


Tool to fetch malicious domains and IP lists from sites that publish RSS feeds, delimited text documents, or raw HTML pages.


./web2intel.rb <option> <extras>

--q_mal 			- The Quttera malicious domains database
--q_sus 			- The Quttera suspicious domains database
--q_pot 			- The Quttera potentially suspicious database
--goz 				- Gameover Zeus (GoZeus) list from Bambenek Consulting
--mwdoms 			- DNS-BH – Malware Domain Blocklist
--malware_ta		- domains
--isc_low			- SANS Internet Storm Center LOW confidence block list
--isc_med			- SANS Internet Storm Center MEDIUM confidence block list
--isc_high			- SANS Internet Storm Center HIGH confidence block list
--sucuri_iframe		- Sucuri scanner identified iframe compromised web site list
--sucuri_redirect	- Sucuri scanner identified conditional redirections list (based on user agents or referers)
--sucuri_js			- Sucuri scanner identified encoded javascript (redirecting to blackhole and other exploit kits) or to build a remote call list
--webins 			- Comodo Web Inspector malicious, suspicious content, and malware site list
--cybersitter		- CYBERsitter Malicious Web Site Filter: Top 100 Phishing, Malicious and Suspicious Sites from the past 60 minutes
--twitter			- Twitter username (e.g. andrewsmhay). Do not prepend the '@' symbol
--phishtank			- OpenDNS PhishTank Domains
--cybersitter		- CYBERsitter Malicious Web Site Filter - Top 100
--malc0de			- Malc0de Blocklist
--cybercrime		- Cybercrime Tracker List
--dyndns			- Dynamic DNS Provider List
--nothink			- Malware DNS Network Traffic Blacklist from
--vxvault			- VX Vault Last 100 Links
--zeus_dom			- ZeuS Domain Blocklist from
--zeus_ip			- ZeuS IP Blocklist from
--feodo_dom			- Feodo Domain Blocklist from
--feodo_ip			- Feodo IP Blocklist from
--palevo_dom		- Palevo Domain Blocklist from
--palevo_ip			- Palevo IP Blocklist from
--spyeye_dom		- Spyeye Domain Blocklist from
--spyeye_ip			- Spyeye IP Blocklist from

--all 		- Generate a master list of all domains

--url		- Extract the fully qualified domain name (FQDN), protocol, port, and directory structure (if available)
--details	- Additional inline details (if available)

(C) Andrew Hay, 2014
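
The kind of breakdown the `--url` option describes (FQDN, protocol, port, directory structure), applied to a delimited text feed and reduced to a de-duplicated master list as `--all` describes. This is an added example, not code from web2intel.rb: the names `split_indicator`, `parse_feed`, `master_list` and `SAMPLE_FEED` are hypothetical, the feed lines are constructed, and the handling of defanged entries is an assumption about feed style.

```ruby
require 'uri'

# Constructed sample of a delimited text feed (placeholder domains, not real indicators).
SAMPLE_FEED = <<~FEED
  # constructed sample feed, comment lines start with '#'
  http://bad.example.com/landing/page.php
  https://Login.Example.NET:8443/a/b/index.html
  evil.example.org
  hxxp://defanged[.]example.com/x
  not a url at all
  http://bad.example.com/other
FEED

# Split one feed entry into FQDN, protocol, port and path.
# Returns nil for comments, blank lines and entries that do not parse.
def split_indicator(line)
  entry = line.strip
  return nil if entry.empty? || entry.start_with?('#')
  # Assumption: some feeds publish defanged entries; restore them before parsing.
  entry = entry.sub(/\Ahxxp/i, 'http').gsub('[.]', '.')
  # Bare domains carry no scheme; add one only so URI can locate the host.
  had_scheme = entry.match?(%r{\A[a-z][a-z0-9+.-]*://}i)
  uri = URI.parse(had_scheme ? entry : "http://#{entry}")
  return nil if uri.host.nil? || !uri.host.include?('.')
  {
    fqdn: uri.host.downcase,
    # Protocol and port are reported only when the feed actually stated a scheme.
    protocol: had_scheme ? uri.scheme.downcase : nil,
    port: had_scheme ? uri.port : nil,
    path: uri.path.empty? ? nil : uri.path
  }
rescue URI::InvalidURIError
  nil # malformed entries are skipped rather than guessed at
end

# Parse every line of a feed, dropping anything that is not an indicator.
def parse_feed(text)
  text.each_line.map { |l| split_indicator(l) }.compact
end

# Sorted, de-duplicated list of domains across all parsed entries.
def master_list(text)
  parse_feed(text).map { |r| r[:fqdn] }.uniq.sort
end
```
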

####Example 1 - Domains only

$ ./web2intel.rb --sucuri_iframe
#Title: Sucuri Research Labs Hidden iframes list
#2014-07-20 15:08:14 -0700

####Example 2 - Twitter

$ ./web2intel.rb --twitter InternetBadness
#Title: Twitter-based intel from
#2014-07-25 09:08:18 -0700


For any questions, bugs, or concerns, please use the GitHub issue submission system and/or reach out to @andrewsmhay on Twitter.
