Contribute: Feeds List

[SYNchroACK]

If you want to contribute creating some bots in order to collect more information, pick one of these feeds:

• [ ] 1d4 https://1d4.us/archive/ offline
• [ ] Abuse.ch (RSS) https://sslbl.abuse.ch/blacklist/
• [x] Abuse.ch (RSS) https://feodotracker.abuse.ch/blocklist/
• [x] Abuse.ch (RSS) https://palevotracker.abuse.ch/blocklists.php discontinued
• [ ] Abuse.ch (RSS) https://spyeyetracker.abuse.ch/blocklist.php discontinued
• [x] Abuse.ch (RSS) https://zeustracker.abuse.ch/blocklist.php
• [ ] Abusix http://abusix.org/service/spamfeeds offline
• [ ] ADB Lock Plus https://easylist-msie.adblockplus.org/malwaredomains_full.tpl
• [ ] Affairedhonneur http://qwe.affairedhonneur.us/depqfie59y offline
• [ ] Animus Project https://github.com/animus-project/threat_data offline
• [ ] Anti Hacker Alliance https://anti-hacker-alliance.com/
• [ ] Arbor FastFlux http://atlas.arbor.net/summary/fastflux discontinued
• [ ] APWG
• [ ] Bad IPs https://www.badips.com
• [x] Bambenek Consulting http://osint.bambenekconsulting.com/feeds/
• [ ] Berkeley https://security.berkeley.edu/aggressive_ips/ips
• [ ] Binary Defense https://www.binarydefense.com/
• [ ] Bit Cash http://bitcash.cz/misc/log/blacklist redirects
• [ ] Blade-Defender http://www.blade-defender.org/eval-lab/ offline
• [x] Blueliv https://www.blueliv.com/enterprise-solution/#threat-intelligence-feed
• [x] BlutMagie http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv in tor_nodes included
• [ ] BlutMagie http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv
• [ ] BlutMagie http://torstatus.blutmagie.de/query_export.php/Tor_query_EXPORT.csv
• [ ] Botscout http://botscout.com/last_caught_cache.htm
• [ ] Brawg http://www.brawg.com/ unreachable
• [ ] Callback Domains http://callbackdomains.wordpress.com
• [ ] Carbon Black https://github.com/carbonblack/cbfeeds
• [ ] CERT.org http://www.cert.org/downloads/mxlist.ips.txt 404
• [ ] Chaos Reigns http://www.chaosreigns.com/iprep/iprep.txt
• [ ] Chaos Reigns http://www.chaosreigns.com/spam/
• [ ] Critical Stack https://intel.criticalstack.com
• [ ] Cruzit http://www.cruzit.com/xwbl2txt.php
• [ ] Cyber Crime Tracker http://cybercrime-tracker.net/all.php
• [ ] Cydef https://cydef.us/torexit.txt
• [x] Dan.me https://www.dan.me.uk/torlist/ in tor_nodes included
• [ ] Deny Hosts http://stats.denyhosts.net/stats.html
• [ ] DNS DB https://api.dnsdb.info
• [ ] Dyn DNS http://security-research.dyndns.org/pub/
• [x] Emerging Threats http://rules.emergingthreats.net/ same as in tor_nodes
• [ ] Facebook Threat Exchange https://developers.facebook.com/docs/threat-exchange
• [ ] Falconcrest http://www.falconcrest.eu/IPBL.aspx
• [ ] FilterLists https://filterlists.com
• [ ] Firehol IPList https://iplists.firehol.org/
• [ ] Geo SPY http://www.geopsy.org/blacklist.html 404
• [ ] Gofferje http://stefan.gofferje.net/sipblocklist.zone
• [ ] GPF Comics https://www.gpf-comics.com/dnsbl/export.php
• [ ] Google Webmaster Alerts https://www.google.com/webmasters/
• [ ] Greensnow https://blocklist.greensnow.co/greensnow.txt
• [ ] H3X http://atrack.h3x.eu/ offline
• [ ] Hosts File http://hosts-file.net/?s=Download
• [ ] Hybrid Analysis https://www.hybrid-analysis.com/docs/api/v2
• [ ] IBM X-Force Exchange https://exchange.xforce.ibmcloud.com/
• [ ] Inflitrated http://www.infiltrated.net/blacklisted offline
• [ ] Inflitrated http://www.infiltrated.net/vabl.txt offline
• [ ] Inflitrated http://www.infiltrated.net/voipabuse/netblocks.txt offline
• [ ] Inflitrated http://www.infiltrated.net/webattackers.txt offline
