IOC Sources - Homas/ioc2rpz GitHub Wiki

IOC Sources

This page lists sources that can be used to build RPZs. The list is not comprehensive (and cannot be); if you find a new, good source of IOCs, please share it. The list is organized by the date a source was added. Some sources require a subscription, so please check the descriptions before copying and pasting.

Infoblox BloxOne Threat Defense TIDE

Subscription
URL: https://www.infoblox.com/products/bloxone-threat-defense/

IPs with expiration

Sample BloxOne Threat Defense TIDE IP source with IOC expiration time.

{source,{"at_ip_w_exp","https://**APIKEY**@api.activetrust.net:8000/api/data/threats/state/ip?profile=IID&field=ip,expiration&data_format=csv","[:AXFR:]&from_date=[:FTimestamp:]","^(?!host)(?!ip)\"?\'?([A-Za-z0-9][A-Za-z0-9\-\._]+)\"?\'?,?([0-9:TZtz -.]+)?$"}}.

Domains

Sample BloxOne Threat Defense TIDE host source without IOC expiration time. Using an expiration time is recommended.

{source,{"at_hosts","https://**APIKEY**@api.activetrust.net:8000/api/data/threats/state/host?profile=IID&field=host&data_format=csv","[:AXFR:]&from_date=[:FTimestamp:]","^(?!host)(?!ip)\"?\'?([A-Za-z0-9][A-Za-z0-9\-\._]+)[^A-Za-z0-9\-\._]*.*$"}}.

IPv4 converted to IPv6

Sample BloxOne Threat Defense TIDE IPv4 feed converted to an IPv6 feed for IPv6-only networks.
This example highlights how to use the "shell" source type to preprocess threat indicators before passing them to ioc2rpz.

{source,{"TIDE_IPv6","shell:/usr/bin/curl -sL 'https://**APIKEY**@api.activetrust.net:8000/api/data/threats/state/ip?profile=IID&field=ip,expiration&data_format=csv&no_headers=yes' | gawk -F '[.,]' --non-decimal-data '{ printf \"::ffff:%x%0.2x:%x%0.2x,%s\\n\", $1, $2, $3, $4, $5 }'","[:AXFR:]&from_date=[:FTimestamp:]","^(?!host)(?!ip)\"?\'?([A-Za-z0-9:][:A-Za-z0-9\-\._]+)\"?\'?,?([0-9:TZtz -.]+)?$"}}.
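Before pointing ioc2rpz at a paid feed it is worth checking what the source regexes actually capture. The Python below is an added example (not part of the wiki or the ioc2rpz project): it runs the at_ip_w_exp and at_hosts patterns over constructed CSV lines and reproduces the IPv4-to-IPv6 mapping that the TIDE_IPv6 shell pipeline performs with gawk. The sample data, the function names and the AT_HOSTS_STRICT variant are the example's own assumptions. One caveat it makes visible: the `(?!host)(?!ip)` lookaheads, meant to skip the CSV header line, also drop any indicator that merely begins with those letters; the strict variant rejects only a whole `host` or `ip` field.

```python
import re

# Patterns as ioc2rpz compiles them: the \" and \' in the config tuples above are
# escapes inside the Erlang string literal, so the regex itself contains plain quotes.
AT_IP_W_EXP = re.compile(
    r"""^(?!host)(?!ip)"?'?([A-Za-z0-9][A-Za-z0-9\-\._]+)"?'?,?([0-9:TZtz -.]+)?$"""
)
AT_HOSTS = re.compile(
    r"""^(?!host)(?!ip)"?'?([A-Za-z0-9][A-Za-z0-9\-\._]+)[^A-Za-z0-9\-\._]*.*$"""
)
# Hypothetical tightened variant (example's own): skip the header only when the whole
# first field is "host" or "ip", not every indicator starting with those letters.
AT_HOSTS_STRICT = re.compile(
    r"""^(?!(?:host|ip)(?:,|$))"?'?([A-Za-z0-9][A-Za-z0-9\-\._]+)[^A-Za-z0-9\-\._]*.*$"""
)

# Constructed samples in the shape of the TIDE CSV output (not real feed data).
SAMPLE_TIDE_IP_CSV = """ip,expiration
203.0.113.10,2024-05-01T12:00:00Z
198.51.100.7,2024-06-15 08:30:00
192.0.2.250,
"""
SAMPLE_TIDE_HOST_CSV = """host
malware.example.test
hosting-abuse.example.test
ipcheck.example.test
"""


def extract(text, pattern):
    """Apply a source regex line by line and return (indicator, expiration) pairs.
    expiration is None when the pattern has no second group or it did not match."""
    out = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            exp = m.group(2) if pattern.groups > 1 else None
            out.append((m.group(1), exp))
    return out


def ipv4_to_mapped_ipv6(ip):
    """IPv4 -> IPv4-mapped IPv6 text (::ffff: followed by the four octets as two hex
    groups), the same mapping the gawk printf in the TIDE_IPv6 source performs."""
    octets = [int(x) for x in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    hi = (octets[0] << 8) | octets[1]
    lo = (octets[2] << 8) | octets[3]
    return f"::ffff:{hi:x}:{lo:x}"


def ipv6_feed(text):
    """Equivalent of the TIDE_IPv6 preprocessing: IPv4 + expiration in,
    mapped IPv6 + expiration out (canonical form, leading zeros dropped)."""
    return [(ipv4_to_mapped_ipv6(ip), exp) for ip, exp in extract(text, AT_IP_W_EXP)]


if __name__ == "__main__":
    for addr, exp in ipv6_feed(SAMPLE_TIDE_IP_CSV):
        print(f"{addr},{exp or ''}")
    print("page pattern keeps:", [h for h, _ in extract(SAMPLE_TIDE_HOST_CSV, AT_HOSTS)])
    print("strict pattern keeps:", [h for h, _ in extract(SAMPLE_TIDE_HOST_CSV, AT_HOSTS_STRICT)])
```

Run the script as-is to see the three converted addresses, then swap the embedded sample for a few lines saved from a real TIDE download to confirm the captures before enabling the source.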

RPZ/DNS Firewall Feeds

Subscription

You can use the universal shell: source type to fetch RPZ feeds. In the example below you need to provide a TSIG key and a server name or IP. base.rpz.infoblox.local is used as a sample feed name. You may use the full feed name or just part of it to extract a domain/FQDN from a rule (the awk command).

{source,{"base.rpz","shell:/usr/bin/dig -y **KEYNAME**:**TSIGKEY** @**SERVER** **base.rpz.infoblox.local** axfr | /bin/grep -e CNAME | /bin/grep -v '*.' | /usr/bin/awk -F '.base.rpz' '{print $1}'","",none}}.

NetLab

Subscription
URL: http://data.netlab.360.com

All DGA (about 1m indicators)

{source,{"dga","http://data.netlab.360.com/feeds/dga/dga.txt","[:AXFR:]","^[^\s\t]*[\s\t]*([A-Za-z0-9][A-Za-z0-9\-\._]+)[\s\t]*.*:00[\s\t]*([0-9: -]+)$"}}.

DGA Blackhole

{source,{"blackhole","http://data.netlab.360.com/feeds/dga/blackhole.txt","[:AXFR:]","^(?!host)(?!ip)\"?\'?([A-Za-z0-9][A-Za-z0-9\-\._]+)[^A-Za-z0-9\-\._]*.*$"}}.

DGA Blackhole with Expiration

This is a sample zone with IOC expiration. Usually an expiration date is not required for DGA feeds, because the zone can be updated in a timely manner.

{source,{"blackhole_exp","http://data.netlab.360.com/feeds/dga/blackhole.txt","[:AXFR:]","^([A-Za-z0-9][A-Za-z0-9\-\._]+)\t.*:00\t([0-9: -]+)$"}}.

DGA Cryptolocker

{source,{"cryptolocker","http://data.netlab.360.com/feeds/dga/cryptolocker.txt","[:AXFR:]","^(?!host)(?!ip)\"?\'?([A-Za-z0-9][A-Za-z0-9\-\._]+)[^A-Za-z0-9\-\._]*.*$"}}.

DGA Conficker

{source,{"conficker","http://data.netlab.360.com/feeds/dga/conficker.txt","[:AXFR:]","^(?!host)(?!ip)\"?\'?([A-Za-z0-9][A-Za-z0-9\-\._]+)[^A-Za-z0-9\-\._]*.*$"}}.

Hajime Botnet

{source,{"bot.list","http://data.netlab.360.com/feeds/hajime-scanner/bot.list","[:AXFR:]","ip=([0-9\.]+)$"}}.

Other DGA

Other DGA lists can be found on the NetLab website.

MaxMind Geo database

Subscription

Using MaxMind's database you can build RPZs that prevent access to specific countries or cities. Minimal local file processing is required:

  • unzipping the file;
  • filtering the countries/cities to which access should be restricted.

http://dev.maxmind.com/geoip/geoip2/geolite2/#MaxMind_APIs
http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip

North Korea block list

{source,{"geo_north_korea","file:cfg/GeoLite2-Country-Blocks-IPv4.csv","[:AXFR:]","^([^,]+),.*1873107.*"}}.
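As an added example of the local processing step (not from the wiki, ioc2rpz or MaxMind), the Python below pulls the country-blocks CSV out of the GeoLite2 zip and filters it by geoname_id with a CSV reader, next to the substring regex from the geo_north_korea source. The CSV rows are constructed: the column names follow the GeoLite2 CSV layout, the prefixes are documentation ranges, 1873107 is the id the page uses for North Korea and 1234567 is an arbitrary stand-in for another country. The `.*1873107.*` pattern matches the id wherever it occurs in a row, including the registered_country_geoname_id column and as a substring of a longer number, so the column-aware filter lets you choose which columns count and compares ids exactly.

```python
import csv
import io
import re
import zipfile

# Constructed excerpt in the GeoLite2-Country-Blocks-IPv4.csv layout (not real data).
SAMPLE_BLOCKS_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
203.0.113.0/24,1873107,1873107,,0,0
198.51.100.0/25,1234567,1873107,,0,0
192.0.2.0/24,1234567,1234567,,0,0
198.51.100.128/25,1873107,1234567,,0,0
"""

# The geo_north_korea source regex from the page, applied to the raw file.
PAGE_PATTERN = re.compile(r"^([^,]+),.*1873107.*")


def page_regex_filter(text):
    """Networks the page's regex captures: any row that contains 1873107 anywhere."""
    return [m.group(1) for m in map(PAGE_PATTERN.match, text.splitlines()) if m]


def filter_by_geoname(text, geoname_ids, columns=("geoname_id",)):
    """Column-aware filter: keep a network when any of the named columns holds one
    of geoname_ids. Exact field comparison, so 1873107 never matches 21873107."""
    wanted = set(geoname_ids)
    reader = csv.DictReader(io.StringIO(text))
    return [row["network"] for row in reader if any(row[c] in wanted for c in columns)]


def read_blocks_from_zip(zip_path, member_suffix="GeoLite2-Country-Blocks-IPv4.csv"):
    """Read the country-blocks CSV straight out of the downloaded GeoLite2 zip;
    the member sits in a dated directory, so it is located by file-name suffix."""
    with zipfile.ZipFile(zip_path) as zf:
        name = next(n for n in zf.namelist() if n.endswith(member_suffix))
        return zf.read(name).decode("utf-8")


if __name__ == "__main__":
    import sys
    # With a zip path on the command line the real file is used, else the sample.
    text = read_blocks_from_zip(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BLOCKS_CSV
    for net in filter_by_geoname(text, {"1873107"}, ("geoname_id", "registered_country_geoname_id")):
        print(net)
```

The printed networks, one per line, can be saved to a file and consumed by a file: source with the regex ^(.+)$ instead of running the substring match against the full CSV on every refresh.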

Notracking [2018-07-18]

Subscription
URL: https://github.com/notracking/hosts-blocklists
Description: No more ads, tracking and other virtual garbage. This repository provides a host and domain name based blocklist. Most entries are gathered from multiple, actively maintained sources and automatically updated, cleaned, optimized and moderated on a daily basis. The blocklists support both ipv4 and ipv6.

{source,{"notracking_hosts","https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt","[:AXFR:]","^0\.0\.0\.0 ([A-Za-z0-9\._\-]+[A-Za-z])$"}}.
{source,{"notracking_domains","https://raw.githubusercontent.com/notracking/hosts-blocklists/master/domains.txt","[:AXFR:]","^address=\/([A-Za-z0-9\._\-]+[A-Za-z])\/0\.0\.0\.0$"}}.

Phishtank

Subscription
URL: https://www.phishtank.com
Description: PhishTank is a free community site where anyone can submit, verify, track and share phishing data. The source contains only phishing domains (URLs are not included) and IPs.

{source,{"phishtank","shell:/usr/bin/curl -sL http://data.phishtank.com/data/**APIKEY**/online-valid.csv | /usr/bin/gawk 'match($0,/^[0-9]+,[^\\/]*\\/\\/([^\\/]+)\\/?,[^,]+,[^,]+,yes,/,a) {print a[1]}' | sort | uniq","[:AXFR:]",none}}.
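An added Python rendition of the Phishtank extraction (not from the wiki, ioc2rpz or PhishTank) that applies the gawk pattern above to constructed rows and, beside it, does the same selection with a CSV reader and a URL parser. Assumptions of the example: the header line (phish_id,url,phish_detail_url,submission_time,verified,verification_time,online,target) follows the public feed's column layout, the rows and host names are constructed documentation values, and the function names are the example's own. As the sample shows, a URL with a path component does not match the gawk pattern while the parsed version still returns its host, so compare both against a real download before relying on either.

```python
import csv
import io
import re
from urllib.parse import urlparse

# The gawk pattern from the phishtank source as a Python regex (same ERE constructs,
# the \/ escapes of the shell-quoted awk program reduce to plain slashes).
PAGE_PATTERN = re.compile(r"^[0-9]+,[^/]*//([^/]+)/?,[^,]+,[^,]+,yes,")

# Constructed rows in the online-valid.csv column layout (not real PhishTank data).
SAMPLE_PHISHTANK_CSV = """phish_id,url,phish_detail_url,submission_time,verified,verification_time,online,target
100001,http://login-example.test/,http://www.phishtank.com/phish_detail.php?phish_id=100001,2024-01-05T10:00:00+00:00,yes,2024-01-05T11:00:00+00:00,yes,Other
100002,https://secure-update.example.test/account/verify.php,http://www.phishtank.com/phish_detail.php?phish_id=100002,2024-01-06T10:00:00+00:00,yes,2024-01-06T11:00:00+00:00,yes,Other
100003,http://bank-example.test,http://www.phishtank.com/phish_detail.php?phish_id=100003,2024-01-07T10:00:00+00:00,no,,yes,Other
100004,http://login-example.test/,http://www.phishtank.com/phish_detail.php?phish_id=100004,2024-01-08T10:00:00+00:00,yes,2024-01-08T11:00:00+00:00,yes,Other
"""


def page_regex_hosts(text):
    """Hosts the gawk pattern captures, followed by the equivalent of sort | uniq."""
    found = {m.group(1) for m in map(PAGE_PATTERN.search, text.splitlines()) if m}
    return sorted(found)


def parsed_hosts(text):
    """Same selection rule (verified == yes) using a CSV reader and urlparse, so URLs
    with a path, port or credentials still yield their host name."""
    found = set()
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("verified") != "yes":
            continue
        host = urlparse(row["url"]).hostname
        if host:
            found.add(host.lower())
    return sorted(found)


if __name__ == "__main__":
    print("gawk pattern:", page_regex_hosts(SAMPLE_PHISHTANK_CSV))
    print("csv + urlparse:", parsed_hosts(SAMPLE_PHISHTANK_CSV))
```

The parsed list is what a domain-only RPZ would need; feed it to ioc2rpz through the same shell: source style, or write it to a file and use a file: source with the regex ^(.+)$.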