Additional sources to evaluate

[krmaxwell]

We have some of these but need to evaluate the list for possible additional stuff.

---

http://1d4.us/archive/network-28-07-2014.txt http://1d4.us/archive/network-29-07-2014.txt http://1d4.us/archive/ssh-28-07-2014.txt.txt http://1d4.us/archive/ssh-29-07-2014.txt.txt http://1d4.us/archive/ssh-today.txt http://1d4.us/archive/today.txt http://atlas-public.ec2.arbor.net/public/ssh_attackers http://bitcash.cz/misc/log/blacklist http://charles.the-haleys.org/ssh_dico_attack_hdeny_format.php/hostsdeny.txt http://cybercrime-tracker.net/all.php http://danger.rulez.sk/projects/bruteforceblocker/blist.php http://feodotracker.abuse.ch/blocklist.php?download=ipblocklist http://jeroen.steeman.org/FS-PlainText http://lists.blocklist.de/lists/all.txt http://lists.clean-mx.com/pipermail/phishwatch/20140729.txt http://lists.clean-mx.com/pipermail/phishwatch/20140730.txt http://lists.clean-mx.com/pipermail/viruswatch/20140729.txt http://lists.clean-mx.com/pipermail/viruswatch/20140730.txt http://malc0de.com/bl/IP_Blacklist.txt http://multiproxy.org/txt_all/proxy.txt http://osint.bambenekconsulting.com/feeds/goz-iplist.txt http://rules.emergingthreats.net/fwrules/emerging-PF-CC.rules http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-tor.rules http://stefan.gofferje.net/sipblocklist.zone http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv http://un1c0rn.net/?module=hosts&action=list&page=1 ... http://un1c0rn.net/?module=hosts&action=list&page=200 http://vmx.yourcmc.ru/BAD_HOSTS.IP4 http://vxvault.siri-urz.net/URL_List.php http://www.autoshun.org/files/shunlist.csv http://www.ciarmy.com/list/ci-badguys.txt http://www.cruzit.com/xwbl2txt.php http://www.falconcrest.eu/IPBL.aspx http://www.infiltrated.net/blacklisted http://www.infiltrated.net/vabl.txt http://www.infiltrated.net/voipabuse/netblocks.txt http://www.infiltrated.net/webattackers.txt http://www.malwaredomainlist.com/hostslist/ip.txt http://www.michaelbrentecklund.com/whm-cpanel-cphulk-banlist-whm-cpanel-cphulk-blacklist/ http://www.nothink.org/blacklist/blacklist_malware_dns.txt http://www.nothink.org/blacklist/blacklist_malware_http.txt http://www.nothink.org/blacklist/blacklist_malware_irc.txt http://www.nothink.org/blacklist/blacklist_ssh_day.txt http://www.openbl.org/lists/base_1days.txt http://www.spamhaus.org/drop/drop.txt http://www.spamhaus.org/drop/edrop.txt http://www.stopforumspam.com/downloads/listed_ip_1_all.zip http://www.stopforumspam.com/downloads/toxic_ip_cidr.txt http://www.voipbl.org/update/ https://blocklist.sigmaprojects.org/api.cfc?method=getList&lists=atma https://blocklist.sigmaprojects.org/api.cfc?method=getList&lists=spyware https://blocklist.sigmaprojects.org/api.cfc?method=getList&lists=webexploit https://isc.sans.edu/api/sources/attacks/10000/2014-07-30 https://isc.sans.edu/api/topips/records/1000/2014-07-30 https://lists.malwarepatrol.net/cgi/getfile?receipt=f1377916320&product=8&list=smoothwall https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist https://raw.githubusercontent.com/EmergingThreats/et-open-bad-ip-list/master/IPs.txt https://reputation.alienvault.com/reputation.generic https://security.berkeley.edu/aggressive_ips/ips https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist https://www.dan.me.uk/torlist/ https://www.gpf-comics.com/dnsbl/export.php https://www.maxmind.com/en/anonymous_proxies https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist

[krmaxwell]

http://www.falconcrest.eu/IPBL.aspx from #64 and https://www.packetmail.net/iprep_perimeterbad.txt from #57 (no point in having multiple issues for the same things)

[norwayfinland]

You may also want to consider adding https://www.packetmail.net/iprep_mail.txt

[krmaxwell]

:+1:

[krmaxwell]

http://hosts-file.net/?s=Browse&f=2015 from #105

[alexcpsec]

Also: http://cybercrime-tracker.net/

[krmaxwell]

@alexcpsec It's in the list, 10th line. :)

[krmaxwell]

There are new Bambenek feeds with a friendly license but I need to check with him about including them here since they're "TLP:GREENish".

[krmaxwell]

https://github.com/animus-project/threat_data

[norwayfinland]

As of Feb 16 2015 this feed is no longer active/enabled:

https://www.packetmail.net/iprep_perimeterbad.txt

Thanks and apologies for any headaches.

[krmaxwell]

https://www.badips.com/

[krmaxwell]

https://exchange.xforce.ibmcloud.com/

[houey]

http://malwaredomains.lehigh.edu/files/domains.txt Appears to be an aggregated list

[houey]

http://www.malware-traffic-analysis.net/suspicious-ip-addresses-and-domains.txt

[krmaxwell]

The dates in that list on lehigh.edu make me, um, a little suspicious of its quality.