• [ ] ISC SANS https://isc.sans.edu/feeds/suspiciousdomains_High.txt
• [ ] ISC SANS https://isc.sans.edu/feeds/suspiciousdomains_Low.txt
• [ ] ISC SANS https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt
• [ ] ISC SANS https://isc.sans.edu/ipsascii.html
• [ ] ISightPartners http://www.isightpartners.com/
• [x] Jeek http://jsunpack.jeek.org/dec/go?list=1 Host unreachable
• [ ] Joewein http://www.joewein.net
• [ ] Joxeankoret http://joxeankoret.com/services.html
• [ ] Kids Clinic JP http://www.kids-clinic.jp/uni/ipaddress/new_log No data, last updated 2012-01
• [ ] Kolatzek http://robert.kolatzek.org/possible_botnet_ips.txt Error 404
• [x] Malc0de http://malc0de.com/rss
• [ ] Malekal http://malwaredb.malekal.com/export.php?type=url
• [ ] Malekal http://www3.malekal.com/exploit.txt server not found
• [ ] Malekal http://www3.malekal.com/malwares/ server not found
• [ ] Malekal http://malwaredb.malekal.com/index.php
• [ ] Malshare https://malshare.com/
• [ ] Malwr Sandbox API Malwr https://malwr.com/ (temporarily?) offfline
• [ ] Malware BlackList http://www.malwareblacklist.com/mbl.xml server not found
• [ ] Malware BlackList http://www.malwareblacklist.com/showMDL.php server not found
• [ ] Malware.br http://www.malware.com.br/cgi/submit?action=list discontinued -> malwarepatrol
• [ ] Malware Config http://malwareconfig.com
• [ ] Malwared http://malwared.ru/db/fulllist.php Offline
• [x] MalwareDomains http://mirror1.malwaredomains.com/files/domains.txt
• [ ] MalwareDomains http://mirror2.malwaredomains.com/files/dynamic_dns.txt 404
• [ ] MalwareDomains http://mirror3.malwaredomains.com/files/justdomains
• [ ] MalwareDomains http://www.malwaredomainlist.com/hostslist/ip.txt
• [ ] MalwareDomains http://www.malwaredomainlist.com/hostslist/mdl.xml
• [ ] MalwareDomains http://www.malwaredomainlist.com/hostslist/yesterday_urls.php
• [x] MalwareDomains http://www.malwaredomainlist.com/updatescsv.php
• [ ] MalwareDomainList http://www.malwaredomainlist.com/hostslist/delisted.txt
• [ ] MalwareDomainList http://www.malwaredomainlist.com/hostslist/hosts.txt
• [ ] MalwareDomainList http://www.malwaredomainlist.com/hostslist/ip.txt
• [ ] MalwareDomainList http://www.malwaredomainlist.com/hostslist/mdl.xml
• [ ] MalwareDomainList http://www.malwaredomainlist.com/hostslist/spyeye.xml
• [ ] MalwareDomainList http://www.malwaredomainlist.com/hostslist/yesterday.php
• [ ] MalwareDomainList http://www.malwaredomainlist.com/hostslist/yesterday_urls.php
• [ ] MalwareDomainList http://www.malwaredomainlist.com/hostslist/zeus.xml
• [ ] MalwareDomainList http://www.malwaredomainlist.com/mdlcsv.php
• [ ] MalwareDomainList http://www.malwaredomainlist.com/updatescsv.php
• [ ] MalwareDomainList http://www.malwaredomainlist.com/zeuscsv.php
• [ ] MalwareInt http://malwareint.com
• [ ] Manity http://www.dnsbl.manitu.net/download/nixspam-ip.dump.gz
• [ ] Marc Blanchard DGA Domains http://www.marc-blanchard.com/BotInvaders/index.php
• [ ] Martin Cyber http://intel.martincyber.com/ip/ server not found
• [ ] MaxMind Proxies https://www.maxmind.com/en/anonymous_proxies
• [ ] Minotaur Analysis http://minotauranalysis.com/malwarelist.aspx 404
• [ ] Minotaur Analysis http://minotauranalysis.com/malwarelist-urls.aspx 404
• [ ] mwdb.cert.pl https://mwdb.cert.pl/
• [ ] mIRC http://www.mirc.com/servers.ini
• [ ] Monzymerza https://github.com/monzymerza/parthenon
• [ ] Multiproxy http://multiproxy.org/txt_all/proxy.txt
• [ ] MVPS http://mvps.org
• [x] n6 http://n6.cert.pl
• [x] Nothink http://www.nothink.org/blacklist/blacklist_malware outdated
