UDP Scans

The data format is gzip-compressed CSV with one record per line. Each file starts with a list of fields, so any use of this data should either strip the field headers, or pass the appropriate option to the parser. The current fields are timestamp-ts, saddr, sport, daddr, dport, ipid, ttl, and data. The timestamp-ts field is Unix time at UTC. The saddr and sport are the IP address that was scanned and the source port that it replied on respectively. The daddr and dport fields are the IP address and source port of the Project Sonar scanner. The ipid and ttl fields refer to the IP ID and Time to Live values in the response packet. Finally, the data field contains the hex-encoded raw response from the probe. The example below displays the header and first 9 records from the 2014-10-13 Portmap probe on UDP port 111: $ curl -s https://scans.io/data/rapid7/sonar.udp/20141013-portmap-111.csv.gz | \ zcat | head -n 10 timestamp-ts, saddr, sport, daddr, dport, ipid, ttl, data 1413359665,1.0.172.46,111,71.6.216.54,42864,0,45,65720a37000000010000000000000000000000000000000000000001000186a000000002000000060000006f00000001000186a000000002000000110000006f00000000 1413356593,1.0.238.59,111,71.6.216.51,54281,2,49,65720a37000000010000000000000000000000000000000000000001000186a000000002000000060000006f00000001000186a000000002000000110000006f00000000 1413360602,1.0.240.206,111,71.6.216.38,60359,0,50,65720a37000000010000000000000000000000000000000000000001000186a000000002000000060000006f00000001000186a000000002000000110000006f00000000 1413353967,1.0.254.233,111,71.6.216.37,35771,0,50,65720a37000000010000000000000000000000000000000000000001000186a000000002000000060000006f00000001000186a000000002000000110000006f00000001000186b800000001000000110000800000000001000186b8000000010000000600008000000000010005f75a00000002000000060000800100000001000186ab0000000100000011000002d600000001000186ab0000000200000011000002d600000001000186ab0000000100000006000002d900000001000186ab0000000200000006000002d900000001000186a300000002000000110000080100000001000186a300000003000000110000080100000001000186b500000001000000110000800300000001000186b500000003000000110000800300000001000186b500000004000000110000800300000001000186a500000001000000110000800400000001000186a500000001000000060000800200000001000186a500000002000000110000800400000001000186a500000002000000060000800200000001000186a500000003000000110000800400000001000186a500000003000000060000800200000000 1413359172,1.0.4.106,111,71.6.216.58,43145,0,48,65720a37000000010000000000000000000000000000000000000001000186a000000004000000060000006f00000001000186a000000003000000060000006f00000001000186a000000002000000060000006f00000001000186a000000004000000110000006f00000001000186a000000003000000110000006f00000001000186a000000002000000110000006f00000001000186a500000003000000060000964100000001000186a500000001000000060000964200000001000186a300000003000000060000080100000001000186b800000001000000110000d4c300000001000186b8000000010000000600009e2200000001000186b500000004000000060000964400000001000186b500000001000000110000030b000000010001878300000003000000060000080100000001000186b500000001000000060000030d00000000 1413356799,1.0.4.107,111,71.6.216.59,60701,0,48,65720a37000000010000000000000000000000000000000000000001000186a000000004000000060000006f00000001000186a000000003000000060000006f00000001000186a000000002000000060000006f00000001000186a000000004000000110000006f00000001000186a000000003000000110000006f00000001000186a000000002000000110000006f00000001000186a500000003000000060000964100000001000186a500000001000000060000964200000001000186a300000003000000060000080100000001000186b800000001000000110000814400000001000186b800000001000000060000c7e300000001000186b500000004000000060000964400000001000186b50000000100000011000002b7000000010001878300000003000000060000080100000001000186b50000000100000006000002b900000000 1413360637,1.0.5.35,111,71.6.216.47,46775,0,48,65720a37000000010000000000000000000000000000000000000001000186a000000004000000060000006f00000001000186a000000003000000060000006f00000001000186a000000002000000060000006f00000001000186a000000004000000110000006f00000001000186a000000003000000110000006f00000001000186a000000002000000110000006f00000001000186b800000001000000110000a37e00000001000186b800000001000000060000a81200000000 1413352740,1.0.5.36,111,71.6.216.48,33581,0,48,65720a37000000010000000000000000000000000000000000000001000186a000000004000000060000006f00000001000186a000000003000000060000006f00000001000186a000000002000000060000006f00000001000186a000000004000000110000006f00000001000186a000000003000000110000006f00000001000186a000000002000000110000006f00000001000186b800000001000000110000e3fa00000001000186b800000001000000060000dfd300000000 1413358705,1.0.5.47,111,71.6.216.59,41913,13798,111,65720a37000000010000000000000000000000000000000000000001000186a000000002000000110000006f00000001000186a000000003000000110000006f00000001000186a000000004000000110000006f00000001000186a000000002000000060000006f00000001000186a000000003000000060000006f00000001000186a000000004000000060000006f00000001000186a300000002000000060000080100000001000186a300000003000000060000080100000001000186a300000002000000110000080100000001000186a300000003000000110000080100000001000186a300000004000000060000080100000001000186a500000001000000060000080100000001000186a500000002000000060000080100000001000186a500000003000000060000080100000001000186a500000001000000110000080100000001000186a500000002000000110000080100000001000186a500000003000000110000080100000001000186b500000001000000060000080100000001000186b500000002000000060000080100000001000186b500000003000000060000080100000001000186b500000004000000060000080100000001000186b500000001000000110000080100000001000186b500000002000000110000080100000001000186b500000003000000110000080100000001000186b500000004000000110000080100000001000186b800000001000000060000080100000001000186b800000001000000110000080100000000 The table below lists all current and past UDP probes. We use DAP to handle the decoding and processing probe responses. Every probe below has a corresponding DAP decoder filter. Name Probe Port Description IPMI ipmi_623.pkt 623 IPMI Channel Authorization Request MDNS mdns_5353.pkt 5353 Multicast DNS (Bonjour) Services Query NATPMP natpmp_5351.pkt 5351 NATPMP Ping NETBIOS netbios_137.pkt 137 NetBIOS Status Request NTP Monlist ntp_123_monlist.pkt 123 NTP Monlist Request (Mode 7) NTP Readvar ntp_123.pkt 123 NTP Readvar Request (Mode 6) PORTMAP portmap_111.pkt 111 SunRPC Portmap Dump Request SIP sip_options.tpl 5060 SIP OPTIONS Request UPNP upnp_1900.pkt 1900 UPNP SSDP M-SEARCH Request WDBRPC wdbrpc_17185.pkt 17185 VxWorks Debugger Connect Request BACNET bacnet_rpm_47808.pkt 47808 BACNET RPM Request DNS dns_53.pkt 53 DNS bind.version Request MSSQL mssql_1434.pkt 1434 MSSQL Ping ; research@rapid7.com