Incoming feed - Shadow Server

Note

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.

Specifications

Transport type: Shadow Server Feed

Content type: Shadow Server JSON

Ingested data: JSON

Processed data: Threat intelligence reports.

Available report types
  • Blocklist: Block Listed IP Addresses

  • Compromise: Compromised IoT Devices

  • Compromise: Compromised Websites

  • Honeypot: Brute-force Attacks

  • Honeypot: DDoS Amplification

  • Honeypot: DDoS Target Commands

  • Honeypot: ICS Protocol Scans

  • Malware: Malware URLs

  • Population (IPv6): BGP Devices

  • Population (IPv6): HTTP Proxies

  • Population (IPv6): MSMQ Services

  • Population: BGP Devices

  • Population: HTTP Proxies

  • Population: MSMQ Services

  • Scan AFP: Apple Filing Protocol Scan

  • Scan EPMD: Erlang Port Mapper Daemon Scan

  • Scan HTTP Proxy: HTTP Proxy Service Scan

  • Scan HTTP: HTTP Service Scan

  • Scan ICS: Industrial Control Systems Scan

  • Scan IPP: Internet Printing Protocol Scan

  • Scan IPv6 DNS: IPv6 Domain Name System Scan

  • Scan IPv6 FTP: IPv6 File Transfer Protocol Scan

  • Scan IPv6 HTTP: IPv6 HTTP Service Scan

  • Scan IPv6 MQTT: IPv6 Message Queuing Telemetry Transport Scan

  • Scan IPv6 NTP: IPv6 Network Time Protocol Scan

  • Scan IPv6 SMTP: IPv6 Simple Mail Transfer Protocol Scan

  • Scan IPv6 SSH: IPv6 Secure Shell Scan

  • Scan IPv6 SSL: IPv6 Secure Sockets Layer Scan

  • Scan Kubernetes: Kubernetes Cluster Scan

  • Scan LDAP TCP: LDAP over TCP Scan

  • Scan Loop DoS: Loop Denial of Service Scan

  • Scan MySQL: MySQL Database Scan

  • Scan Rsync: Rsync Service Scan

  • Scan SLP: Service Location Protocol Scan

  • Scan SMTP: Simple Mail Transfer Protocol Scan

  • Scan SSH: Secure Shell Scan

  • Scan SSL: Secure Sockets Layer Scan

  • Scan STUN: Session Traversal Utilities for NAT Scan

  • Scan Ubiquiti: Ubiquiti Device Scan

  • Scan WS Discovery: Web Services Discovery Scan

  • Scan: ActiveMQ Services

  • Scan: Android Debug Bridge

  • Scan: Middlebox DDoS

  • Scan: Vulnerable HTTP Services

  • Sinkhole: DNS Requests

  • Sinkhole: HTTP Connections

  • Sinkhole: Non-HTTP Events

  • Special


Description: The feed provides threat intelligence reports.

Requirements

  • An API key with access to the Shadow Server feed.

Configure the incoming feed

  1. Create and edit an incoming feed.

  2. From the Transport type drop-down menu, select Shadow Server Feed.

  3. From the Content type drop-down menu, select Shadow Server JSON.

  4. The API URL field is automatically filled in with the default domain for the endpoint.
    You can add a proxy or set up ports according to your needs.
    Default value: https://transform.shadowserver.org.

  5. In the API key field, enter your API key.

  6. In the Secret key field, enter your secret key for Shadow Server.

  7. From the Include Report Type Feeds drop-down menu, select the report types you want to ingest.

  8. To use SSL verification, leave the checkbox selected.

  9. If SSL verification is enabled, in the Path to SSL certificate field, enter the path to your PEM file.
    Otherwise, leave the field empty.

  10. Click the Start ingesting from field, and use the drop-down calendar to select the date and time from which to start fetching content.

  11. To store your changes, click Save; to discard them, click Cancel.
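
Before saving the feed, it can help to confirm that the API URL, API key, secret key and PEM file from steps 4 to 9 work together. The following is an added example, not code from this product or from Shadow Server: it assumes the request scheme in Shadowserver's public API documentation (an `/api2/` path, a `test/ping` method, and an `HMAC2` header), and the credentials shown are constructed placeholders.

```python
import hashlib
import hmac
import json
import ssl
import urllib.request

API_URL = "https://transform.shadowserver.org"  # default from step 4


def build_signed_request(api_url, api_key, secret, method, params=None):
    """Return (url, body, headers) for a POST to {api_url}/api2/{method}.

    Assumption (Shadowserver public API docs, not this page): the API key goes
    in the JSON body and the HMAC2 header carries the hex HMAC-SHA256 of the
    exact body bytes, keyed with the secret.
    """
    payload = dict(params or {})
    payload["apikey"] = api_key
    body = json.dumps(payload).encode("utf-8")
    # The secret itself is never transmitted, only the MAC over the body.
    mac = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return f"{api_url.rstrip('/')}/api2/{method}", body, {"HMAC2": mac}


def build_tls_context(verify=True, ca_pem_path=None):
    """Steps 8-9: verify by default; ca_pem_path is the optional PEM file."""
    ctx = ssl.create_default_context(cafile=ca_pem_path if verify else None)
    if not verify:
        # Checkbox cleared: the server is no longer authenticated, so a
        # man-in-the-middle could read the API key and tamper with reports.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def check_credentials(api_key, secret, ca_pem_path=None, timeout=15):
    """Send one signed test/ping; a failure points at URL, keys or TLS."""
    url, body, headers = build_signed_request(API_URL, api_key, secret, "test/ping")
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    ctx = build_tls_context(verify=True, ca_pem_path=ca_pem_path)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder credentials; no network traffic is generated here.
    url, body, headers = build_signed_request(
        API_URL, "EXAMPLE-API-KEY", "EXAMPLE-SECRET", "test/ping")
    print(url, headers["HMAC2"])
```

Call `check_credentials()` with the real key pair from the host that runs the feed, so the test follows the same proxy and certificate path the feed will use.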