• [x] Nothink http://www.nothink.org/blacklist/blacklist_malware_dns.txt outdated
• [x] Nothink http://www.nothink.org/blacklist/blacklist_malware_http.txt outdated
• [x] Nothink http://www.nothink.org/blacklist/blacklist_malware_irc.txt outdated
• [x] Nothink http://www.nothink.org/blacklist/blacklist_snmp_2015.txt outdated
• [x] Nothink http://www.nothink.org/blacklist/blacklist_ssh 404
• [x] Nothink http://www.nothink.org/blacklist/blacklist_ssh_day.txt #782
• [ ] Malwr https://malwr.com/ (temporarily?) offfline
• [ ] Null Secure http://nullsecure.org
• [x] OpenBL http://www.openbl.org/lists/
• [x] OpenPhish http://openphish.com/feed.txt
• [ ] PacketMail https://www.packetmail.net/iprep_mail.txt
• [ ] PacketMail https://www.packetmail.net/iprep_perimeterbad.txt 404
• [ ] PacketMail https://www.packetmail.net/iprep.txt
• [ ] Payload Security http://payload-security.com
• [ ] PHP Black http://poste.it-postepay4.phpblack.com/ server not found
• [ ] Project Honeypot (#284) http://www.projecthoneypot.org/list_of_ips.php?rss=1
• [ ] Prometheus Group http://downloads.prometheus-group.com/delayed/rules/modsec/domain-blacklist.txt broken redirect/offline
• [ ] Proxylists http://proxylists.me broken redirect/offline
• [ ] ProxySpy http://txt.proxyspy.net/proxy.txt 418
• [ ] Sacour http://www.sacour.cn
• [ ] Sender Base http://www.senderbase.org/home/detail_virus_source
• [ ] Sigma Projects https://blocklist.sigmaprojects.org/
• [ ] ShadowServer Sandbox API http://www.shadowserver.org/wiki/pmwiki.php/Services/Sandboxapi
• [ ] Skygeo JP http://sky.geocities.jp/ro_hp_add/ro_hp_add_hosts.txt
• [ ] Snort http://labs.snort.org/feeds/ip-filter.blf
• [ ] Snort http://labs.snort.org/iplists/ 404
• [x] SPAMHaus http://www.spamhaus.org/drop/drop.txt
• [x] SPAMHaus http://www.spamhaus.org/drop/edrop.txt
• [ ] Spamhaus BGP feed (BGPf) https://www.spamhaus.org/bgpf/
• [ ] Spys RU http://spys.ru/proxies/ 503
• [ ] SRI http://www.mtc.sri.com/live_data/attackers/
• [ ] SSH BL http://www.sshbl.org/list.txt
• [ ] Steeman http://jeroen.steeman.org/FS-PlainText
• [ ] SteveBlack Hosts File https://github.com/StevenBlack/hosts
• [ ] StopForumSPAM http://www.stopforumspam.com/downloads/
• [ ] Surriel rsync://psbl-mirror.surriel.com/psbl/psbl.txt
• [x] t-Arend http://www.t-arend.de/linux/badguys.txt Last updated 2009-09-06
• [ ] TheCyberThreat http://thecyberthreat.com/cyber-threat-intelligence-feeds/
• [ ] The Haleys http://charles.the-haleys.org/ssh_dico_attack_hdeny_format.php/hostsdeny.txt
• [ ] Threat Grid http://www.threatgrid.com/
• [ ] ThreatCrowd https://www.threatcrowd.org/feeds/domains.txt
• [ ] ThreatCrowd https://www.threatcrowd.org/feeds/ips.txt
• [ ] ThreatCrowd https://www.threatcrowd.org/feeds/hashes.txt
• [ ] TOR Project https://check.torproject.org/exit-addresses
• [ ] TotalHash http://totalhash.com
• [ ] Trailswest http://aveconomic.trailswest.org:15106/haddan_files/stories.php server not found
• [ ] Threatstream https://ui.threatstream.com/
• [ ] TrustedSec https://www.trustedsec.com/banlist.txt redirect
• [ ] UCE Protect http://wget-mirrors.uceprotect.net/
• [ ] URI BL http://rss.uribl.com/index.shtml
• [ ] URL Query http://urlquery.net/index.php
• [ ] Vir BL https://virbl.bit.nl/download/virbl.dnsbl.bit.nl.bind offline
• [ ] Virustotal https://www.virustotal.com/gui/home/search
• [ ] Voipbl http://www.voipbl.org/update/
• [x] VX Vault http://vxvault.siri-urz.net/
• [ ] YourCMC http://vmx.yourcmc.ru/BAD_HOSTS.IP4
• [ ] Yoyo http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml These are ad servers

