Threat Monitoring using the DShield API from SANS

TMon - Internet Threat Monitor

TMon is a small tool which monitors the current online threat levels. It has a green, yellow, red level indicator, and information about top attacked ports and countries. It also provides information about the unique attacking sources (IPs).

The script gathers its information from the DShield API provided by SANS.


These are the modules used by TMon

  • argparse
  • datetime
  • ConfigParser
  • time
  • requests
  • os
  • fcntl
  • termios
  • struct
  • sys
  • termcolor
  • json
  • pygeoip
  • IPy


  • Add more port services
  • Add functionality for update snapshots
  • Add single snapshot functionality (instead of continuous monitoring)
  • Add attack difference display to see if anything has changed since last update

Set up

Before you can start using TMon you need to do the following:

  • Download and extract GeoIP.dat from maxmind (direct download)
  • Rename config-dist.cfg to config.cfg
  • Change the value of filepath under the geolocation section to point to your GeoIP.dat file
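
A preflight check for the three steps above, as an added example that is not part of TMon. It assumes config.cfg is an INI file that Python 3's configparser can read, with the geolocation section and filepath key named above; check_tmon_config is a hypothetical helper.

```python
import configparser
import os
import sys


def check_tmon_config(cfg_path="config.cfg"):
    """Return a list of setup problems; an empty list means setup looks complete."""
    if not os.path.isfile(cfg_path):
        return ["%s not found (rename config-dist.cfg to config.cfg)" % cfg_path]

    # interpolation=None so a '%' in a path is read literally
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read(cfg_path)
    except configparser.Error as exc:
        return ["%s could not be parsed: %s" % (cfg_path, exc)]

    if not parser.has_section("geolocation"):
        return ["%s has no [geolocation] section" % cfg_path]

    filepath = parser.get("geolocation", "filepath", fallback="").strip()
    if not filepath:
        return ["filepath under [geolocation] is missing or empty"]

    problems = []
    if not os.path.isfile(filepath):
        problems.append("filepath %r is not a file (GeoIP.dat not extracted there?)" % filepath)
    else:
        if not os.access(filepath, os.R_OK):
            problems.append("%r is not readable by the current user" % filepath)
        if os.path.getsize(filepath) == 0:
            problems.append("%r is empty (incomplete download or extraction?)" % filepath)
    return problems


if __name__ == "__main__":
    # Optional argument: path to config.cfg (defaults to the current directory)
    found = check_tmon_config(sys.argv[1] if len(sys.argv) > 1 else "config.cfg")
    for line in found:
        print("[!] " + line)
    sys.exit(1 if found else 0)
```

The script exits non-zero when any step is incomplete, so it can gate a wrapper that starts the monitor.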


-h, --help         show this help message and exit
--interval SEC     Update interval. Use this to override the value in the
--flush-log        Flush log on start
--debug            Enable debug mode
--max-ports #      Max number of ports to display
--max-ips #        Max number of sources to display
--max-countries #  Max number of countries to display
--status-only      Only display current threat status


usage: [-h] [--interval SEC] [--flush-log] [--debug] [--max-ports #]
               [--max-ips #] [--max-countries #] [--status-only]



Change log


[+] Fixed a bug with ljust on int


[+] Fixed bugs
[+] Added new command line options


[+] Initial release