-
Notifications
You must be signed in to change notification settings - Fork 0
feed families
You will learn the six feed families, when to use each one, and how to decide which family fits your use case.
| Family | Description | Example |
|---|---|---|
| Source feed | Direct upstream feed from HTTP/HTTPS/local file |
dshield — downloads DShield block list every 10 minutes |
| Static feed | IP/CIDR list defined directly in YAML |
critical_public_dns_core — curated list of public DNS resolvers |
| Artifact-backed child | Feed derived from a downloaded artifact parent |
dronebl_anonymizers — extracted from the DroneBL buildzone artifact |
| History derivative | Time-window feed from a parent's retained snapshots |
dshield_1d — all IPs seen in DShield during the last 24 hours |
| Merge | Synthetic feed composed from other feeds |
firehol_level1 — union of dshield, feodo, fullbogons, spamhaus_drop |
| Provider database | ASN, GeoIP, or bogon enrichment source |
maxmind_geolite2_asn — IP-to-ASN mapping database |
I have an upstream URL that publishes IPs or CIDRs.
Use a source feed. Set url, frequency, output, and processor.
I have a small curated list that operators should customize.
Use a static feed. Set static: with the IP/CIDR list. Set frequency: 0 for config-change-only updates.
The upstream publishes a single large file containing multiple feed categories.
Use an artifact parent with artifact-backed children. Define the artifact in artifacts/, then define child feeds that reference it with artifact://<name>?parts=<parts>.
I want "all IPs seen in the last N days" for an existing feed.
Use a history derivative. Add history: to the parent source or merge definition.
I want to combine multiple feeds into one, with optional exclusions.
Use a merge. Define it in merges/ with sources and optional exclude.
I have ASN, GeoIP, or bogon reference data that enriches other feeds.
Use a provider database or provider-style source. Configure ASN and GeoIP databases with use: [asn] or use: [geoip]. Configure bogon reference sets with use: [bogons]; they still publish normal set files when they are not hidden.
- Source Feeds — direct upstream feeds
- Static Feeds — config-backed curated lists
- Merge Feeds — composed feeds with union/exclude
- Artifact Parents — downloadable artifacts that produce child feeds
- History Derivatives — time-window feeds from parent history
- Provider Databases — ASN, GeoIP, and bogon enrichment sources
- Daemon Command Reference
- Environment Variables
- Configuration Reload
- Listener Topologies
- Admin Authentication
- Feed Families
- Source Feeds
- Processor Reference
- Static Feeds
- Merge Feeds
- Artifact Parents
- History Derivatives
- Provider Databases
- Use Roles
- Critical Infrastructure Reference Feeds
- Legal Fields
- Feed Visibility & Lifecycle
- YAML Field Reference
- Pipeline Overview
- Download Lifecycle
- Processing Lifecycle
- Feed Status Reference
- Health Classes
- What Triggers Reprocessing
- Accessing the Admin
- Runtime Status
- Feed Inventory
- Artifact Inventory
- Live Queues
- Background Work
- Schedule State
- Operator Actions
- Enable & Disable