Skip to content
No description, website, or topics provided.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
lib
.gitignore
LICENSE
README.md
web2intel.rb

README.md

web2intel

###About

Tool to fetch malicious domains and IP lists from sites that publish RSS feeds, delimited text documents, or raw HTML pages.

###Usage

./web2intel.rb <option> <extras>

<option>
--q_mal 			- The Quttera malicious domains database
--q_sus 			- The Quttera suspicious domains database
--q_pot 			- The Quttera potentially suspicious database
--goz 				- Gameover Zeus (GoZeus) list from Bambenek Consulting
--mwdoms 			- DNS-BH – Malware Domain Blocklist
--malware_ta		- Malware-Traffic-Analysis.net domains
--isc_low			- SANS Internet Storm Center LOW confidence block list
--isc_med			- SANS Internet Storm Center MEDIUM confidence block list
--isc_high			- SANS Internet Storm Center HIGH confidence block list
--sucuri_iframe		- Sucuri scanner identified iframe compromised web site list
--sucuri_redirect	- Sucuri scanner identified conditional redirections list (based on user agents or referers)
--sucuri_js			- Sucuri scanner identified encoded javascript (redirecting to blackhole and other exploit kits) or to build a remote call list
--webins 			- Comodo Web Inspector malicious, suspicious content, and malware site list
--cybersitter		- CYBERsitter Malicious Web Site Filter: Top 100 Phishing, Malicious and Suspicious Sites from the past 60 minutes
--twitter			- Twitter username (e.g. andrewsmhay). Do not prepend the '@' symbol
--phishtank			- OpenDNS PhishTank Domains
--cybersitter		- CYBERsitter Malicious Web Site Filter - Top 100
--malc0de			- Malc0de Blocklist
--cybercrime		- Cybercrime Tracker List
--dyndns			- Dynamic DNS Provider List
--nothink			- Malware DNS Network Traffic Blacklist from nothink.org
--vxvault			- VX Vault Last 100 Links
--zeus_dom			- ZeuS Domain Blocklist from abuse.ch
--zeus_ip			- ZeuS IP Blocklist from abuse.ch
--feodo_dom			- Feodo Domain Blocklist from abuse.ch
--feodo_ip			- Feodo IP Blocklist from abuse.ch
--palevo_dom		- Palevo Domain Blocklist from abuse.ch
--palevo_ip			- Palevo IP Blocklist from abuse.ch
--spyeye_dom		- Spyeye Domain Blocklist from abuse.ch
--spyeye_ip			- Spyeye IP Blocklist from abuse.ch

--all 		- Generate a master list of all domains

<extras>
--url		- Extract the fully quaified domain name (FQDN), protocol, port, and directory structure (if available)
--details	- Addtional inline details (if available)

(C) Andrew Hay, 2014
http://www.andrewhay.ca
https://twitter.com/andrewsmhay

####Example 1 - Domains only

$ ./web2intel.rb --sucuri_iframe
#Title: Sucuri Research Labs Hidden iframes list
#2014-07-20 15:08:14 -0700
ads.rzb.ir
www.scs.tv
gvlktdfay.ddns.info
38hartrobertsroad.com
www.bmconsulting.in
niu-sae.com
pgcsolutions.com.au
sterlinghealthmcs.com
gamedev.raconsultants.net
billing.zabiyaka.org
orion.martasegura.com
nioxox.nodoclender.com
joomla.philae.net
it.altervista.org
guessworkhiking.ru
1tvlive.in

####Example 2 - Twitter $ ./web2intel.rb --twitter InternetBadness #Title: Twitter-based intel from twitter.com/InternetBadness #2014-07-25 09:08:18 -0700 93.174.93.218 74.82.47.53 218.77.79.43 199.87.232.182 74.82.47.5 93.174.93.218 212.83.187.182 212.83.187.182 218.77.79.43 93.174.93.218 31.214.169.85 31.214.169.85 74.82.47.61 124.232.142.220 173.208.186.130 173.208.186.130 107.183.16.70 107.183.16.70 218.77.79.43 74.82.47.57

###Support

For any questions, bugs, or concerns, please use the GitHub issue submission system and/or reach out to @andrewsmhay on Twitter.

(C) Andrew Hay, 2014

You can’t perform that action at this time.