--- providers: ViriBack: Unsafe sites: description: Latest detected unsafe sites. additional_information: You need to install the lxml library in order to parse this feed. bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: http://tracker.viriback.com/ rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.html_table.parser parameters: columns: ["malware.name", "source.url", "source.ip", "time.source"] type: malware time_format: from_format_midnight|%d-%m-%Y html_parser: lxml revision: 2018-06-27 documentation: https://viriback.com/ public: yes WebInspektor: Unsafe sites: description: Latest detected unsafe sites. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://app.webinspector.com/public/recent_detections/ rate_limit: 60 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.webinspektor.parser parameters: revision: 2018-03-09 documentation: public: yes Sucuri: Hidden IFrames: description: Latest hidden iframes identified on compromised web sites. additional_information: Please note that the parser only extracts the hidden iframes and the conditional redirects, not the encoded javascript. bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: http://labs.sucuri.net/?malware rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.sucuri.parser parameters: revision: 2018-01-28 documentation: http://labs.sucuri.net/?malware public: yes Surbl: Malicious Domains: description: Detected malicious domains. Note that you have to opened up Sponsored Datafeed Service (SDS) access to the SURBL data via rsync for your IP address. additional_information: bots: collector: module: intelmq.bots.collectors.rsync.collector_rsync parameters: file: wild.surbl.org.rbldnsd rsync_path: blacksync.prolocation.net::surbl-wild/ parser: module: intelmq.bots.parsers.surbl.parser parameters: revision: 2018-09-04 documentation: public: no MalwarePatrol: DansGuardian: description: Malware block list with URLs additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://lists.malwarepatrol.net/cgi/getfile?receipt={{ your API key }}&product=8&list=dansguardian rate_limit: 180000 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.malwarepatrol.parser_dansguardian parameters: revision: 2018-01-20 documentation: https://www.malwarepatrol.net/non-commercial/ public: no Malware Domains: Malicious: description: Malware Prevention through Domain Blocking (Black Hole DNS Sinkhole) additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: http://mirror1.malwaredomains.com/files/domains.txt rate_limit: 172800 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.malwaredomains.parser parameters: revision: 2018-01-20 documentation: http://www.malwaredomains.com/ public: yes ZoneH: Defacements: description: all the information contained in Zone-H's cybercrime archive were either collected online from public sources or directly notified anonymously to us. additional_information: bots: collector: module: intelmq.bots.collectors.mail.collector_mail_attach parameters: mail_host: __HOST__ mail_password: __PASSWORD__ mail_ssl: true mail_user: __USERNAME__ sent_from: datazh@zone-h.org folder: INBOX subject_regex: Report extract_files: false attach_regex: csv rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.zoneh.parser parameters: revision: 2018-01-20 documentation: https://zone-h.org/ public: no OpenPhish: Public feed: description: OpenPhish is a fully automated self-contained platform for phishing intelligence. It identifies phishing sites and performs intelligence analysis in real time without human intervention and without using any external resources, such as blacklists. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://www.openphish.com/feed.txt rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.openphish.parser parameters: revision: 2018-01-20 documentation: https://www.openphish.com/ public: yes Premium Feed: description: OpenPhish is a fully automated self-contained platform for phishing intelligence. It identifies phishing sites and performs intelligence analysis in real time without human intervention and without using any external resources, such as blacklists. additional_information: Discounts available for Government and National CERTs a well as for Nonprofit and Not-for-Profit organizations. bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://openphish.com/prvt-intell/ http_password: "{{ your password}}" http_username: "{{ your username}}" rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.openphish.parser_commercial parameters: revision: 2018-02-06 documentation: https://www.openphish.com/phishing_feeds.html public: no Netlab 360: Mirai Scanner: description: 'This feed provides IP addresses which actively scan for vulnerable IoT devices and install Mirai Botnet.' additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: