vz-risk / Verum

Implementation of Context-Graph algorithms for graph enrichment and querying.
Apache License 2.0

Create a Honeypot minion #45

Open gdbassett opened 9 years ago

gdbassett commented 9 years ago

Find a threat feed of honeypot detections and import it with a minion.

gdbassett commented 9 years ago

Can use the https://foospidy.com/opt/honeydb/bad-hosts list. Description from https://foospidy.com/opt/honeydb/threats:

Threat Intelligence

HoneyDB provides a free threat intelligence feed of "bad hosts". A bad host is a host on the Internet that has connected or attempted to connect to one of the honeypots that feed data to HoneyDB. In general, there is no legitimate reason for any host to connect to these honeypots. So those that do can be considered bad, and a potential threat. If you see connectivity from any of these hosts on your network it may be malicious and may require some investigation.

You can download all bad host data by directly accessing the URL below. The data is provided in JSON format. The feed is made up of the following three fields:

remote_host - The IP address of the bad host.
count - The number of connections made by the bad host.
last_seen - The date of the connection made by the bad host.
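Added example, not part of the original thread and not Verum's own minion code: a sketch of ingesting a feed with the three fields described above and checking local connection records against it. The top-level JSON array, the string-typed `count`, the ISO `last_seen` date, the log line layout, and the names `parse_feed` and `match_log` are all assumptions; the sample data is constructed.

```python
import ipaddress
import json
from datetime import date, timedelta

# Constructed sample in the three-field shape the feed description gives.
# Assumed: top-level JSON array, count as a string, last_seen as YYYY-MM-DD.
SAMPLE_FEED = """[
 {"remote_host": "203.0.113.7", "count": "42", "last_seen": "2016-03-01"},
 {"remote_host": "198.51.100.23", "count": "3", "last_seen": "2015-11-20"},
 {"remote_host": "not-an-ip", "count": "1", "last_seen": "2016-03-02"},
 {"remote_host": "2001:db8::5", "count": "9", "last_seen": "2016-02-27"}
]"""
# Constructed connection log, assumed layout: "<timestamp> <src_ip> <dst_port>"
SAMPLE_LOG = """2016-03-02T10:00:01 203.0.113.7 22
2016-03-02T10:00:05 192.0.2.10 443
2016-03-02T10:01:11 198.51.100.23 23
2016-03-02T10:02:40 2001:0db8:0:0:0:0:0:5 22"""


def parse_feed(text, today, max_age_days=30):
    """Return {ip_address: record} for valid hosts seen within max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    hosts = {}
    for rec in json.loads(text):
        try:
            ip = ipaddress.ip_address(rec["remote_host"])
            seen = date.fromisoformat(rec["last_seen"])
            count = int(rec["count"])
        except (KeyError, ValueError, TypeError):
            continue  # skip malformed entries rather than abort the import
        if seen >= cutoff:  # stale honeypot hits age out of the match set
            hosts[ip] = {"count": count, "last_seen": seen}
    return hosts


def match_log(log_text, hosts):
    """Return (timestamp, ip, port, feed_count) for log sources in the feed."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            src = ipaddress.ip_address(parts[1])  # normalises IPv6 spellings
        except ValueError:
            continue
        if src in hosts:
            hits.append((parts[0], str(src), int(parts[2]), hosts[src]["count"]))
    return hits
```

Parsing addresses into `ipaddress` objects, rather than comparing strings, is what lets the expanded IPv6 form in the log match the compressed form in the feed.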

gdbassett commented 9 years ago

Could also follow the https://twitter.com/EvilAfoot Twitter feed.

gdbassett commented 9 years ago

Could also do ssh rank (@sshbrute): https://twitter.com/sshbrute

gdbassett commented 9 years ago

There are quite a few bots like that.