the Torproject Analyzer uses the Tor exit nodes list, whereas the dan.me.uk list includes all nodes (also entry and intermediary relays). It may be debatable if only the exit nodes are of interest - surely if you are looking at their roles as senders. However, if you look at outgoing traffic (possible C2) yo also want to match against the bridges and entry relay nodes, as this could identify malware. I would advocate to actually use the full list of tor nodes found at dan.me.uk, or provide another Analyzer that uses this list
Possible implementation
just basically copy/paste TorProject one and change the results based on the type of the node
Name
Tor_Nodes_DanMeUk
Link
Extract lists of all Tor nodes from this site periodically: https://www.dan.me.uk/tornodes
Type of analyzer
observable for IP addresses only
Why should we use it
An user requested this:
Possible implementation
just basically copy/paste TorProject one and change the results based on the type of the node