Master "Security Feeds" List. This list is a collection of the known community and commercial feed lists. The objective is to give organizations a tool for finding sources of block lists, threat feeds and other security data that can provide insight into intrusions into their network and help prevent and, possibly, detect them. As research over the last few years has shown, no single list provides complete coverage; the challenge is to find the right mix for the organization's threat/risk profile.

| Action List | Name of the Feed | URL | Cost | Function | csirtgadgets/massive-octo-spice | Data Source | Turning the List Into Action | RPZ Capable? | Notes |
|---|---|---|---|---|---|---|---|---|---|
| ✓ | abuse.ch Ransomware Block List | https://ransomwaretracker.abuse.ch/blocklist/ | Free | | | | | | |
| ✓ | Alienvault IP Reputation Database | https://reputation.alienvault.com/reputation.data | Free | IPs listed in OTX are assessed by reliability and priority. IP reliability: AlienVault USM gets this reputation information from different data sources and updates it periodically. Each data source has its own reliability rating; if a data source is considered less reliable than another, the IPs obtained from it get a lower reliability rating than those from the more reliable data source. IP priority: the priority value varies with the behavior the IP address has been involved in. For example, an IP that has been involved in scanning has a lower priority than an IP that was used as a botnet server. See https://www.alienvault.com/knowledge-base/ip-reputation-explained | | | | | |
| ✓ | Alienvault IP Reputation Database (Generic) | https://reputation.alienvault.com/reputation.generic | Free | Same reliability and priority scoring as the Alienvault IP Reputation Database above. | | | | | |
| ✓ | ATLAS from Arbor Networks | | Free; registration required by contacting Arbor | | | Mainly from NetFlow feeds from Peakflow X and the in-network collectors | | | |
| ✓ | Autoshun | http://www.autoshun.org/files/shunlist.csv | Free | The input from your logs is used to identify hostile addresses (bots, worms, spam engines), which are used to build a shun list for your firewall so that you block the attackers before they enter your network. | | | | | |
| ✓ | Bambenek Consulting Feeds | http://osint.bambenekconsulting.com/feeds/ | Free | | | | | | |
| ✓ | Binary Defense Systems Artillery Threat Intelligence Feed and Banlist Feed | http://www.binarydefense.com/banlist.txt | Free | | | | | | The ATIF feed may not be used for commercial resale or in products that charge fees for such services. Use of these feeds for commercial (having others pay for a service) purposes is strictly prohibited. |
| ✓ | BLADE Malicious URL Analysis | Shutdown | | | | | | | This project was replaced with https://www.metaflows.com/ and https://www.taasera.com/before-the-breach. BLADE (Block All Drive-by Download Exploits) is a computer program developed by Phillip Porras and Vinod Yegneswaran at SRI International and by Long Lu and Wenke Lee at the Georgia Institute of Technology. BLADE was funded by grants from the National Science Foundation, the United States Army Research Laboratory, and the Office of Naval Research. The program is designed to prevent drive-by download malware attacks. Paper: http://www.csl.sri.com/users/vinod/papers/blade.pdf |
| ✓ | BlockList.de | http://lists.blocklist.de/lists/all.txt | Free | | | | | | |
| ✓ | BOTScout | http://botscout.com/last_caught_cache.htm | Free and Subscription | | | | | | |
| ✓ | Brute Force Blocker List | http://danger.rulez.sk/projects/bruteforceblocker/blist.php | Free | BruteForceBlocker is a Perl script that works along with pf, the firewall developed by the OpenBSD team (also available on FreeBSD since version 5.2). Its main purpose is to block SSH brute-force attacks via the firewall. | https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/default/bruteforceblocker.yml | | | | |
| ✓ | Cinsscore | http://cinsscore.com/list/; http://cinsscore.com/list/ci-badguys.txt | Free | Leveraging data from our network of Sentinel devices and other trusted InfoSec sources, CINS is an IP reputation database that provides an accurate and timely score for any IP address in the world. | | | | | |
| ✓ | CLEAN-MX Realtime Database | http://support.clean-mx.de/; http://support.clean-mx.de/clean-mx/xmlviruses?response=alive&format=csv&fields=url,ip,domain&domain=; http://support.clean-mx.de/clean-mx/xmlphishing?response=alive&format=csv&fields=url,ip,domain&domain= | Free; XML output available | | | | | | |