[helderfernandes1279]

OMG!! So much juice.......!!!!!!

Tomas i'm wondering, how can we evaluate the false positives or false negatives with this huge amount of intel.....this kind of stuff makes me think that the event record structure should have some kind of field that would represent the level of trust the collected info.....

[SYNchroACK]

I think @mauroasilva is one step ahead heheh :)

https://github.com/certtools/intelmq/pull/381

[helderfernandes1279]

Always late hehehe:)

[SYNchroACK]

• [ ] Malwr https://malwr.com/

[sebix]

I converted the original list to a checklist and marked the implemented ones, so have a better overview.

[aaronkaplan]

cool, thx. Added n6

[sebix]

• [ ] Spamhaus BGP feed (BGPf) https://www.spamhaus.org/bgpf/

[aaronkaplan]

• [ ] APWG's ecrimex: https://www.ecrimex.net

[sebix]

• [x] Nothink DNS: http://www.nothink.org/honeypot_dns.php

[sebix]

• [ ] HP Feeds

[SYNchroACK]

• [ ] MalwarePatrol (add more sources)

[ghost]

New shadowserver feeds:

• [x] accessible SMB: https://www.shadowserver.org/wiki/pmwiki.php/Services/Accessible-SMB
• [x] open DB2: https://db2scan.shadowserver.org/

[ghost]

• [ ] defacer.id
• [x] zone-h

[dmth]

• [x] accessible SMB: https://www.shadowserver.org/wiki/pmwiki.php/Services/Accessible-SMB

@cert-bund has done this. Currently I'm reviewing the config. PR will come soon. PR https://github.com/certtools/intelmq/pull/1028

[chorsley]

PR for Zone-H's CSV email feed: #1015 (note this is a country-code specific feed, rather than scraping the public RSS feed - that may be separate if there's demand).

[kruisdraad]

Hi,

Vir BL https://virbl.bit.nl/download/virbl.dnsbl.bit.nl.bind

no longer exists

[ghost]

@kruisdraad Thanks, removed it from the list

[kruisdraad]

these dont work either:

http://abusix.org/service/spamfeeds http://qwe.affairedhonneur.us/depqfie59y https://github.com/animus-project/threat_data https://1d4.us/archive/ http://www.blade-defender.org/eval-lab/ http://www.infiltrated.net/ [all of them]

either 404, no DNS or perm loading screen

[ghost]

@kruisdraad Thanks for checking them. I marked them as offline in the above list.

[ghost]

• [ ] https://www.openbugbounty.org/

[ghost]

• [x] https://urlhaus.abuse.ch/

[ghost]

List of feeds: https://threatfeeds.io/

[SYNchroACK]

bitcash is terminated https://bitcash.cz/misc/log/blacklist

[ghost]

https://github.com/NRDCS/intelmq/tree/certlt/intelmq/bots

[ghost]

https://github.com/ntddk/virustream

[ghost]

shodan search API

[ghost]

http://www.marc-blanchard.com/BotInvaders/index.php

[ghost]

Added:

• Anti Hacker Alliance https://anti-hacker-alliance.com/
• APWG
• Facebook Threat Exchange https://developers.facebook.com/docs/threat-exchange
• Firehol IPList https://iplists.firehol.org/
• Google Webmaster Alerts https://www.google.com/webmasters/
• Greensnow https://blocklist.greensnow.co/greensnow.txt
• Hybrid Analysis https://www.hybrid-analysis.com/docs/api/v2
• Threatstream https://ui.threatstream.com/
• mwdb.cert.pl https://mwdb.cert.pl/
• UCE Protect http://wget-mirrors.uceprotect.net/

[ghost]

Added:

• malshare.com https://malshare.com/
• Virustotal https://www.virustotal.com/gui/home/search

[pettai]

Arbor FastFlux is no more...

[bernhardreiter]

Shouldn't we place this in a wiki page or in a file, so we get a consolidated list and the ability of more people to edit it? :)

[ghost]

Arbor FastFlux is no more...

Thanks, updated the list

Shouldn't we place this in a wiki page or in a file, so we get a consolidated list and the ability of more people to edit it? :)

I don't really like the idea of keeping it in a file, as the list is independent of the rest and doesn't need versioning etc. It's also much easier to comment here instead of creating pull requests.

For the wiki: I'm in favor of it, but the wiki here has been deactivated a few years ago. @aaronkaplan what do you think about it?

[bernhardreiter]

A file could be the best available solution to get

• a consolidated, up-to-date-version
• ability to be maintained by more persons

And it is related to the IntelMQ code base, because it shows the current state of wished-for additional feeds. ;)