u/aman2454

[Images 1 and 2: Botnet Mapping & Attack Pattern recognition - SpiderDox]

Botnet Mapping & Attack Pattern recognition- SpiderDox

https://spiderdox.com/

Hey there - I’m a backend engineer in the NetSec sector, and this is my pet project I’ve been on and off with for a couple of years. I have a dozen or so custom sensors deployed globally, collecting data from “spiders”, scanners, botnets, script kiddies, and AI actors.

It all started because I was looking at GreyNoise, and I realized I was detecting things that were *obviously* malicious on my (at the time) single sensor that GN wasn’t reporting!

I realized I could stream live events from a distributed network, and do real-time interpretation myself.
To this day, I still capture novel IPs weeks before GreyNoise associates them with anything.

While the sensors are basic (they only collect HTTP and HTTPS), over time I’ve played with a bunch of different ways to extract useful context from them.

Most recently I’ve added the “groups” view, which aggregates and analyzes all the events at scale, placing IPs into groups of semantically similar events, allowing the view of groups, inter-connected patterns, and the occasional association with CVEs.

The project isn’t perfect, but someone mentioned I should share it here. The point is to make this data publicly available, so I guess it makes sense.

You can check out the main portal at
https://spiderdox.com

And if you want the API docs, they’re at
https://api.spiderdox.com/docs

(Auth is broken, so sorry about that, but you shouldn’t need it)

The dataset is limited in various ways in what you can pull from it historically, but you’ll always be able to pull today’s data - either the raw events, the unique IPs, or the groups.

Anyways, enjoy! Let me know if you find something interesting :)

u/aman2454 — 6 days ago
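The post describes a "groups" view that places sensor IPs into groups of semantically similar HTTP events but does not say how the grouping is done. The script below is an added illustration of one way to do that over HTTP sensor data; it is not SpiderDox code and not the author's method. The sample events, the path normalisation rules, the Jaccard similarity measure and the 0.5 threshold are all assumptions made here for the example.

```python
"""Group sensor source IPs by the HTTP request patterns they share.

Added example, not SpiderDox code. Each IP gets a fingerprint: the set of
(method, normalised path) pairs it sent. IPs whose fingerprints overlap by
Jaccard similarity >= THRESHOLD are merged into one group (single linkage).
"""
import re
from collections import defaultdict

# Constructed sample events (src_ip, method, path, user_agent); not real data.
# Documentation ranges (TEST-NET) are used for the addresses.
EVENTS = [
    ("198.51.100.10", "GET", "/.env", "Mozilla/5.0"),
    ("198.51.100.10", "GET", "/.git/config", "Mozilla/5.0"),
    ("198.51.100.10", "GET", "/wp-login.php", "Mozilla/5.0"),
    ("203.0.113.7", "GET", "/.env", "python-requests/2.31"),
    ("203.0.113.7", "GET", "/.git/config", "python-requests/2.31"),
    ("203.0.113.7", "GET", "/wp-login.php", "python-requests/2.31"),
    ("203.0.113.7", "GET", "/phpmyadmin/", "python-requests/2.31"),
    ("192.0.2.44", "POST", "/cgi-bin/luci/;stok=/locale", "curl/8.0"),
    ("192.0.2.44", "GET", "/boaform/admin/formLogin", "curl/8.0"),
    ("192.0.2.45", "POST", "/cgi-bin/luci/;stok=/locale", "Go-http-client/1.1"),
    ("192.0.2.45", "GET", "/boaform/admin/formLogin", "Go-http-client/1.1"),
    ("192.0.2.99", "GET", "/", "Mozilla/5.0 (compatible; Googlebot/2.1)"),
]

THRESHOLD = 0.5  # assumed minimum Jaccard similarity to link two IPs


def normalize_path(path: str) -> str:
    """Drop the query string, lowercase, and collapse hex blobs and numbers
    so that '/user/123/x' and '/user/456/x' produce the same token."""
    path = path.split("?", 1)[0].lower()
    path = re.sub(r"[0-9a-f]{8,}", "<hex>", path)  # session ids, hashes
    path = re.sub(r"\d+", "<n>", path)             # numeric ids, versions
    return path


def fingerprints(events):
    """Map each source IP to the set of 'METHOD path' tokens it sent."""
    by_ip = defaultdict(set)
    for ip, method, path, _ua in events:
        by_ip[ip].add(f"{method} {normalize_path(path)}")
    return by_ip


def jaccard(a: set, b: set) -> float:
    """Jaccard similarity of two token sets (1.0 for two empty sets)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def group_ips(events, threshold: float = THRESHOLD):
    """Single-linkage clustering of IPs whose fingerprints overlap enough.

    Returns a list of groups, largest first, each with its member IPs and
    the tokens every member has in common.
    """
    fps = fingerprints(events)
    ips = sorted(fps)
    parent = {ip: ip for ip in ips}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for i, a in enumerate(ips):
        for b in ips[i + 1:]:
            if jaccard(fps[a], fps[b]) >= threshold:
                parent[find(a)] = find(b)

    members = defaultdict(list)
    for ip in ips:
        members[find(ip)].append(ip)

    groups = []
    for ip_list in members.values():
        shared = set.intersection(*(fps[ip] for ip in ip_list))
        groups.append({"ips": sorted(ip_list), "shared": sorted(shared)})
    groups.sort(key=lambda g: (-len(g["ips"]), g["ips"]))
    return groups


if __name__ == "__main__":
    for g in group_ips(EVENTS):
        print(f"{len(g['ips'])} IP(s): {', '.join(g['ips'])}")
        for token in g["shared"]:
            print(f"    shared: {token}")
```

With the constructed events this yields three groups: the two hosts probing `/.env`, `/.git/config` and `/wp-login.php` land together even though one of them also hit `/phpmyadmin/` (Jaccard 0.75), the two router-panel probers form a second group, and the crawler hitting only `/` stays on its own. On real sensor output the threshold and the normalisation rules are the knobs that decide how coarse the groups get; the user agent is deliberately left out of the fingerprint, since scanners rotate it far more readily than they rotate their target paths.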