
Exercise 1.2: Querying IP Data

Next, query data for your own IP address, then query "87.251.74.48":

curl 'https://isc.sans.edu/api/ip/87.251.74.48?json' | jq .

We use the JSON output and pipe it to "jq" to obtain a pretty printed output.

Next, we retrieve more detailed records for this IP address. We save the result to a file so that subsequent queries do not need to hit the website again:

curl 'https://isc.sans.edu/api/ipdetails/87.251.74.48?json' > ex12.json

Review the lengthy list of records:

jq . < ex12.json | less

Let's try to find the target ports hit by this IP address:

jq '.[].targetport' < ex12.json | sort | uniq -c | sort -n

The result should be close to:

   6 2222
4721 3128
6716 22

We can use the ISC web site to review these ports. Port 3128, for example:

curl 'https://isc.sans.edu/api/port/3128?json' | jq .

The result will be similar to the following (the figures are per day and change over time):

{
  "number": 3128,
  "data": {
    "date": "2020-06-23",
    "records": 13466,
    "targets": 2710,
    "sources": 459,
    "tcp": 93,
    "udp": 0,
    "datein": "2020-06-23",
    "portin": 3128
  },
  "services": {
    "udp": {
      "service": 0,
      "name": 0
    },
    "tcp": {
      "service": "squid-http",
      "name": "Proxy Server"
    }
  }
}

Review the data using the web site:

https://isc.sans.edu/port.html?port=3128

Challenge

Using the list of API functions at https://isc.sans.edu/api, retrieve a list of all IP addresses scanning the internet for research purposes over the last 7 days.

Once you have obtained the list, count the number of IPs and count how many different research groups are listed.

Hint #1

The API function you are looking for is:

/api/threatcategory/research

Hint #2

Start by saving the output to a file:

curl "https://isc.sans.edu/api/threatcategory/research?json" > research.json

Hint #3

Use "jq" to extract the IPs and count them:

jq '.[].ipv4' < research.json | sort -u | wc -l

Hint #4

You can use essentially the same command as in Hint #3 to count the different research groups; just replace "ipv4" with "type".

Solution

The list contains 3,417 IP addresses from 11 different groups. The commands to obtain the solution are:

jq '.[].ipv4' < research.json | sort -u | wc -l
jq '.[].type' < research.json | sort -u | wc -l
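As an added example (not part of the course page), the same two analyses in Python using only the standard library: the target-port count from the main exercise and the IP/research-group count from the challenge. The record fields targetport, ipv4 and type are the ones the exercise's jq filters use; the sample records below are constructed, and fetch_json (a cache-on-disk wrapper around the live API, mirroring the "curl ... > ex12.json" step) is an assumed helper, not something the ISC API provides.

```python
import json
import urllib.request
from collections import Counter
from pathlib import Path

ISC_API = "https://isc.sans.edu/api"


def fetch_json(endpoint, cache_file):
    """Fetch an ISC API endpoint as JSON, caching the raw response on disk so
    repeated analysis does not query the site again (like 'curl ... > ex12.json').
    endpoint is e.g. 'ipdetails/87.251.74.48' or 'threatcategory/research'."""
    cache = Path(cache_file)
    if not cache.exists():
        with urllib.request.urlopen(f"{ISC_API}/{endpoint}?json") as resp:
            cache.write_bytes(resp.read())
    return json.loads(cache.read_text())


def target_port_counts(records):
    """Equivalent of jq '.[].targetport' | sort | uniq -c: reports per
    destination port, most-hit port first. int() normalises the value whether
    the API returns it as a number or a string."""
    return Counter(int(r["targetport"]) for r in records).most_common()


def research_summary(records):
    """Equivalent of the two jq ... | sort -u | wc -l pipelines: distinct scanner
    IPs and distinct research groups ('type'). Records missing a field are
    skipped; the jq pipeline would count a literal 'null' line as one value."""
    ips = {r["ipv4"] for r in records if r.get("ipv4")}
    groups = {r["type"] for r in records if r.get("type")}
    return len(ips), len(groups)


# Constructed sample records in the shape of the two endpoints (not real ISC data).
SAMPLE_IPDETAILS = [
    {"targetport": 22}, {"targetport": 3128}, {"targetport": 22},
    {"targetport": 2222}, {"targetport": 22},
]
SAMPLE_RESEARCH = [
    {"ipv4": "192.0.2.10", "type": "group-a"},
    {"ipv4": "192.0.2.10", "type": "group-a"},
    {"ipv4": "192.0.2.11", "type": "group-a"},
    {"ipv4": "198.51.100.7", "type": "group-b"},
    {"ipv4": None, "type": "group-b"},
]

if __name__ == "__main__":
    print(target_port_counts(SAMPLE_IPDETAILS))   # [(22, 3), (3128, 1), (2222, 1)]
    print(research_summary(SAMPLE_RESEARCH))      # (3, 2)
```

To run it against live data, replace the samples with fetch_json("ipdetails/87.251.74.48", "ex12.json") and fetch_json("threatcategory/research", "research.json").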