Bulk report format
Bulk report python script for Linux auth log
IPThreat accepts two CSV formats for bulk reporting. In both formats the header row is required and its columns must appear in exactly the order shown.
- Max payload is 2 megabytes.
- Duplicate submissions will be consolidated.
- If a value contains a comma, you must use double quote (") around the value.
- If a value contains a quote, you must escape the quote with a backslash.
- Backslashes must be escaped with a second backslash.
IPThreat format (IP,Counter,Flags,Notes,SystemAttacked,Timestamp)
IP (String): The offending IP address, in IPv4 or IPv6 notation.
Counter (Integer): The number of attacks aggregated into this row. Accepts values of 1-10. If left empty, 1 will be used.
Flags (Integer or String): An integer is the bitwise OR of the flag values below; a string is a comma-separated list of flag names (the field then contains commas, so it must be double-quoted). The possible values are:
Dns (1): Abuse/attack of dns (domain name server)
Fraud (2): General fraud, whether orders, misuse of payment info, etc
DDos (4): Distributed denial of service attack, whether through http requests, large ping attack, etc
BruteForce (8): Brute force login attack
Proxy (16): IP is a proxy like TOR or other proxy server
Spam (32): Email, comment or other type of spam
Vpn (64): IP is part of a VPN
Hacking (128): General hacking other than brute force attacks (includes vulnerability scans, SQL injection, etc.). Use the PortScan flag instead if the activity is just probing ports.
BadBot (256): Bad bot that is not honoring robots.txt or just flooding with too many requests, etc
Compromised (512): The ip has been taken over by malware or botnet
Phishing (1024): The ip is involved in phishing or spoofing
Iot (2048): The IP has targeted an IoT (Internet of Things) device
PortScan (4096): Port scan
Notes (String): Max 1000 characters. OK to leave blank. Can contain a short log snippet or other useful information. Please remove timestamps, user names and any other personally identifiable information before submitting.
SystemAttacked (String): Short acronym (or app name) for the attacked system, e.g. RDP, SSH, SMTP, MYSQL. 32 characters max.
Timestamp (String): Timestamp of when the attack took place. Most date formats will be accepted, but for the best chance of accuracy, use ISO-8601.
IP,Counter,Flags,Notes,SystemAttacked,Timestamp
18.104.22.168,1,Hacking,RDP failed login,RDP,2022-06-10T01:02:03Z
22.214.171.124,2,DDOS,,PHP,2022-06-10T03:02:03Z
126.96.36.199,2,"BruteForce,Compromised",Machine compromised by malware,SSH,2022-06-10T05:02:03Z
188.8.131.52,1,4224,Port scan 22; login failed,SSH,2022-06-10T07:02:03Z
184.108.40.206,5,"Fraud,Phishing",Mass email impersonating cfo,SMTP,2022-06-10T09:03:04Z
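As an added example (not IPThreat's own script), the following Python routine turns sshd failures from a Linux auth log into a report in the format above, applying the flag, escaping, counter-cap, notes-length and 2 MB payload rules. The sample log lines, the year and the UTC zone are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Flag bit values exactly as listed in the format description above.
FLAGS = {"Dns": 1, "Fraud": 2, "DDos": 4, "BruteForce": 8, "Proxy": 16, "Spam": 32, "Vpn": 64,
         "Hacking": 128, "BadBot": 256, "Compromised": 512, "Phishing": 1024, "Iot": 2048, "PortScan": 4096}
HEADER = "IP,Counter,Flags,Notes,SystemAttacked,Timestamp"
# sshd failure line as written to /var/log/auth.log; the user name is matched but deliberately not captured.
FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?\S+ from (\S+) port \d+")
# Constructed sample log using documentation addresses; the third line must be ignored.
SAMPLE_LOG = [
    "Jun 10 01:02:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jun 10 01:02:05 host sshd[1235]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Jun 10 01:02:06 host sshd[1237]: Accepted publickey for deploy from 192.0.2.9 port 40000 ssh2",
    "Jun 10 01:03:00 host sshd[1236]: Failed password for invalid user test from 198.51.100.7 port 44444 ssh2",
]

def flags_value(names):
    """Bitwise OR of the named flags; an unknown name raises KeyError."""
    value = 0
    for name in names:
        value |= FLAGS[name]
    return value

def csv_field(value):
    """Escape per the rules above: double backslashes, backslash-escape quotes, wrap in quotes on comma."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"' if "," in value else escaped

def auth_log_to_report(lines, year):
    """Aggregate sshd failures per IP into the CSV payload: counter capped at 10, no user names in Notes."""
    counts, last = Counter(), {}
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts, ip = m.groups()
            # syslog timestamps carry no year or zone; assume the caller's year and UTC (assumption).
            last[ip] = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
            counts[ip] += 1
    rows = []
    for ip, n in counts.items():
        note = csv_field(f"sshd: {n} failed password attempt(s), see auth.log"[:1000])
        rows.append(",".join([ip, str(min(n, 10)), str(flags_value(["BruteForce"])), note,
                              "SSH"[:32], last[ip].strftime("%Y-%m-%dT%H:%M:%SZ")]))
    body = "\n".join([HEADER] + rows) + "\n"
    if len(body.encode("utf-8")) > 2 * 1024 * 1024:  # max payload is 2 megabytes
        raise ValueError("payload exceeds 2 MB; split the report")
    return body
```

Calling `auth_log_to_report(SAMPLE_LOG, 2022)` yields one row per attacking IP with the Notes field quoted because it contains a comma.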