Over the years, Shadowserver’s report list has grown considerably from when we originally started. Our daily reports now number over 80 distinct types and they include data from a large amount of sources, including sinkholes, sandboxes, scans, honeypots and several others. When some of these reports were originally set up, the requirements were different to those needed today.
As a result, various stop gap measures were employed – some of the report types formats had to be modified over time and extended, and sometimes new data types adapted to fit, and in some cases some data sets were more forcibly modified so that the report still worked. This has sometimes led to confusion to our report recipients. What is the exact difference between a drone report and a sinkhole report for example? Additionally, some report types have not been used for a long time.
We have therefore decided to implement changes with some of the existing report types, especially those related to our sinkholes and honeypots, as well as remove some legacy reports.
The following reports will be reorganized (old reports will be marked as LEGACY on 2021-06-01, and after 2021-06-01 only the new reports will be available in their place):
- Amplification DDoS Victim Report –> Honeypot Amplification DDoS Events [event-honeypot-ddos-amp]
- Brute Force Attack Report –> Honeypot Brute Force Events [event-honeypot-brute-force]
- CAIDA IP Spoofer report –> IP Spoofer Events Report [event-ip-spoofer]
- Darknet Report –> Darknet Events [event-honeypot-darknet]
- Drone/Botnet-Drone Report –> Sinkhole Events Report [event-sinkhole], Darknet Events [event-honeypot-darknet], Sinkhole HTTP Events Report [event-sinkhole-http]
- HTTP Scanners Report –> Honeypot HTTP Scanner Events [event-honeypot-http-scan]
- ICS Scanners Report –> Honeypot ICS Scanner Events [event-honeypot-ics-scan]
- Microsoft Sinkhole Report –> Sinkhole HTTP Events Report [event-sinkhole-http]
- Sinkhole DNS Report –> Sinkhole DNS Events Report [event-sinkhole-dns]
- Sinkhole HTTP Drone Report –> Sinkhole HTTP Events Report [event-sinkhole-http]
- Sinkhole HTTP Referrer Report –> Sinkhole HTTP Referer Events Report [event-sinkhole-http-referer]
- Sinkhole6 HTTP Drone Report –> Sinkhole HTTP Events Report [event-sinkhole-http]
Additionally, the following reports are now no longer in use (all now marked LEGACY):
- Click-Fraud Report
- Compromised Host Report
- DDoS Report
- Botnet Drone Hadoop Report
- Honeypot URL Report
The new reports above will have both IPv4 and IPv6 versions with exactly the same fields distinguished by an event4 or event6 prefix in their file names respectively.
Changes will come into effect on 2021-06-01. On that day, the old reports will cease and only the new equivalents will be sent out. Until that time, starting 2021-04-05 both the old reports and new reports will function in parallel. Existing subscribers will continue to receive the old reports until 2021-06-01, as well as a copy of the new reports. This will hopefully ensure a smoother migration process. New subscribers will start receiving the new reports only on sign up immediately as of 2021-04-05.
If you have any questions or concerns please contact us.