Setting up the InternetDB package

Configuring and Building from Source

The Shodan package for Zeek is open-source and available here.

Once you download the .tar.gz file, extract it and run the commands:

./configure && make && sudo make install

Install using zkg

The Zeek Package Manager (zkg) makes it easy for Zeek users to install and manage third-party scripts as well as plugins for Zeek and ZeekControl. Our InternetDB package has been added to the zkg package repository, so zkg is another way to set it up.

Note that this method requires installing zkg (and its dependencies) separately, which is usually easiest to do via pip3:

pip3 install zkg

After installing via pip3, zkg must be configured. Make sure you have already installed Zeek and set PATH as described in the previous guide.

zkg autoconfig
zkg refresh

Finally, install the shodan-zeek package, which contains the main InternetDB functions.

zkg install shodan-zeek

Download InternetDB SQLite (Optional)

The SQLite version of InternetDB requires a Shodan Enterprise license and lets you do fast IP enrichment from an offline database. To get started, visit the Account page and grab your API key. Afterwards, look for the update-internetdb.sh script in the folder extracted from the archive and edit the API key line at the top of the script with your own API key:

API_KEY="xxxx"

Now we just need to run the script. Note that the SQLite file takes up around 50GB of disk space and is placed in /usr/share/InternetDB. The Zeek package expects the SQLite file at that location, so do not change it:

$ ./update-internetdb.sh 
Connecting to the Shodan API...
Downloading latest file...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 4863M  100 4863M    0     0  4750k      0  0:17:28  0:17:28 --:--:-- 3448k
Verifying file integrity...
Uncompressing file...
Successfully updated InternetDB. Reload your application to take advantage of it.

Checking Zeek InternetDB plugin

At this point, you should be able to use the zeek command to confirm that the functions are available:

$ zeek -NN | grep InternetDB
InternetDB::lookup_internetdb - Get IP address information from Shodan InternetDB (dynamic, version 1.1.0)
    [Function] InternetDB::lookup_internetdb_api
    [Function] InternetDB::lookup_internetdb_sqlite
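The checks above (the API key edit in update-internetdb.sh, the SQLite location, and the `zeek -NN` output) are easy to get slightly wrong, and a wrong key or a misplaced database only shows up later as empty enrichment results. The script below is an added example, not part of the Shodan package, that turns those three checks into a single post-install script. It assumes the update script is at ./update-internetdb.sh unless another path is given, assumes the placeholder key is the literal xxxx shown above, and, because the database filename is not stated above, only checks that /usr/share/InternetDB contains a readable file. It also flags the case where the API_KEY line contains non-ASCII bytes, which is what happens when curly quotes are pasted from a web page and end up inside the key value.

```shell
#!/bin/sh
# check_internetdb.sh: post-install sanity checks for the Shodan InternetDB Zeek package.
# Added example, not part of the Shodan package. Assumptions are marked below.

# Both function names are taken from the `zeek -NN` output shown above.
API_FUNC='InternetDB::lookup_internetdb_api'
SQLITE_FUNC='InternetDB::lookup_internetdb_sqlite'

# Placeholder value assumed to be in update-internetdb.sh before you edit it.
PLACEHOLDER_KEY='xxxx'

# Location the Zeek package expects the SQLite database in (from the text above).
DB_DIR='/usr/share/InternetDB'

# Return 0 when the file (intended to hold `zeek -NN` output) lists both
# InternetDB functions, 1 otherwise.
has_internetdb_functions() {
    grep -q "$API_FUNC" "$1" 2>/dev/null && grep -q "$SQLITE_FUNC" "$1" 2>/dev/null
}

# Return 0 when the API_KEY line in the given update script holds something other
# than the placeholder (surrounding straight quotes are stripped), 1 otherwise.
api_key_is_set() {
    key=$(grep '^API_KEY=' "$1" 2>/dev/null | head -n 1 | cut -d= -f2- | tr -d '"'"'")
    [ -n "$key" ] && [ "$key" != "$PLACEHOLDER_KEY" ]
}

# Return 0 when the API_KEY line contains only printable ASCII. Curly quotes
# pasted from a web page are non-ASCII and would become part of the key value.
api_key_line_is_ascii() {
    line=$(grep '^API_KEY=' "$1" 2>/dev/null | head -n 1)
    [ -n "$line" ] && ! printf '%s' "$line" | LC_ALL=C grep -q '[^ -~]'
}

# Return 0 when the database directory holds at least one regular, readable file.
# The exact database filename is not given above, so only presence is checked.
sqlite_db_present() {
    dir=${1:-$DB_DIR}
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -r "$f" ] && return 0
    done
    return 1
}

# Run all checks against a live system and report; exit status 1 on any failure.
run_checks() {
    script=${1:-./update-internetdb.sh}   # assumed default path
    status=0
    tmp=$(mktemp) || return 1
    if zeek -NN > "$tmp" 2>/dev/null && has_internetdb_functions "$tmp"; then
        echo "ok   : zeek -NN lists both InternetDB functions"
    else
        echo "FAIL : zeek -NN does not list both InternetDB functions"; status=1
    fi
    rm -f "$tmp"
    if api_key_is_set "$script"; then
        echo "ok   : API_KEY in $script is not the placeholder"
    else
        echo "FAIL : API_KEY in $script is missing or still '$PLACEHOLDER_KEY'"; status=1
    fi
    if api_key_line_is_ascii "$script"; then
        echo "ok   : API_KEY line is plain ASCII"
    else
        echo "FAIL : API_KEY line contains non-ASCII bytes (pasted curly quotes?)"; status=1
    fi
    if sqlite_db_present "$DB_DIR"; then
        echo "ok   : $DB_DIR contains a readable file"
    else
        echo "FAIL : no readable file in $DB_DIR (SQLite database not downloaded?)"; status=1
    fi
    return "$status"
}

# Usage: ./check_internetdb.sh run [path/to/update-internetdb.sh]
if [ "${1:-}" = "run" ]; then
    run_checks "${2:-./update-internetdb.sh}"
fi
```

Run it with `./check_internetdb.sh run` from the extracted archive directory, or pass the path to your update-internetdb.sh as the second argument. The API_KEY check reads the script file directly rather than sourcing it, so the key is never executed or echoed.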