Jon Hart edited this page Aug 6, 2018 · 14 revisions

Project Sonar produces multiple UDP datasets every month. This data is gathered by sending protocol-specific UDP probes across the entire IPv4 address space. The types of probes sent each week continue to expand as the project matures.

The data format is gzip-compressed CSV with one record per line. Each file starts with a header line listing the fields, so any consumer of this data should either strip the header or pass the appropriate option to the parser. The current fields are timestamp-ts, saddr, sport, daddr, dport, ipid, ttl, and data. The timestamp-ts field is Unix time in UTC. The saddr and sport fields are the IP address that was scanned and the source port that it replied on, respectively. The daddr and dport fields are the IP address and source port of the Project Sonar scanner. The ipid and ttl fields are the IP ID and Time to Live values in the response packet. Finally, the data field contains the hex-encoded raw response to the probe.

The example below displays the header and first 9 records from the 2014-10-13 Portmap probe on UDP port 111:

$ curl -s https://scans.io/data/rapid7/sonar.udp/20141013-portmap-111.csv.gz | \
  zcat | head -n 10

timestamp-ts, saddr, sport, daddr, dport, ipid, ttl, data
1413359665,1.0.172.46,111,71.6.216.54,42864,0,45,65720a37000000010000000000000000000000000000000000000001000186a000000002000000060000006f00000001000186a000000002000000110000006f00000000
1413356593,1.0.238.59,111,71.6.216.51,54281,2,49,65720a37000000010000000000000000000000000000000000000001000186a000000002000000060000006f00000001000186a000000002000000110000006f00000000
1413360602,1.0.240.206,111,71.6.216.38,60359,0,50,65720a37000000010000000000000000000000000000000000000001000186a000000002000000060000006f00000001000186a000000002000000110000006f00000000
1413353967,1.0.254.233,111,71.6.216.37,35771,0,50,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
1413359172,1.0.4.106,111,71.6.216.58,43145,0,48,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
1413356799,1.0.4.107,111,71.6.216.59,60701,0,48,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
1413360637,1.0.5.35,111,71.6.216.47,46775,0,48,65720a37000000010000000000000000000000000000000000000001000186a000000004000000060000006f00000001000186a000000003000000060000006f00000001000186a000000002000000060000006f00000001000186a000000004000000110000006f00000001000186a000000003000000110000006f00000001000186a000000002000000110000006f00000001000186b800000001000000110000a37e00000001000186b800000001000000060000a81200000000
1413352740,1.0.5.36,111,71.6.216.48,33581,0,48,65720a37000000010000000000000000000000000000000000000001000186a000000004000000060000006f00000001000186a000000003000000060000006f00000001000186a000000002000000060000006f00000001000186a000000004000000110000006f00000001000186a000000003000000110000006f00000001000186a000000002000000110000006f00000001000186b800000001000000110000e3fa00000001000186b800000001000000060000dfd300000000
1413358705,1.0.5.47,111,71.6.216.59,41913,13798,111,65720a37000000010000000000000000000000000000000000000001000186a000000002000000110000006f00000001000186a000000003000000110000006f00000001000186a000000004000000110000006f00000001000186a000000002000000060000006f00000001000186a000000003000000060000006f00000001000186a000000004000000060000006f00000001000186a300000002000000060000080100000001000186a300000003000000060000080100000001000186a300000002000000110000080100000001000186a300000003000000110000080100000001000186a300000004000000060000080100000001000186a500000001000000060000080100000001000186a500000002000000060000080100000001000186a500000003000000060000080100000001000186a500000001000000110000080100000001000186a500000002000000110000080100000001000186a500000003000000110000080100000001000186b500000001000000060000080100000001000186b500000002000000060000080100000001000186b500000003000000060000080100000001000186b500000004000000060000080100000001000186b500000001000000110000080100000001000186b500000002000000110000080100000001000186b500000003000000110000080100000001000186b500000004000000110000080100000001000186b800000001000000060000080100000001000186b800000001000000110000080100000000
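
The following added example (not Project Sonar or DAP code) reads a file in the format described above and decodes the data field of a Portmap record into its program/version/protocol/port mappings. The function names, the documentation-range IP addresses and the sample rows are constructed for illustration; responses are untrusted input, so malformed or truncated data returns None or a partial list instead of raising.

```python
import csv
import gzip
import io
import struct

PROTO = {6: "tcp", 17: "udp"}  # IP protocol numbers used in portmap entries

def read_records(fileobj):
    """Yield one dict per record; the header row is consumed, 'a, b' spacing accepted."""
    with gzip.open(fileobj, "rt", newline="") as fh:
        yield from csv.DictReader(fh, skipinitialspace=True)

def decode_portmap_dump(hex_data):
    """Return [(program, version, proto, port), ...] or None if not a valid reply."""
    try:
        raw = bytes.fromhex(hex_data)
    except ValueError:
        return None
    if len(raw) < 24:
        return None
    _xid, mtype, reply_stat, _flavor, verf_len = struct.unpack_from(">5I", raw, 0)
    off = 20 + verf_len + (-verf_len % 4)  # skip verifier body (XDR pads to 4)
    if mtype != 1 or reply_stat != 0 or off + 4 > len(raw):
        return None  # not an accepted RPC REPLY, or truncated
    if struct.unpack_from(">I", raw, off)[0] != 0:
        return None  # accept_stat is not SUCCESS
    off += 4
    mappings = []
    # Each entry: "value follows" flag (1), then program, version, protocol, port.
    while off + 20 <= len(raw) and struct.unpack_from(">I", raw, off)[0] == 1:
        prog, vers, prot, port = struct.unpack_from(">4I", raw, off + 4)
        mappings.append((prog, vers, PROTO.get(prot, str(prot)), port))
        off += 20
    return mappings

def sample_gz():
    """Constructed sample file: one valid portmap reply and one corrupt row."""
    words = [0x65720A37, 1, 0, 0, 0, 0, 1, 100000, 2, 6, 111, 1, 100000, 2, 17, 111, 0]
    data = struct.pack(">%dI" % len(words), *words).hex()
    text = ("timestamp-ts, saddr, sport, daddr, dport, ipid, ttl, data\n"
            "1413359665,192.0.2.10,111,198.51.100.5,42864,0,45," + data + "\n"
            "1413359666,192.0.2.11,111,198.51.100.5,42865,0,45,zz\n")
    return io.BytesIO(gzip.compress(text.encode()))

def summarize(fileobj):
    return {r["saddr"]: decode_portmap_dump(r["data"]) for r in read_records(fileobj)}

if __name__ == "__main__":
    print(summarize(sample_gz()))
```

Program 100000 is the portmapper itself; other program numbers in a response show which additional RPC services a host advertises.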

The table below lists all current and past UDP probes. We use DAP to handle the decoding and processing of probe responses. Every probe below has a corresponding DAP decoder filter.

| Name | Probe | Port | Description |
| --- | --- | --- | --- |
| IPMI | ipmi_623.pkt | 623 | IPMI Channel Authorization Request |
| MDNS | mdns_5353.pkt | 5353 | Multicast DNS (Bonjour) Services Query |
| NATPMP | natpmp_5351.pkt | 5351 | NATPMP Ping |
| NETBIOS | netbios_137.pkt | 137 | NetBIOS Status Request |
| NTP Monlist | ntp_123_monlist.pkt | 123 | NTP Monlist Request (Mode 7) |
| NTP Readvar | ntp_123.pkt | 123 | NTP Readvar Request (Mode 6) |
| PORTMAP | portmap_111.pkt | 111 | SunRPC Portmap Dump Request |
| SIP | sip_options.tpl | 5060 | SIP OPTIONS Request |
| UPNP | upnp_1900.pkt | 1900 | UPNP SSDP M-SEARCH Request |
| WDBRPC | wdbrpc_17185.pkt | 17185 | VxWorks Debugger Connect Request |
| BACNET | bacnet_rpm_47808.pkt | 47808 | BACNET RPM Request |
| DNS | dns_53.pkt | 53 | DNS bind.version Request |
| MSSQL | mssql_1434.pkt | 1434 | MSSQL Ping |