
IOC Sources

Vadim edited this page Mar 29, 2019 · 18 revisions

This page contains a list of sources which can be used to build RPZs. The list is not comprehensive (and cannot be comprehensive); if you find a new, good source of IOCs, please share it. The list is organized by the date a source was added. Some sources require a subscription, so please check the descriptions before copying/pasting.

Infoblox TIDE


IPs with expiration

Sample ActiveTrust TIDE IP source with IOC expiration time.

{source,{"at_ip_w_exp","https://**APIKEY**,expiration&data_format=csv","[:AXFR:]&from_date=[:FTimestamp:]","^(?!host)(?!ip)\"?\'?([A-Za-z0-9][A-Za-z0-9\-\._]+)\"?\'?,?([0-9:TZtz -.]+)?$"}}.


Sample ActiveTrust TIDE Host source without IOC expiration time. It is recommended to use the expiration time.


RPZ/DNS Firewall Feeds

Subscription

You can use the universal shell: source type to fetch RPZ feeds. In the example below you need to provide a TSIG key and a server name or IP. base.rpz.infoblox.local is used as a sample feed name. You may use the full feed name or just part of it to extract a domain/FQDN from a rule (the awk command).

{source,{"base.rpz","shell:/usr/bin/dig -y **KEYNAME**:**TSIGKEY** @**SERVER** **base.rpz.infoblox.local** axfr | /bin/grep -e CNAME | /bin/grep -v '*.' | /usr/bin/awk -F '.base.rpz' '{print $1}'","",none}}.
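As an added illustration (not part of this page or the tool's own code), the Python below does what the dig | grep | awk pipeline above does, with two checks the one-liner lacks: it keeps only rules whose CNAME target is a blocking action, so rpz-passthru. whitelist entries are not imported as IOCs, and it skips rpz-ip / rpz-nsdname style triggers whose owner names are reversed prefixes rather than domains. The AXFR text and the zone name are constructed samples.

```python
# Constructed sample of what `dig ... axfr` prints for an RPZ zone (not a real feed).
SAMPLE_AXFR = """\
base.rpz.infoblox.local.\t300\tIN\tSOA\tns.infoblox.local. hostmaster.infoblox.local. 42 3600 600 86400 300
base.rpz.infoblox.local.\t300\tIN\tNS\tns.infoblox.local.
bad.example.base.rpz.infoblox.local.\t300\tIN\tCNAME\t.
*.bad.example.base.rpz.infoblox.local.\t300\tIN\tCNAME\t.
evil.example.base.rpz.infoblox.local.\t300\tIN\tCNAME\t*.
trusted.example.base.rpz.infoblox.local.\t300\tIN\tCNAME\trpz-passthru.
drop.example.base.rpz.infoblox.local.\t300\tIN\tCNAME\trpz-drop.
walled.example.base.rpz.infoblox.local.\t300\tIN\tCNAME\tsinkhole.example.net.
32.1.2.0.192.rpz-ip.base.rpz.infoblox.local.\t300\tIN\tCNAME\t.
base.rpz.infoblox.local.\t300\tIN\tSOA\tns.infoblox.local. hostmaster.infoblox.local. 42 3600 600 86400 300
"""

# Well-known RPZ CNAME targets and the policy action each one encodes.
RPZ_ACTIONS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}

# Actions that actually deny or redirect the lookup; only these are IOCs worth importing.
BLOCKING_ACTIONS = {"NXDOMAIN", "NODATA", "DROP", "LOCAL-DATA"}

# Trigger suffixes other than the plain QNAME trigger; their owner names are not domains.
NON_QNAME_TRIGGERS = (".rpz-ip", ".rpz-client-ip", ".rpz-nsdname", ".rpz-nsip")


def parse_rpz_axfr(text, zone):
    """Return [(name, action)] for every QNAME rule in an RPZ AXFR dump."""
    suffix = "." + zone.strip(".") + "."
    rules = []
    for line in text.splitlines():
        fields = line.split()
        # A CNAME record line has owner, TTL, class, type and target.
        if len(fields) < 5 or fields[3] != "CNAME":
            continue
        owner, target = fields[0], fields[4]
        if not owner.endswith(suffix):
            continue                      # not a rule of this zone
        name = owner[: -len(suffix)]
        if name.startswith("*."):
            continue                      # wildcard rule, as the page's grep -v '*.' drops it
        if name.endswith(NON_QNAME_TRIGGERS):
            continue                      # IP/NS triggers: reversed prefixes, not FQDNs
        # Any other target is local data (walled garden / sinkhole), which still blocks.
        action = RPZ_ACTIONS.get(target, "LOCAL-DATA")
        rules.append((name.lower(), action))
    return rules


def blocked_domains(text, zone):
    """Domains whose rule denies or redirects resolution; PASSTHRU entries are excluded."""
    return [name for name, action in parse_rpz_axfr(text, zone) if action in BLOCKING_ACTIONS]


if __name__ == "__main__":
    for name, action in parse_rpz_axfr(SAMPLE_AXFR, "base.rpz.infoblox.local"):
        print(f"{name:20} {action}")
    print("IOCs to import:", blocked_domains(SAMPLE_AXFR, "base.rpz.infoblox.local"))
```

Whether LOCAL-DATA (walled-garden) rules should count as IOCs depends on the feed; the set BLOCKING_ACTIONS is the single place to change that.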



All DGA (about 1m indicators)

{source,{"dga","","[:AXFR:]","^[^\s\t]*[\s\t]*([A-Za-z0-9][A-Za-z0-9\-\._]+)[\s\t]*.*:00.*([0-9: -]+)$"}}.

DGA Blackhole


DGA Blackhole with Expiration

This is a sample zone with IOC expiration. Usually an expiration date is not required for DGA, because the zone is updated in a timely manner.

{source,{"blackhole_exp","","[:AXFR:]","^([A-Za-z0-9][A-Za-z0-9\-\._]+)\t.*:00\t([0-9: -]+)$"}}.
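Added example, not code from this page or the tool: a small Python extractor that applies a line regex in the style of the TIDE and blackhole_exp source definitions above, parses the captured expiration timestamp and drops IOCs that have already expired, so stale entries never reach the RPZ. The TIDE-style CSV and the tab-separated blackhole lines are constructed samples, and the regexes, timestamp formats and the reference time NOW are this example's own assumptions, not a statement of the real feeds' formats.

```python
import re
from datetime import datetime

# Constructed sample inputs in the two layouts this page describes (not real feed data).
TIDE_CSV = """\
host,expiration
"still-live.example","2019-04-30T00:00:00Z"
"already-expired.example","2019-03-01T00:00:00Z"
"no-expiry.example"
"""

BLACKHOLE_ZONE = (
    "fresh-dga.example\t2019-03-20 00:00:00\t2019-04-20 00:00:00\n"
    "stale-dga.example\t2019-02-01 00:00:00\t2019-03-01 00:00:00\n"
    "; comment line that must not match\n"
)

# Assumed patterns for this example: group 1 = indicator, group 2 = expiration (optional).
TIDE_RE = re.compile(r'^"?([A-Za-z0-9][A-Za-z0-9._-]+)"?(?:,"?([0-9TZ:. -]+?)"?)?$')
BLACKHOLE_RE = re.compile(r'^([A-Za-z0-9][A-Za-z0-9._-]+)\t.*:00\t([0-9: -]+)$')

# Timestamp layouts accepted for the expiration field (assumption for this example).
EXPIRY_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S")

# Reference "current time" for the constructed samples (the page's edit date).
NOW = datetime(2019, 3, 29, 0, 0, 0)


def parse_expiry(text):
    """Parse an expiration timestamp in one of EXPIRY_FORMATS; reject anything else."""
    for fmt in EXPIRY_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised expiration timestamp: {text!r}")


def extract_iocs(text, pattern, now, headers=("host", "ip")):
    """Return [(indicator, expiry)] for matching lines whose IOC has not expired yet."""
    live = []
    for line in text.splitlines():
        m = pattern.match(line)
        if not m:
            continue                      # comments, blank lines, malformed rows
        indicator = m.group(1).lower()
        if indicator in headers:
            continue                      # CSV header row
        expiry = parse_expiry(m.group(2)) if m.group(2) else None
        if expiry is not None and expiry <= now:
            continue                      # expired IOC: keep it out of the RPZ
        live.append((indicator, expiry))
    return live


def live_indicators(text, pattern, now):
    """Just the indicator names that are still live."""
    return [name for name, _ in extract_iocs(text, pattern, now)]


def rpz_nxdomain_rules(indicators):
    """Render QNAME-trigger NXDOMAIN rules, one per indicator, in zone-file form."""
    return [f"{name} CNAME ." for name in indicators]


if __name__ == "__main__":
    for label, text, pattern in (("tide", TIDE_CSV, TIDE_RE), ("blackhole", BLACKHOLE_ZONE, BLACKHOLE_RE)):
        print(label, rpz_nxdomain_rules(live_indicators(text, pattern, NOW)))
```

A timestamp the parser does not recognise raises instead of being silently treated as "never expires"; for a feed that is re-fetched on a schedule, failing loudly on a format change is preferable to quietly keeping every entry forever.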

DGA Cryptolocker


DGA Conficker


Hajime Botnet


Other DGA

Other DGA lists can be found on the NetLab web-site.

TorExit nodes

The list of Tor exit nodes is taken from the Tor Network Status server.


DNS-BH – Malware Domain Blocklist by RiskAnalytics

Description: The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware.

{source,{"dns-bh","","[:AXFR:]","^zone \"([A-Za-z0-9\-\._]+)\".*$"}}.

MaxMind Geo database

Subscription

Using MaxMind's DB you can build RPZs which prevent access to specific countries or cities. Minimal local file processing is required:

  • unzipping the file;
  • filtering the countries/cities to which access should be restricted.

North Korea block list


Notracking [2018-07-18]

Description: No more ads, tracking and other virtual garbage. This repository provides a host and domain name based blocklist. Most entries are gathered from multiple, actively maintained sources and automatically updated, cleaned, optimized and moderated on a daily basis. The blocklists support both ipv4 and ipv6.

{source,{"notracking_hosts","","[:AXFR:]","^0\.0\.0\.0 ([A-Za-z0-9\._\-]+[A-Za-z])$"}}.


URL: Description: PhishTank is a free community site where anyone can submit, verify, track and share phishing data. The source contains only phishing domains (URLs are not included) and IPs.

{source,{"phishtank","shell:/usr/bin/curl -sL**APIKEY**/online-valid.csv | /usr/bin/gawk 'match($0,/^[0-9]+,[^\\/]*\\/\\/([^\\/]+)\\/?,[^,]+,[^,]+,yes,/,a) {print a[1]}' | sort | uniq","[:AXFR:]",none}}.