Sinkhole event data is generated by our "listen-only" machines, which simply listen for and store every data payload sent to them. These payloads often reveal what other scanners are probing for.
```json
{
  "target": {
    "port": "int",
    "ip": "string",
    "protocol": "string"
  },
  "data": {
    "payload": "string"
  },
  "origin": {
    "client_id": "string",
    "ip": "string",
    "type": "string",
    "ts": "int"
  }
}
```
- origin: Information about the origin of the payload, i.e. the remote machine that sent the payload
  - ip: IP address of the source of the payload
  - type: Static field, always "sinkhole", meant to distinguish from other events
  - client_id: Static field, always "sinkhole", meant to distinguish from other events
  - ts: Timestamp of when the payload was sent
- target: Information about the target of the payload, i.e. our machine that received the payload
  - ip: IP address of the destination of the payload
  - port: Port of the destination of the payload
  - protocol: Protocol of the destination of the payload (currently TCP only)
- data:
  - payload: Raw data that was sent and captured. No additional processing.
```json
{
  "target": {
    "port": 22,
    "ip": "188.166.92.187",
    "protocol": "tcp"
  },
  "data": {
    "payload": "SSH-2.0-libssh2_1.7.0\\r\\n"
  },
  "origin": {
    "client_id": "sinkhole",
    "ip": "24.249.200.182",
    "type": "sinkhole",
    "ts": 1538667592640
  }
}
```
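As an added example (not part of the original documentation or the feed's own tooling), the following Python consumer validates one raw sinkhole event against the schema above, checks the two static `"sinkhole"` fields, and reduces it to the values an analyst pivots on. It assumes `ts` is epoch milliseconds (the 13-digit value in the sample) and that an SSH identification string in the payload names the scanner's client software.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample event in the documented format (raw string keeps the page's escaped "\\r\\n" as-is).
SAMPLE_EVENT = r'''{"target":{"port":22,"ip":"188.166.92.187","protocol":"tcp"},
"data":{"payload":"SSH-2.0-libssh2_1.7.0\\r\\n"},
"origin":{"client_id":"sinkhole","ip":"24.249.200.182","type":"sinkhole","ts":1538667592640}}'''
# Expected sections and field types, as documented for sinkhole events.
SCHEMA = {
    "target": {"port": int, "ip": str, "protocol": str},
    "data": {"payload": str},
    "origin": {"client_id": str, "ip": str, "type": str, "ts": int},
}

def validate_event(event: dict) -> list:
    """Return a list of schema problems; an empty list means the event is well-formed."""
    problems = []
    for section, fields in SCHEMA.items():
        block = event.get(section)
        if not isinstance(block, dict):
            problems.append(f"missing section: {section}")
            continue
        for name, expected in fields.items():
            value = block.get(name)
            # bool is a subclass of int in Python, so reject it explicitly for "port"/"ts"
            if value is None or isinstance(value, bool) or not isinstance(value, expected):
                problems.append(f"bad or missing field: {section}.{name}")
    origin = event.get("origin") or {}
    for static in ("type", "client_id"):  # both are documented as always "sinkhole"
        if origin.get(static) != "sinkhole":
            problems.append(f"origin.{static} must be 'sinkhole'")
    return problems

def summarize(raw_json: str) -> dict:
    """Parse one raw event and reduce it to the fields an analyst pivots on."""
    event = json.loads(raw_json)
    problems = validate_event(event)
    if problems:
        raise ValueError("; ".join(problems))
    # ts is assumed to be epoch milliseconds (13-digit value in the page's sample).
    seen_at = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=event["origin"]["ts"])
    # Payload is stored raw; strip real CR/LF and the escaped form seen in the sample.
    banner = event["data"]["payload"].replace("\\r", "").replace("\\n", "").strip()
    target = event["target"]
    return {
        "source_ip": event["origin"]["ip"],
        "destination": f'{target["ip"]}:{target["port"]}/{target["protocol"]}',
        "seen_at": seen_at.isoformat(),
        # SSH identification strings start "SSH-2.0-<software>", which names the scanner's client
        "ssh_software": banner[len("SSH-2.0-"):] if banner.startswith("SSH-2.0-") else None,
    }
```

Events that fail validation raise `ValueError` rather than being silently summarized, so a malformed or spoofed record is visible in the pipeline instead of disappearing into aggregate counts.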