http://data.netlab.360.com/feeds/mirai-scanner/scanner.list rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.netlab_360.parser parameters: revision: 2018-01-20 documentation: http://data.netlab.360.com/mirai-scanner/ public: yes Magnitude EK: description: 'This feed lists FQDN and possibly the URL used by Magnitude Exploit Kit. Information also includes the IP address used for the domain and last time seen.' additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: http://data.netlab.360.com/feeds/ek/magnitude.txt rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.netlab_360.parser parameters: revision: 2018-01-20 documentation: http://data.netlab.360.com/ek public: yes DGA: description: 'This feed lists DGA family, Domain, Start and end of valid time(UTC) of a number of DGA families.' additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: http://data.netlab.360.com/feeds/dga/dga.txt rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.netlab_360.parser parameters: revision: 2018-01-20 documentation: http://data.netlab.360.com/dga public: yes Hajime Scanner: description: 'This feed lists IP address for know Hajime bots network. These IPs data are obtained by joining the DHT network and interacting with the Hajime node' additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://data.netlab.360.com/feeds/hajime-scanner/bot.list rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.netlab_360.parser parameters: revision: 2019-08-01 documentation: https://data.netlab.360.com/hajime/ public: yes Abuse.ch: Feodo Tracker IPs: description: 'List of botnet Command&Control servers (C&Cs) tracked by Feodo Tracker, associated with Dridex and Emotet (aka Heodo).' additional_information: https://feodotracker.abuse.ch/ The data in the column Last Online is used for `time.source` if available, with 00:00 as time. Otherwise first seen is used as `time.source`. bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://feodotracker.abuse.ch/downloads/ipblocklist.csv rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.abusech.parser_ip parameters: revision: 2019-03-25 documentation: https://feodotracker.abuse.ch/ public: yes URLhaus: description: URLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution. URLhaus offers a country, ASN (AS number) and Top Level Domain (TLD) feed for network operators / Internet Service Providers (ISPs), Computer Emergency Response Teams (CERTs) and domain registries. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://urlhaus.abuse.ch/feeds/tld//, https://urlhaus.abuse.ch/feeds/country//, or https://urlhaus.abuse.ch/feeds/asn// rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.generic.parser_csv parameters: skip_header: false default_url_protocol: http:// type_translation: '{"malware_download": "malware-distribution"}' delimiter: "," columns: - time.source - source.url - status - classification.type|__IGNORE__ - source.fqdn|__IGNORE__ - source.ip - source.asn - source.geolocation.cc revision: 2020-07-07 documentation: https://urlhaus.abuse.ch/feeds/ public: yes Feodo Tracker Browse: description: '' additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://feodotracker.abuse.ch/browse rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.html_table.parser parameters: columns: "time.source,source.ip,malware.name,status,extra.SBL,source.as_name,source.geolocation.cc" ignore_values: ",,,,Not listed,," skip_table_head: True type: c2server revision: 2019-03-19 documentation: https://feodotracker.abuse.ch/browse public: yes Blueliv: CrimeServer: description: Blueliv Crimeserver Collector is the bot responsible to get the report through the API. additional_information: The service uses a different API for free users and paying subscribers. In 'CrimeServer' feed the difference lies in the data points present in the feed. The non-free API available from Blueliv contains, for this specific feed, following extra fields not present in the free API; "_id" - Internal unique ID "subType" - Subtype of the Crime Server "countryName" - Country name where the Crime Server is located, in English "city" - City where the Crime Server is located "domain" - Domain of the Crime Server "host" - Host of the Crime Server "createdAt" - Date when the Crime Server was added to Blueliv CrimeServer database "asnCidr" - Range of IPs that belong to an ISP (registered via Autonomous System Number (ASN)) "asnId" - Identifier of an ISP registered via ASN "asnDesc" Description of the ISP registered via ASN bots: collector: module: intelmq.bots.collectors.blueliv.collector_crimeserver parameters: rate_limit: 3600 api_key: __APIKEY__ name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.blueliv.parser_crimeserver parameters: revision: 2018-01-20 documentation: https://www.blueliv.com/ public: no Team Cymru: CAP: description: Team Cymru provides daily lists of compromised or abused devices for the ASNs and/or netblocks with a CSIRT's jurisdiction. This includes such information as bot infected hosts, command and control systems, open resolvers, malware urls, phishing urls, and brute force attacks additional_information: | "Two feeds types are offered: * The new https://www.cymru.com/$certname/$certname_{time[%Y%m%d]}.txt * and the old https://www.cymru.com/$certname/infected_{time[%Y%m%d]}.txt Both formats are supported by the parser and the new one is recommended. As of 2019-09-12 the old format will be retired soon." bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_password: "{{your password}}" http_url_formatting: true http_url: https://www.cymru.com/$certname/$certname_{time[%Y%m%d]}.txt http_username: "{{your login}}" rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.cymru.parser_cap_program parameters: revision: 2018-01-20 documentation: https://www.team-cymru.com/CSIRT-AP.html https://www.cymru.com/$certname/report_info.txt public: no Full Bogons IPv4: description: Fullbogons are a larger set which also includes IP space that has been allocated to an RIR, but not assigned by that RIR to an actual ISP or other end-user. IANA maintains a convenient IPv4 summary page listing allocated and reserved netblocks, and each RIR maintains a list of all prefixes that they have assigned to end-users. Our bogon reference pages include additional links and resources to assist those who wish to properly filter bogon prefixes within their networks. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.cymru.parser_full_bogons parameters: revision: 2018-01-20 documentation: https://www.team-cymru.com/bogon-reference-http.html public: yes Full Bogons IPv6: description: Fullbogons are a larger set which also includes IP space that has been allocated to an RIR, but not assigned by that RIR to an actual ISP or other end-user. IANA maintains a convenient IPv4 summary page listing allocated and reserved netblocks, and each RIR maintains a list of all prefixes that they have assigned to end-users. Our bogon reference pages include additional links and resources to assist those who wish to properly filter bogon prefixes within their networks. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.cymru.parser_full_bogons parameters: revision: 2018-01-20 documentation: https://www.team-cymru.com/bogon-reference-http.html public: yes Taichung: Netflow Recent: description: "Abnormal flows detected: Attacking (DoS, Brute-Force, Scanners) and malicious hosts (C&C servers, hosting malware)" additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://www.tc.edu.tw/net/netflow/lkout/recent/ rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.taichung.parser revision: 2018-01-20 documentation: https://www.tc.edu.tw/net/netflow/lkout/recent/ public: yes Dataplane: SSH Client Connection: description: Entries below consist of fields with identifying characteristics of a source IP address that has been seen initiating an SSH connection to a remote host. This report lists hosts that are suspicious of more than just port scanning. The hosts may be SSH server cataloging or conducting authentication attack attempts. Report is updated hourly. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: http://dataplane.org/sshclient.txt rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.dataplane.parser parameters: revision: 2018-01-20 documentation: http://dataplane.org/ public: yes SSH Password Authentication: description: Entries below consist of fields with identifying characteristics of a source IP address that has been seen attempting to remotely login to a host using SSH password authentication. The report lists hosts that are highly suspicious and are likely conducting malicious SSH password authentication attacks. Report is updated hourly. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: http://dataplane.org/sshpwauth.txt rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.dataplane.parser parameters: revision: 2018-01-20 documentation: http://dataplane.org/ public: yes SIP Query: description: Entries consist of fields with identifying characteristics of a source IP address that has been seen initiating a SIP OPTIONS query to a remote host. This report lists hosts that are suspicious of more than just port scanning. The hosts may be SIP server cataloging or conducting various forms of telephony abuse. Report is updated hourly. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: http://dataplane.org/sipquery.txt rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.dataplane.parser parameters: revision: 2018-01-20 documentation: http://dataplane.org/ public: yes SIP Registration: description: Entries consist of fields with identifying characteristics of a source IP address that has been seen initiating a SIP REGISTER operation to a remote host. This report lists hosts that are suspicious of more than just port scanning. The hosts may be SIP client cataloging or conducting various forms of telephony abuse. Report is updated hourly. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: http://dataplane.org/sipregistration.txt rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.dataplane.parser parameters: revision: 2018-01-20 documentation: http://dataplane.org/ public: yes Turris: Greylist: description: The data are processed and classified every week and behaviour of IP addresses that accessed a larger number of Turris routers is evaluated. The result is a list of addresses that have tried to obtain information about services on the router or tried to gain access to them. The list also contains a list of tags for each address which indicate what behaviour of the address was observed. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://www.turris.cz/greylist-data/greylist-latest.csv rate_limit: 43200 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.turris.parser parameters: revision: 2018-01-20 documentation: https://project.turris.cz/en/greylist public: yes Greylist with PGP signature verification: description: | The data are processed and classified every week and behaviour of IP addresses that accessed a larger number of Turris routers is evaluated. The result is a list of addresses that have tried to obtain information about services on the router or tried to gain access to them. The list also contains a list of tags for each address which indicate what behaviour of the address was observed. The Turris Greylist feed provides PGP signatures for the provided files. You will need to import the public PGP key from the linked documentation page, currently available at https://pgp.mit.edu/pks/lookup?op=vindex&search=0x10876666 or from below. See the URL Fetcher Collector documentation for more information on PGP signature verification. PGP Public key: ``` -----BEGIN PGP PUBLIC KEY BLOCK----- Version: SKS 1.1.6 Comment: Hostname: pgp.mit.edu mQINBFRl7D8BEADaRFoDa/+r27Gtqrdn8sZL4aSYTU4Q3gDr3TfigK8H26Un/Y79a/DUL1o0 o8SRae3uwVcjJDHZ6KDnxThbqF7URfpuCcCYxOs8p/eu3dSueqEGTODHWF4ChIh2japJDc4t 3FQHbIh2e3GHotVqJGhvxMmWqBFoZ/mlWvhjs99FFBZ87qbUNk7l1UAGEXeWeECgz9nGox40 3YpCgEsnJJsKC53y5LD/wBf4z+z0GsLg2GMRejmPRgrkSE/d9VjF/+niifAj2ZVFoINSVjjI 8wQFc8qLiExdzwLdgc+ggdzk5scY3ugI5IBt1zflxMIOG4BxKj/5IWsnhKMG2NLVGUYOODoG pKhcY0gCHypw1bmkp2m+BDVyg4KM2fFPgQ554DAX3xdukMCzzZyBxR3UdT4dN7xRVhpph3Y2 Amh1E/dpde9uwKFk1oRHkRZ3UT1XtpbXtFNY0wCiGXPt6KznJAJcomYFkeLHjJo3nMK0hISV GSNetVLfNWlTkeo93E1innbSaDEN70H4jPivjdVjSrLtIGfr2IudUJI84dGmvMxssWuM2qdg FSzoTHw9UE9KT3SltKPS+F7u9x3h1J492YaVDncATRjPZUBDhbvo6Pcezhup7XTnI3gbRQc2 oEUDb933nwuobHm3VsUcf9686v6j8TYehsbjk+zdA4BoS/IdCwARAQABtC5UdXJyaXMgR3Jl eWxpc3QgR2VuZXJhdG9yIDxncmV5bGlzdEB0dXJyaXMuY3o+iQI4BBMBAgAiBQJUZew/AhsD BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDAQrU3EIdmZoH4D/9Jo6j9RZxCAPTaQ9WZ WOdb1Eqd/206bObEX+xJAago+8vuy+waatHYBM9/+yxh0SIg2g5whd6J7A++7ePpt5XzX6hq bzdG8qGtsCRu+CpDJ40UwHep79Ck6O/A9KbZcZW1z/DhbYT3z/ZVWALy4RtgmyC67Vr+j/C7 KNQ529bs3kP9AzvEIeBC4wdKl8dUSuZIPFbgf565zRNKLtHVgVhiuDPcxKmBEl4/PLYF30a9 5Tgp8/PNa2qp1DV/EZjcsxvSRIZB3InGBvdKdSzvs4N/wLnKWedj1GGm7tJhSkJa4MLBSOIx yamhTS/3A5Cd1qoDhLkp7DGVXSdgEtpoZDC0jR7nTS6pXojcgQaF7SfJ3cjZaLI5rjsx0YLk G4PzonQKCAAQG1G9haCDniD8NrrkZ3eFiafoKEECRFETIG0BJHjPdSWcK9jtNCupBYb7JCiz Q0hwLh2wrw/wCutQezD8XfsBFFIQC18TsJAVgdHLZnGYkd5dIbV/1scOcm52w6EGIeMBBYlB J2+JNukH5sJDA6zAXNl2I1H1eZsP4+FSNIfB6LdovHVPAjn7qXCw3+IonnQK8+g8YJkbbhKJ sPejfg+ndpe5u0zX+GvQCFBFu03muANA0Y/OOeGIQwU93d/akN0P1SRfq+bDXnkRIJQOD6XV 0ZPKVXlNOjy/z2iN2A== =wjkM -----END PGP PUBLIC KEY BLOCK----- ``` additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://www.turris.cz/greylist-data/greylist-latest.csv name: Greylist provider: __PROVIDER__ rate_limit: 43200 signature_url: https://www.turris.cz/greylist-data/greylist-latest.csv.asc verify_pgp_signatures: false parser: module: intelmq.bots.parsers.turris.parser parameters: revision: 2018-01-20 documentation: https://project.turris.cz/en/greylist public: yes University of Toulouse: Blacklist: description: Various blacklist feeds additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://dsi.ut-capitole.fr/blacklists/download/{collection name}.tar.gz extract_files: 'true' rate_limit: 43200 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.generic.parser_csv parameters: type: "{depends on a collection}" delimiter: 'false' columns: "{depends on a collection}" revision: 2018-01-20 documentation: https://dsi.ut-capitole.fr/blacklists/ public: yes Autoshun: Shunlist: description: You need to register in order to use the list. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://www.autoshun.org/download/?api_key=__APIKEY__&format=html rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.autoshun.parser parameters: revision: 2018-01-20 documentation: https://www.autoshun.org/ public: no Danger Rulez: Bruteforce Blocker: description: Its main purpose is to block SSH bruteforce attacks via firewall. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: http://danger.rulez.sk/projects/bruteforceblocker/blist.php rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.danger_rulez.parser parameters: revision: 2018-01-20 documentation: http://danger.rulez.sk/index.php/bruteforceblocker/ public: yes Spamhaus: Drop: description: The DROP list will not include any IP address space under the control of any legitimate network - even if being used by "the spammers from hell". DROP will only include netblocks allocated directly by an established Regional Internet Registry (RIR) or National Internet Registry (NIR) such as ARIN, RIPE, AFRINIC, APNIC, LACNIC or KRNIC or direct RIR allocations. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://www.spamhaus.org/drop/drop.txt rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.spamhaus.parser_drop parameters: revision: 2018-01-20 documentation: https://www.spamhaus.org/drop/ public: yes ASN Drop: description: ASN-DROP contains a list of Autonomous System Numbers controlled by spammers or cyber criminals, as well as "hijacked" ASNs. ASN-DROP can be used to filter BGP routes which are being used for malicious purposes. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://www.spamhaus.org/drop/asndrop.txt rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.spamhaus.parser_drop parameters: revision: 2018-01-20 documentation: https://www.spamhaus.org/drop/ public: yes Dropv6: description: The DROPv6 list includes IPv6 ranges allocated to spammers or cyber criminals. DROPv6 will only include IPv6 netblocks allocated directly by an established Regional Internet Registry (RIR) or National Internet Registry (NIR) such as ARIN, RIPE, AFRINIC, APNIC, LACNIC or KRNIC or direct RIR allocations. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://www.spamhaus.org/drop/dropv6.txt rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.spamhaus.parser_drop parameters: revision: 2018-01-20 documentation: https://www.spamhaus.org/drop/ public: yes CERT: description: Spamhaus CERT Insight Portal. Access limited to CERTs and CSIRTs with national or regional responsibility. . additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: "{{ your CERT portal URL }}" rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.spamhaus.parser_cert parameters: revision: 2018-01-20 documentation: https://www.spamhaus.org/news/article/705/spamhaus-launches-cert-insight-portal public: no EDrop: description: EDROP is an extension of the DROP list that includes sub-allocated netblocks controlled by spammers or cyber criminals. EDROP is meant to be used in addition to the direct allocations on the DROP list. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://www.spamhaus.org/drop/edrop.txt rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.spamhaus.parser_drop parameters: revision: 2018-01-20 documentation: https://www.spamhaus.org/drop/ public: yes PhishTank: Online: description: PhishTank is a collaborative clearing house for data and information about phishing on the Internet. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://data.phishtank.com/data/{{ your API key }}/online-valid.csv rate_limit: 28800 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.phishtank.parser parameters: revision: 2018-01-20 documentation: https://www.phishtank.com/developer_info.php public: no CINSscore: Army List: description: 'The CINS Army list is a subset of the CINS Active Threat Intelligence ruleset, and consists of IP addresses that meet one of two basic criteria: 1) The IP''s recent Rogue Packet score factor is very poor, or 2) The IP has tripped a designated number of ''trusted'' alerts across a given number of our Sentinels deployed around the world.' additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: http://cinsscore.com/list/ci-badguys.txt rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.ci_army.parser parameters: revision: 2018-01-20 documentation: https://cinsscore.com/#list public: yes Blocklist.de: IRC Bots: description: No description provided by feed provider. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://lists.blocklist.de/lists/ircbot.txt rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.blocklistde.parser parameters: revision: 2018-01-20 documentation: http://www.blocklist.de/en/export.html public: yes Strong IPs: description: Blocklist.DE Strong IPs Collector is the bot responsible to get the report from source of information. All IPs which are older then 2 month and have more then 5.000 attacks. