
Sinkhole Data

Sinkhole event data is generated by our "listen-only" machines, which accept connections and store every data payload sent to them without responding. Because these machines offer no real service, anything that arrives is unsolicited traffic, and the payloads often reveal what other scanners are probing for and which tools they use.

Currently only available for Enterprise, via Data Stream

Schema

{
   "target":{
      "port":"int",
      "ip":"string",
      "protocol":"string"
   },
   "data":{
      "payload":"string"
   },
   "origin":{
      "client_id":"string",
      "ip":"string",
      "type":"string",
      "ts":"int"
   }
}

Contents of the fields:

  • origin: Information about the origin of the payload, i.e., the remote machine that sent it

    • ip: IP address of the source of the payload
    • type: Static field, always "sinkhole", meant to distinguish from other events
    • client_id: Static field, always "sinkhole", meant to distinguish from other events
    • ts: Timestamp of when the payload was sent, as a Unix epoch in milliseconds
  • target: Information about the target of the payload, i.e., our machine that received it

    • ip: IP address of the destination of the payload
    • port: Port of the destination of the payload
    • protocol: Protocol of the destination of the payload (currently TCP only)
  • data: The captured content

    • payload: Raw data that was sent and captured. No additional processing.

Event Example

{
   "target":{
      "port":22,
      "ip":"188.166.92.187",
      "protocol":"tcp"
   },
   "data":{
      "payload":"SSH-2.0-libssh2_1.7.0\\r\\n"
   },
   "origin":{
      "client_id":"sinkhole",
      "ip":"24.249.200.182",
      "type":"sinkhole",
      "ts":1538667592640
   }
}
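A small consumer for this format, added here as an illustration and not part of Shodan's own client code. It validates each event against the schema above, converts the millisecond timestamp, and groups events by origin IP so you can see which ports a given scanner touched and what it sent. The input is a constructed newline-delimited stream: the first line is the example event from this page, the other two are invented follow-up probes (addresses and payloads are assumptions). The scanner label is a best-effort heuristic: an SSH client sends its identification string first, so the banner names the scanner's SSH library.

```python
"""Parse and summarize Shodan sinkhole events (example code, not Shodan's own)."""
import json
from datetime import datetime, timedelta, timezone

# Expected shape of a sinkhole event, taken from the schema on this page.
SCHEMA = {
    "target": {"port": int, "ip": str, "protocol": str},
    "data": {"payload": str},
    "origin": {"client_id": str, "ip": str, "type": str, "ts": int},
}

# Constructed sample stream, one JSON object per line. Line 1 is the page's example;
# lines 2 and 3 are invented probes added for illustration (assumed, not real data).
SAMPLE_STREAM = "\n".join(json.dumps(e) for e in [
    {"target": {"port": 22, "ip": "188.166.92.187", "protocol": "tcp"},
     "data": {"payload": "SSH-2.0-libssh2_1.7.0\\r\\n"},
     "origin": {"client_id": "sinkhole", "ip": "24.249.200.182", "type": "sinkhole", "ts": 1538667592640}},
    {"target": {"port": 2222, "ip": "188.166.92.187", "protocol": "tcp"},
     "data": {"payload": "SSH-2.0-libssh2_1.7.0\\r\\n"},
     "origin": {"client_id": "sinkhole", "ip": "24.249.200.182", "type": "sinkhole", "ts": 1538667593100}},
    {"target": {"port": 80, "ip": "188.166.92.187", "protocol": "tcp"},
     "data": {"payload": "GET / HTTP/1.1\\r\\nHost: 188.166.92.187\\r\\n\\r\\n"},
     "origin": {"client_id": "sinkhole", "ip": "198.51.100.7", "type": "sinkhole", "ts": 1538667600000}},
])


class SchemaError(ValueError):
    """Raised when an event does not match the documented schema."""


def parse_event(line):
    """Parse one JSON line into a validated, flattened event.

    A malformed line raises SchemaError rather than being half-parsed, so it
    cannot silently skew the aggregate statistics built on top of it.
    """
    raw = json.loads(line)
    for section, fields in SCHEMA.items():
        if not isinstance(raw.get(section), dict):
            raise SchemaError(f"missing section {section!r}")
        for name, typ in fields.items():
            value = raw[section].get(name)
            # bool is a subclass of int in Python, so reject it explicitly for int fields.
            if not isinstance(value, typ) or isinstance(value, bool):
                raise SchemaError(f"{section}.{name} should be {typ.__name__}")
    if raw["origin"]["type"] != "sinkhole":
        raise SchemaError("not a sinkhole event")
    ms = raw["origin"]["ts"]  # Unix epoch in milliseconds (13 digits in the page's example)
    return {
        "src_ip": raw["origin"]["ip"],
        "dst_ip": raw["target"]["ip"],
        "dst_port": raw["target"]["port"],
        "protocol": raw["target"]["protocol"].lower(),
        "time": datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000),
        "payload": raw["data"]["payload"],
    }


def scanner_profile(payload):
    """Best-effort label for the tool behind a probe, based on the first bytes it sent."""
    # The page's example shows CRLF as an escaped "\r\n"; accept both that and real CRLF.
    text = payload.replace("\\r\\n", "\r\n").strip()
    if not text:
        return "empty"
    if text.startswith("SSH-"):
        parts = text.split("-", 2)  # "SSH-2.0-libssh2_1.7.0" -> ["SSH", "2.0", "libssh2_1.7.0"]
        return "ssh:" + (parts[2] if len(parts) == 3 else text)
    return "other:" + text.split()[0]


def summarize(stream):
    """Group events by origin IP: ports probed, tools seen, first/last activity.

    Returns (per_source, skipped) where skipped counts lines rejected as malformed.
    """
    per_source = {}
    skipped = 0
    for line in stream.splitlines():
        if not line.strip():
            continue
        try:
            ev = parse_event(line)
        except (json.JSONDecodeError, SchemaError):
            skipped += 1
            continue
        entry = per_source.setdefault(ev["src_ip"], {
            "events": 0, "ports": set(), "tools": set(),
            "first_seen": ev["time"], "last_seen": ev["time"],
        })
        entry["events"] += 1
        entry["ports"].add(f'{ev["protocol"]}/{ev["dst_port"]}')
        entry["tools"].add(scanner_profile(ev["payload"]))
        entry["first_seen"] = min(entry["first_seen"], ev["time"])
        entry["last_seen"] = max(entry["last_seen"], ev["time"])
    return per_source, skipped


if __name__ == "__main__":
    sources, bad = summarize(SAMPLE_STREAM)
    for ip, info in sources.items():
        print(ip, info["events"], sorted(info["ports"]), sorted(info["tools"]),
              info["first_seen"].isoformat(), info["last_seen"].isoformat())
    print("skipped lines:", bad)
```

Feeding the real Data Stream through `summarize` one batch at a time gives a per-scanner view that the raw events do not: the same origin hitting 22 and 2222 with the same libssh2 banner is one campaign, not two unrelated hits. Keep the strict schema check; an upstream format change is better surfaced as a rising `skipped` count than as silently wrong statistics.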