| | CriticalStack Intel Marketplace | https://intel.criticalstack.com/ | Free; registration required; optimized for Bro | Feeds and a portal | | Community feed aggregator | | | |
| ✓ | CYMRU Bogon List | | Free | | | | | | There are other services with Team CYMRU. |
| ✓ | CYMRU Reputation Feed | https://www.team-cymru.com/reputation-feed.html | Paid | Controller: IP used to control botnets. Bot: IP was observed talking with a known botnet C&C. Darknet: IP was observed scanning dark IP space for vulnerable hosts. Proxy: IP was observed being used as a proxy to connect to the public Internet. Router: IP is a router that was observed being used as a proxy. | | CYMRU sinkhole operations | | | An hourly XML feed of every IP address that is part of over 3,000 botnets we are tracking (controllers and infected clients) plus five further categories of malicious activity. Along with every Command and Control IP address (C2) for IRC-based, HTTP-based, and P2P-based botnets, there is also a full list of IP addresses known to have communicated with the C2 in the last 60 minutes. |
| ✓ | DenyHost | http://stats.denyhosts.net/stats.html | Free | | | | | | |
| ✓ | DGA List | http://osint.bambenekconsulting.com/feeds/dga-feed.txt | Free | Use this as a block list and a remediation list. | | | | Would need to be created as an RPZ list | Created by Bambenek Consulting |
| ✓ | DShield Blocklist - Top Bad IP Address List | https://www.dshield.org/ipsascii.html; https://isc.sans.edu/api | Free | DShield.org Top Bad IP Address List: https://www.dshield.org/ipsascii.html?limit=100 (can get up to 10000; has false positives and private IPs, so NOT recommended) | | | | | |
| ✓ | DShield Highly Predictive Blacklist | https://www.dshield.org/hpbinfo.html | Barter: send data and get the data. | | | | | | |
| ✓ | DShield.org Recommended Block List | https://www.dshield.org/block.txt | | | | | | | |
| | EmergingThreats Lists | http://doc.emergingthreats.net/bin/view/Main/EmergingFirewallRules; http://rules.emergingthreats.net/blockrules/emerging-botcc.rules | Free; includes Known Compromised Host List and Control Server Rules | | | | | | Looks to be discontinued; see https://www.proofpoint.com/us |
| ✓ | evilssh | http://vmx.yourcmc.ru/BAD_HOSTS.IP4 | Free | Hosts with these IPv4 addresses were caught brute-forcing SSH logins. | | | | | |
| | FireHOL IP Lists | | Free; combines several blacklists from other sources | | | | | | |
| ✓ | Google anti-phishing-email-reply | https://code.google.com/archive/p/anti-phishing-email-reply/ | Free | This project is intended to organize email service provider response to email phishing campaigns that convince the end user to reply via email with their information. | | | | | |
| | Google Safe Browsing API | | Free; programmatic access; restrictions apply | | | | | | |
| ✓ | Honeypot Project - Directory of Comment Spammer IPs | http://www.projecthoneypot.org/list_of_ips.php?t=p | Free | Comment spammer IPs (limited to the top 25; log in to see more) | | | | | |
| ✓ | Honeypot Project - Directory of Dictionary Attacker IPs | http://www.projecthoneypot.org/list_of_ips.php?t=d | Free | Dictionary attacker IPs (limited to the top 25; log in to see more) | | | | | |
| ✓ | Honeypot Project - Directory of Harvester IPs | http://www.projecthoneypot.org/list_of_ips.php?t=h | Free | Harvester IPs (limited to the top 25; log in to see more) | | | | | |
| ✓ | Honeypot Project - Directory of Malicious IPs | http://www.projecthoneypot.org/list_of_ips.php | Free | The top 25 malicious IPs, arranged by their last bad event. | | | | | |
| ✓ | Honeypot Project - Directory of Spam Server IPs | http://www.projecthoneypot.org/list_of_ips.php?t=s | Free | Spam server IPs (limited to the top 25; log in to see more) | | | | | |
| | HoneySpider | http://www.honeyspider.net/ | | | | | | | |
| ✓ | hpHosts File | http://hosts-file.net/ | Free; limited automation on request | hpHosts is a community managed and maintained hosts file that adds a layer of protection against access to ad, tracking and malicious websites. | | | | | |
| ✓ | Malc0de Database | http://malc0de.com/database/; http://malc0de.com/bl/IP_Blacklist.txt | Free | | https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/default/malc0de.yml | | | | |
| ✓ | Malware Blacklist | http://www.malwareblacklist.com/ | Free; partnerships with commercial organizations | The project houses one of the largest online repositories of malicious URLs, intended to help researchers understand the ever-evolving threat landscape. | | | | | |
