-version)
domain_cat          general site categorization of the indicator
etl_date            date the record was extracted, transformed and loaded (ETL)
indicator           IP address checking into the sinkhole: the client IP (c-ip as defined by the W3C Extended Log File Format)
indicator_context   always sinkhole_ip
indicator_type      always ipv4addr
location            latitude/longitude coordinates
postal_code         postal code geolocated from the indicator
raw_data_file       raw log file containing the sinkhole traffic
region              region name geolocated from the indicator
sc_bytes            bytes sent from server to client (W3C sc-bytes)
sc_status           HTTP status code returned by the sinkhole (W3C sc-status)
sc_substatus        HTTP substatus code returned by the sinkhole (IIS sc-substatus)
sc_win32_status     Windows status code for the request (IIS sc-win32-status)
tag                 defines whether the sinkhole is APT or crimeware/botnet
url_cat             specific site categorization of the indicator
Prefixes

The field prefixes follow the W3C Extended Log File Format. The following prefixes are defined:

Prefix   Description
c        Client
s        Server
r        Remote
cs       Client to Server
sc       Server to Client
sr       Server to Remote Server (used by proxies)
rs       Remote Server to Server (used by proxies)
x        Application-specific identifier
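The field table and the prefix table above describe how raw sinkhole web logs map onto sinkhole_traffic records. The following is an added example, not code from Wapack Labs or from this dataset's pipeline: it parses a constructed W3C Extended Log File Format excerpt (IIS-style, with a #Fields directive) and maps the W3C field names onto the dataset's cs_/sc_ field names, fills indicator, indicator_type, indicator_context and count_rec, and rejects entries whose client address is not IPv4. The sample log lines, hostnames, IPs and user agents are constructed for illustration, and the W3C_TO_DATASET mapping and the attribution/tag values are assumptions about how such an ETL step would be written.

```python
"""Map a W3C Extended Log File Format excerpt onto sinkhole_traffic-style records.

Example code written for this page; the log below is constructed and the
field mapping is an assumption, not the dataset's own ETL.
"""
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample: an IIS-style W3C extended log fragment. Values containing
# spaces (the User-Agent) are '+'-encoded, and '-' marks an absent value.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-15 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes
2024-01-15 00:01:02 10.0.0.5 GET /update.php id=1 80 - 198.51.100.23 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0) - - sinkholed.example 200 0 0 512 310
2024-01-15 00:01:09 10.0.0.5 POST /check - 80 - 198.51.100.23 HTTP/1.0 Mozilla/4.0 - - sinkholed.example 404 0 2 1024 220
2024-01-15 00:02:30 10.0.0.5 GET /beacon - 80 - 203.0.113.7 HTTP/1.1 curl/7.68.0 - http://ref.example/ sinkholed.example 200 0 0 128 90
"""

# Assumed mapping from W3C field names (as written in #Fields) to dataset field names.
W3C_TO_DATASET = {
    "c-ip": "indicator",
    "cs-username": "cs_username",
    "cs-version": "cs_version",
    "cs(User-Agent)": "cs_ua",
    "cs(Cookie)": "cs_cookie",
    "cs(Referer)": "cs_referrer",
    "cs-host": "cs_host",
    "sc-status": "sc_status",
    "sc-substatus": "sc_substatus",
    "sc-win32-status": "sc_win32_status",
    "sc-bytes": "sc_bytes",
    "cs-bytes": "cs_bytes",
}
NUMERIC_FIELDS = {"sc_status", "sc_substatus", "sc_win32_status", "sc_bytes", "cs_bytes"}


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive.

    A real IIS log repeats #Fields on every rollover and may change the column
    layout, so the layout is re-read each time the directive appears.
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no entries
        if fields is None:
            raise ValueError("log entry seen before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def _decode(name, value):
    """Turn W3C placeholders and encodings into dataset-typed values."""
    if value == "-":          # W3C convention for an absent value
        return None
    if name in NUMERIC_FIELDS:
        return int(value)
    if name == "cs_ua":       # IIS writes spaces inside the UA string as '+'
        return value.replace("+", " ")
    return value


def to_sinkhole_records(text, attribution, tag):
    """Build sinkhole_traffic-style records from a W3C log excerpt.

    attribution and tag come from the analyst who owns the sinkhole (which
    threat checks in here, and whether it is APT or crimeware/botnet).
    """
    entries = list(parse_w3c(text))
    counts = Counter(e.get("c-ip") for e in entries)   # count_rec is per client IP
    records = []
    for entry in entries:
        rec = {"attribution": attribution, "tag": tag, "indicator_context": "sinkhole_ip"}
        for w3c_name, ds_name in W3C_TO_DATASET.items():
            if w3c_name in entry:
                rec[ds_name] = _decode(ds_name, entry[w3c_name])
        try:
            IPv4Address(rec["indicator"])
        except (KeyError, ValueError):
            continue  # indicator_type is always ipv4addr; drop anything else
        rec["indicator_type"] = "ipv4addr"
        rec["count_rec"] = counts[rec["indicator"]]
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in to_sinkhole_records(SAMPLE_LOG, attribution="example-family", tag="APT"):
        print(rec)
```

The column count check matters in practice: sinkhole logs are appended to by several processes, and a truncated or interleaved line silently shifts every later column (a status code landing in cs_bytes, for instance) unless the parser refuses it.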