[houey]

Understood. It's massive, and apparently not using any obvious aging. I got that one from hailataxii.

[norwayfinland]

Morning fellow punchers of miscreants. You may want to consider the feeds https://www.packetmail.net/iprep_ramnode.txt and https://www.packetmail.net/iprep_CARISIRT.txt. This is the same honeypot code running on packetmail.net (206.82.85.196/30) at https://www.packetmail.net/iprep.txt but deployed on a Netherlands VPS (ramnode) and in the US (Cari). Existing parsers capable of handing 'iprep.txt' should be able to parse these two feeds without issue.

[alexcpsec]

@norwayfinland you guys are the best! We need to get out :hankey: together on version 0.2.0 to ingest all your new awesomeness properly.

[norwayfinland]

Always glad to help my friend, I'm trying to get a deployment over in LACNIC and JPNIC/APNIC land for a different demographic sampling. Hopefully this can happen sometime soon and I'll update this thread with the respective URLs. Glad I'm able to have a nominal contribution back to the greater security community itself.

[alexcpsec]

@norwayfinland just to confirm, this is all activity hitting a low interaction honeypot you have, right?

If so, I will file it under "inbound"

[norwayfinland]

"Inbound" and low interaction is a great classification. The system is completely passive and is highly opportunistic in nature.

[juju4]

While comparing different tools, I'm adding the following to the list. As I was intending to add them in a pull request, I realize I might want few informations first: any way to specify list which are both inbound/outbound, how to give a confidence level, tlp or a tags ? (in a similar way than CIF do for some part)

CIF (https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/default/spamhaus.yml) http://www.spamhaus.org/drop/drop.txt http://www.spamhaus.org/drop/edrop.txt http://data.phishtank.com/data/online-valid.json.gz http://s3.amazonaws.com/alexa-static/top-1m.csv.zip http://aper.svn.sourceforge.net/svnroot/aper/phishing_reply_addresses http://danger.rulez.sk/projects/bruteforceblocker/blist.php http://www.mirc.com/servers.ini http://cybercrime-tracker.net/all.php

from https://github.com/tomchop/malcom/ https://www.dan.me.uk/tornodes http://atrack.h3x.eu/api/asprox_full_csv.php http://www.malwaredomainlist.com/hostslist/mdl.xml http://malwared.malwaremustdie.org/rss.php http://www.malwaredomainlist.com/hostslist/mdl.xml

from https://github.com/jonschipp/mal-dnssearch http://labs.snort.org/feeds/ip-filter.blf http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt http://rules.emergingthreats.net/open/suricata/rules/botcc.rules http://rules.emergingthreats.net/open/suricata/rules/tor.rules http://secure.mayhemiclabs.com/malhosts/malhosts.txt https://raw.githubusercontent.com/jonschipp/mal-dnssearch/master/mandiant_apt1.dns

from https://github.com/jpsenior/threataggregator http://www.binarydefense.com/banlist.txt https://sslbl.abuse.ch/blacklist/sslipblacklist.csv

Ponmocup (http://mcaf.ee/vw6ja) http://security-research.dyndns.org/pub/malware-feeds/ponmocup-botnet-domains.txt http://security-research.dyndns.org/pub/malware-feeds/ponmocup-botnet-ips.txt http://security-research.dyndns.org/pub/malware-feeds/ponmocup-malware-domains.txt http://security-research.dyndns.org/pub/malware-feeds/ponmocup-malware-ips.txt

[norwayfinland]

I would not classify or rate these threads, if you do, you present and assert a classification without fully understanding the nature of the back end. It also potentially feeds the false economy around artificial decision making without subjective and objective review of the data points. Why classify at all, couldn't the ingestion system weight accordingly? Essentially we should be presenting data and allowing the ingestion source to weight according to their criteria not making assumptions around scoring to their need. With the utmost respect I hope this makes sense my friend.

Cheers, Nathan

[juju4]

Hello Nathan,

No problem on classification point, that's a design choice. Can be done later but some time suggestion helps :)

Any feedback on integration feed which are inbound+outbound? Or just do one direction and review later? Did a test and works well for spamhaus and sslbl, nok for dan tornodes https://github.com/juju4/combine/commit/01f323aafab735c2089a4b498a7863b2a85f907c

Thanks

[alexcpsec]

Hi, Julian. This is a great list. Thanks for doing the comparisons with other tools

You should look at the way the dev branch is organized. We have completely rewrote the way feeds are added and processed in a much more extensible "plugin" format. You will find it is way easier to add your confidence / severity scores per feed or per feed entry if they have if there.

As for the 'inbound/outbound' we are happy to review later, but as a rule of thumb, any sort of potential threat that is trying to get IN an organization (Scanning bots or machines / Spam senders) should be classified as inbound and anything that requires the organization to reach OUT to be infected (Phishing links / malware droppers / CnC hosts) should be classified as outbound.

We would really appreciate if you could work on some plugins for this entries with a pull request to our dev branch. Please review our contributing guidelines and reach out if you have any questions.

[juju4]

I did some update on dev (vs my initial work on master) see https://github.com/juju4/combine/tree/dev

still work in progress