| ✓ | Malware Domain Blocklist | http://www.malwaredomains.com/ | Free for non-commercial use | | | | | | |
| ✓ | Malware Group | http://www.malwaregroup.com/ipaddresses | Free | | | | | | |
| | Malware Patrol's Malware Block Lists | http://www.malware.com.br/ | Free for non-commercial use | | | | | | |
| | Malware-Control Blacklist | Not contactable | Commercial service; free licensing options available | | | | | | |
| ✓ | MalwareDomainList.com Hosts List | http://www.malwaredomainlist.com/hostslist/hosts.txt; http://www.malwaredomainlist.com/mdl.php?colsearch=All&quantity=All&search=; http://mirror1.malwaredomains.com/files/domains.txt | Free | | https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/default/malwaredomains.yml | | | | |
| ✓ | Malwareint | http://malwareint.com | Subscription | | | | | | |
| ✓ | MalwareURL List | www.malwareurl.com | Commercial service; free licensing options may be available | | | | | | |
| ✓ | MALWR | https://malwr.com/ | Free | Malwr is a free malware analysis service and community launched in January 2011. You can submit files to it and receive the results of a complete dynamic analysis. | | | | | |
| | mIRC Whitelist | http://www.mirc.com/servers.ini | | | https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/default/mirc.yml | | | | |
| ✓ | Nictasoft | http://www.nictasoft.com/viruslib | Free | | | | | | |
| ✓ | NoThink.org | http://www.nothink.org/blacklist/blacklist_malware_irc.txt; http://www.nothink.org/blacklist/blacklist_ssh_day.txt; http://www.nothink.org/blacklist/blacklist_malware_dns.txt | Free | | https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/default/nothink_org.yml | | | | From the site: "I'm Matteo Cantoni, ICT senior security analyst and penetration tester. Here you can find free statistics of my honeypot systems (dns, ssh, telnet, web, snmp, malware archive) and other stuff. I'm an OpenBSD aficionado and occasionally I contribute to the Metasploit project, developing modules and porting public exploits." |
| ✓ | OpenBL.org Abuse Reporting and Blacklisting | https://www.openbl.org/; https://www.openbl.org/lists.html; http://www.openbl.org/lists/base_30days.txt | Free | | https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/default/openbl.yml | | | | The OpenBL.org project (formerly known as the SSH blacklist) is about detecting, logging and reporting various types of internet abuse. Currently their hosts monitor ports 21 (FTP), 22 (SSH), 23 (TELNET), 25 (SMTP), 110 (POP3), 143 (IMAP), 587 (Submission), 993 (IMAPS) and 995 (POP3S) for brute-force login attacks as well as scans on ports 80 (HTTP) and 443 (HTTPS) for vulnerable installations of phpMyAdmin and other web applications. For every logged attack an email is sent to the contacts listed in the whois record and/or the reverse IP SOA information of the attacking host's IP address, just a few seconds after the attack or scan started, in the hope that the responsible administrators use the information to quickly secure and clean the misused and probably compromised hosts. Additionally the IP is published on a public blacklist, updated every few minutes, containing IP addresses of hosts which attacked any of their currently 40 hosts (all running OpenBSD or some Linux distribution). The hosts are located all around the world and set up to report and log those attempts to a central database, very similar to the spam blacklists. The newest entries are always added to the top of the lists. An attack is logged as a retry if the same IP is logged again at least 48 hours later from the same host or from any other reporting host. To prevent an inflated retry count, all reporting hosts are within different IP ranges from different providers. |
| ✓ | OpenPhish | https://openphish.com/ | Phishing sites; free for non-commercial use | | https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/default/openphish.yml | | | | |
| ✓ | Packet Mail | https://www.packetmail.net/iprep.txt | Free | | https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/default/packetmail.yml | | | | From the feed: "The following IP addresses have been detected performing TCP SYN to 206.82.85.196/30 to a non-listening service or daemon. No assertion is made, nor implied, that any of the below listed IP addresses are accurate, malicious, hostile, or engaged in nefarious acts. Use this list at your own risk. By using this list in any capacity or capability you release all claims of damages and shall not hold or perceive any liability against the publisher for: damage, unexpected events or results, decision, or reputation damage, even those resulting from wilful or intentional neglect." |
