The Problem.
There are several existing projects on GitHub that aggregate several sources to produce a list of Command and Control (C&C) servers. These IP addresses are useful as IOCs to be integrated into SIEM or alerting solutions.
This service is usually commercialized in "Next Generation Firewalls": when new connections are established, they are matched against a private list of known malicious IP addresses.
Therefore it is important to separate the threat feed from the network flow information. Such a threat feed can then be integrated into other networks via NetFlow, logs or other means.
Requirements
Identify sources of C&C (primarily) and other malicious IP address sources, and write a Python CLI tool to download and aggregate the data. Later this data will be made available as hourly updated dumps, or via an API (DNS queries).
Take a look at maltrail (https://github.com/stamparm/maltrail): it supports a large number of blacklists. Maybe implement the same collection mechanism to extract them.
Take a look at these feeds from MISP; the page lists multiple feeds, but it is not certain that they are all already integrated. https://www.misp-project.org/feeds/ There is a Python client written for these feeds that could be used as a library. https://github.com/MISP/PyMISP
https://otx.alienvault.com/api Look into AlienVault Threat Intel for C&Cs.
https://support.kaspersky.com/cyber-trace/4.3/175360
Integrate additional sources.