
IOC Sources

Vadim edited this page Mar 29, 2019 · 18 revisions


This page contains a list of sources which can be used to build RPZs. The list is not comprehensive (and cannot be comprehensive); if you find a new good source of IOCs, please share it. The list is organized by the date when a source was added. Some sources require a subscription, so please check the descriptions before copy/pasting.

Infoblox TIDE

Subscription
URL: https://www.infoblox.com/products/activetrust/

IPs with expiration

Sample ActiveTrust TIDE IP source with IOC expiration time.

{source,{"at_ip_w_exp","https://**APIKEY**@api.activetrust.net:8000/api/data/threats/state/ip?profile=IID&field=ip,expiration&data_format=csv","[:AXFR:]&from_date=[:FTimestamp:]","^(?!host)(?!ip)\"?\'?([A-Za-z0-9][A-Za-z0-9\-\._]+)\"?\'?,?([0-9:TZtz -.]+)?$"}}.

Domains

Sample ActiveTrust TIDE host source without IOC expiration time. Using the expiration time is recommended.

{source,{"at_hosts","https://**APIKEY**@api.activetrust.net:8000/api/data/threats/state/host?profile=IID&field=host&data_format=csv","[:AXFR:]&from_date=[:FTimestamp:]","^(?!host)(?!ip)\"?\'?([A-Za-z0-9][A-Za-z0-9\-\._]+)[^A-Za-z0-9\-\._]*.*$"}}.

RPZ/DNS Firewall Feeds

Subscription

You can use the universal shell: source type to fetch RPZ feeds. In the example below you need to provide a TSIG key and a server name or IP. base.rpz.infoblox.local is used as a sample feed name. You may use the full feed name or just part of it to extract a domain/FQDN from a rule (the awk command).

{source,{"base.rpz","shell:/usr/bin/dig -y **KEYNAME**:**TSIGKEY** @**SERVER** **base.rpz.infoblox.local** axfr | /bin/grep -e CNAME | /bin/grep -v '*.' | /usr/bin/awk -F '.base.rpz' '{print $1}'","",none}}.

NetLab

Subscription
URL: http://data.netlab.360.com

All DGA (about 1m indicators)

{source,{"dga","http://data.netlab.360.com/feeds/dga/dga.txt","[:AXFR:]","^[^\s\t]*[\s\t]*([A-Za-z0-9][A-Za-z0-9\-\._]+)[\s\t]*.*:00.*([0-9: -]+)$"}}.

DGA Blackhole

{source,{"blackhole","http://data.netlab.360.com/feeds/dga/blackhole.txt","[:AXFR:]","^(?!host)(?!ip)\"?\'?([A-Za-z0-9][A-Za-z0-9\-\._]+)[^A-Za-z0-9\-\._]*.*$"}}.

DGA Blackhole with Expiration

This is a sample zone with IOC expiration. Usually an expiration date is not required for DGA, because the zone can be updated in a timely manner.

{source,{"blackhole_exp","http://data.netlab.360.com/feeds/dga/blackhole.txt","[:AXFR:]","^([A-Za-z0-9][A-Za-z0-9\-\._]+)\t.*:00\t([0-9: -]+)$"}}.

DGA Cryptolocker

{source,{"cryptolocker","http://data.netlab.360.com/feeds/dga/cryptolocker.txt","[:AXFR:]","^(?!host)(?!ip)\"?\'?([A-Za-z0-9][A-Za-z0-9\-\._]+)[^A-Za-z0-9\-\._]*.*$"}}.

DGA Conficker

{source,{"conficker","http://data.netlab.360.com/feeds/dga/conficker.txt","[:AXFR:]","^(?!host)(?!ip)\"?\'?([A-Za-z0-9][A-Za-z0-9\-\._]+)[^A-Za-z0-9\-\._]*.*$"}}.

Hajime Botnet

{source,{"bot.list","http://data.netlab.360.com/feeds/hajime-scanner/bot.list","[:AXFR:]","ip=([0-9\.]+)$"}}.

Other DGA

Other DGA lists can be found on the NetLab web-site.

TorExit nodes

Subscription
URL: http://blutmagie.de
The list of Tor exit nodes is taken from the Tor Network Status server.

{source,{"tor-exit","https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv","[:AXFR:]",none}}.

DNS-BH – Malware Domain Blocklist by RiskAnalytics

Subscription
URL: http://www.malwaredomains.com
Description: The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware.

{source,{"dns-bh","http://mirror1.malwaredomains.com/files/spywaredomains.zones","[:AXFR:]","^zone \"([A-Za-z0-9\-\._]+)\".*$"}}.

MaxMind Geo database

Subscription

Using MaxMind's DB you can build RPZs which will prevent access to specific countries or cities. Minimal local file processing is required:

  • unzipping the file;
  • filtering the countries/cities to which access should be restricted.

http://dev.maxmind.com/geoip/geoip2/geolite2/#MaxMind_APIs
http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip

North Korea block list

{source,{"geo_north_korea","file:cfg/GeoLite2-Country-Blocks-IPv4.csv","[:AXFR:]","^([^,]+),.*1873107.*"}}.

Notracking [2018-07-18]

Subscription
URL: https://github.com/notracking/hosts-blocklists
Description: No more ads, tracking and other virtual garbage. This repository provides a host and domain name based blocklist. Most entries are gathered from multiple, actively maintained sources and automatically updated, cleaned, optimized and moderated on a daily basis. The blocklists support both ipv4 and ipv6.

{source,{"notracking_hosts","https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt","[:AXFR:]","^0\.0\.0\.0 ([A-Za-z0-9\._\-]+[A-Za-z])$"}}.
{source,{"notracking_domains","https://raw.githubusercontent.com/notracking/hosts-blocklists/master/domains.txt","[:AXFR:]","^address=\/([A-Za-z0-9\._\-]+[A-Za-z])\/0\.0\.0\.0$"}}.

Phishtank

Subscription
URL: https://www.phishtank.com
Description: PhishTank is a free community site where anyone can submit, verify, track and share phishing data. The source contains only phishing domains (URLs are not included) and IPs.

{source,{"phishtank","shell:/usr/bin/curl -sL http://data.phishtank.com/data/**APIKEY**/online-valid.csv | /usr/bin/gawk 'match($0,/^[0-9]+,[^\\/]*\\/\\/([^\\/]+)\\/?,[^,]+,[^,]+,yes,/,a) {print a[1]}' | sort | uniq","[:AXFR:]",none}}.
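The regexes in the source definitions above decide what ends up in an RPZ (group 1 is the IOC, group 2 the optional expiration), so it pays to exercise them offline before pointing them at a live feed. The following is an added example, not code from this wiki or its project: it applies several of the page's regexes verbatim to constructed sample lines (RFC 5737 addresses and .test names) and shows which lines are accepted, skipped as headers/comments, and what gets captured.

```python
import re

# Regexes copied from this page's source definitions (Erlang \" and \' escapes
# unwrapped). Group 1 is the IOC; group 2, where present, is its expiration.
FEED_REGEX = {
    "at_ip_w_exp": r'^(?!host)(?!ip)"?\'?([A-Za-z0-9][A-Za-z0-9\-\._]+)"?\'?,?([0-9:TZtz -.]+)?$',
    "at_hosts": r'^(?!host)(?!ip)"?\'?([A-Za-z0-9][A-Za-z0-9\-\._]+)[^A-Za-z0-9\-\._]*.*$',
    "blackhole_exp": r'^([A-Za-z0-9][A-Za-z0-9\-\._]+)\t.*:00\t([0-9: -]+)$',
    "bot.list": r'ip=([0-9\.]+)$',
    "dns-bh": r'^zone "([A-Za-z0-9\-\._]+)".*$',
    "notracking_hosts": r'^0\.0\.0\.0 ([A-Za-z0-9\._\-]+[A-Za-z])$',
    "notracking_domains": r'^address=\/([A-Za-z0-9\._\-]+[A-Za-z])\/0\.0\.0\.0$',
}

# Constructed sample lines shaped to each feed's format; not real feed content.
SAMPLE_LINES = {
    "at_ip_w_exp": ["ip,expiration", "192.0.2.10,2019-04-01T00:00:00Z"],
    "at_hosts": ["host", "dga-c2.example.test"],
    "blackhole_exp": ["known-dga.example.test\tfamilyX\t2019-03-28 00:00:00\t2019-03-29 00:00:00"],
    "bot.list": ["ip=198.51.100.7"],
    "dns-bh": ['zone "malware.example.test"  {type master; file "/etc/namedb/blockeddomain.hosts";};'],
    "notracking_hosts": ["0.0.0.0 ads.example.test", "# comment line"],
    "notracking_domains": ["address=/tracker.example.test/0.0.0.0"],
}

def extract(regex, line):
    """Apply one source regex to one feed line.

    Returns (ioc, expiration), or None when the line must be skipped
    (CSV header, comment, malformed). expiration is None when the regex
    has no second group or that group did not take part in the match.
    """
    m = re.search(regex, line)
    if not m:
        return None
    expiration = m.group(2) if m.re.groups >= 2 else None
    return m.group(1), expiration

def check_sources():
    """Run every regex over its sample lines; returns {source: [(ioc, exp), ...]}."""
    results = {}
    for name, regex in FEED_REGEX.items():
        hits = (extract(regex, line) for line in SAMPLE_LINES[name])
        results[name] = [hit for hit in hits if hit]
    return results

if __name__ == "__main__":
    for name, hits in check_sources().items():
        print(f"{name:18} -> {hits}")
```

Swap in a few real lines from a feed you subscribe to and an unexpected empty list or a truncated capture points straight at the regex that needs adjusting.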