| ✓ | ParetoLogic URL Clearing House | http://www.paretologic.com/ | Free for non-commercial use; registration required | | | | | | |
| ✓ | Passive Spam Block List | http://psbl.org/ | Free | Simple listing policy: an IP address is added to the PSBL when it sends email to a spamtrap, that email is not identified as non-spam, and the IP address is not a known mail server. | | | | | |
| | Palevotracker | https://palevotracker.abuse.ch/ | | | https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/default/palevotracker.yml | | | | |
| ✓ | PhishTank Phish Archive | http://www.phishtank.com/phish_archive.php | Free; query database via API | | https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/default/phishtank.yml | | | | |
| | ProxySpy | http://txt.proxyspy.net/proxy.txt | | | https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/default/proxyspy_net.yml | | | | |
| | Project Honey Pot's Directory of Malicious IPs | | Free; registration required to view more than 25 IPs | | | | | | |
| | Ransomware Abuse | http://ransomware.abuse.ch | | | https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/default/ransomware_abuse_ch.yml | | | | |
| ✓ | Scumware.org | http://www.scumware.org/ | Free | | | | | | |
| | Shadowserver IP and URL Reports | | Free; registration and approval required | | | | | | |
| | Sourcefire Vulnerability Research | | Free | | | | | | |
| ✓ | SPAMCOP | https://www.spamcop.net/bl.shtml | Free | | | | | | |
| | SPAMHAUS | http://www.spamhaus.org | | | https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/default/spamhaus.yml | | | | |
| | Squidblacklist.org | | Paid and free options available | | | | | | |
| | SRI Threat Intelligence Lists | | Free; re-distribution prohibited | | | | | | |
| ✓ | SSH Dictionary Attack | http://charles.the-haleys.org/ssh_dico_attack_hdeny_format.php/hostsdeny.txt | Free | | | | | | |
| ✓ | SSLBL.Abuse.CH | https://sslbl.abuse.ch/ | Free | SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of "bad" SSL certificates identified by abuse.ch as associated with malware or botnet activity. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists that can be found in the SSL Blacklist section. | https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/default/sslbl_abuse_ch.yml | | | | |
| ✓ | Stop Forum Spam Lists | http://www.stopforumspam.com/downloads/ | Free | | | | | | |
| | Sucuri Blacklists | | Free; blacklists of sites hosting malware and of IPs scanning networks | | | | | | |
| ✓ | t-Arend | http://www.t-arend.de/linux/badguys.txt | Free | | | | | | |
| | ThreatStop | | Paid; free trial available | | | | | | |
| ✓ | TOR Exit Nodes | https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1; http://pastebin.com/raw/PKm9ppYh | Free | A list of all Tor exit nodes from the past 16 hours that can contact 1.1.1.1 on port 80. | | | | | |
| ✓ | URIBL | http://uribl.com/datafeed.shtml | Subscription | | | | | | |
| ✓ | URL Blacklist | http://urlblacklist.com/ | Paid; first download free | A commercial managed URL blacklist service. The bulk of the entries are downloaded from various free sites. | | | | | |
| ✓ | URLQuery | http://urlquery.net/index.php | Free | urlQuery.net is a service for detecting and analyzing web-based malware. It provides detailed information about the activities a browser performs while visiting a site and presents the information for further analysis. | | | | | |
| ✓ | Virbl-project | http://virbl.org/download/virbl.dnsbl.bit.nl.txt | Free | | | | | | |
| ✓ | VxVault | http://vxvault.siri-urz.net/ViriList.php | Free | | https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/default/vxvault.yml | | | | |
| ✓ | ZeuS Tracker Blocklist and URLs | https://zeustracker.abuse.ch/blocklist.php | Free | The abuse.ch ZeuS Tracker helps you track ZeuS Command & Control servers (C&Cs) and generate an IP blocklist or domain blocklist. | https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/default/zeustracker.yml | | | | |
| ✓ | Zone-H | http://www.zone-h.org/?zh=1 | Free | Zone-H is an archive of defaced websites. Once a defaced website is submitted to Zone-H, it is mirrored on the Zone-H servers and then moderated by the Zone-H staff to check whether the defacement was fake. | | | | | |

| Name of the Service | URL | Cost | Function - What is checked? | Type | Data Source | Turning the List Into Action | RPZ Capable? | Notes |
|---|---|---|---|---|---|---|---|---|
| IPVoid | http://www.ipvoid.com/ | Free | Scans IP addresses; traces e-mail addresses; traces names | | | | | |