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://lists.blocklist.de/lists/strongips.txt rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.blocklistde.parser parameters: revision: 2018-01-20 documentation: http://www.blocklist.de/en/export.html public: yes Mail: description: Blocklist.DE Mail Collector is the bot responsible to get the report from source of information. All IP addresses which have been reported within the last 48 hours as having run attacks on the service Mail, Postfix. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://lists.blocklist.de/lists/mail.txt rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.blocklistde.parser parameters: revision: 2018-01-20 documentation: http://www.blocklist.de/en/export.html public: yes Apache: description: Blocklist.DE Apache Collector is the bot responsible to get the report from source of information. All IP addresses which have been reported within the last 48 hours as having run attacks on the service Apache, Apache-DDOS, RFI-Attacks. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://lists.blocklist.de/lists/apache.txt rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.blocklistde.parser parameters: revision: 2018-01-20 documentation: http://www.blocklist.de/en/export.html public: yes FTP: description: Blocklist.DE FTP Collector is the bot responsible to get the report from source of information. All IP addresses which have been reported within the last 48 hours for attacks on the Service FTP. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://lists.blocklist.de/lists/ftp.txt rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.blocklistde.parser parameters: revision: 2018-01-20 documentation: http://www.blocklist.de/en/export.html public: yes SSH: description: Blocklist.DE SSH Collector is the bot responsible to get the report from source of information. All IP addresses which have been reported within the last 48 hours as having run attacks on the service SSH. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://lists.blocklist.de/lists/ssh.txt rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.blocklistde.parser parameters: revision: 2018-01-20 documentation: http://www.blocklist.de/en/export.html public: yes Brute-force Logins: description: Blocklist.DE Brute-force Login Collector is the bot responsible to get the report from source of information. All IPs which attacks Joomlas, Wordpress and other Web-Logins with Brute-Force Logins. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://lists.blocklist.de/lists/bruteforcelogin.txt rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.blocklistde.parser parameters: revision: 2018-01-20 documentation: http://www.blocklist.de/en/export.html public: yes Bots: description: Blocklist.DE Bots Collector is the bot responsible to get the report from source of information. All IP addresses which have been reported within the last 48 hours as having run attacks attacks on the RFI-Attacks, REG-Bots, IRC-Bots or BadBots (BadBots = he has posted a Spam-Comment on a open Forum or Wiki). additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://lists.blocklist.de/lists/bots.txt rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.blocklistde.parser parameters: revision: 2018-01-20 documentation: http://www.blocklist.de/en/export.html public: yes IMAP: description: Blocklist.DE IMAP Collector is the bot responsible to get the report from source of information. All IP addresses which have been reported within the last 48 hours for attacks on the service like IMAP, SASL, POP3, etc. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://lists.blocklist.de/lists/imap.txt rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.blocklistde.parser parameters: revision: 2018-01-20 documentation: http://www.blocklist.de/en/export.html public: yes SIP: description: Blocklist.DE SIP Collector is the bot responsible to get the report from source of information. All IP addresses that tried to login in a SIP-, VOIP- or Asterisk-Server and are included in the IPs-List from http://www.infiltrated.net/ (Twitter). additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://lists.blocklist.de/lists/sip.txt rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.blocklistde.parser parameters: revision: 2018-01-20 documentation: http://www.blocklist.de/en/export.html public: yes CERT-Bund: CB-Report Malware infections via IMAP: description: CERT-Bund sends reports for the malware-infected hosts. additional_information: Traffic from malware related hosts contacting command-and-control servers is caught and sent to national CERT teams. There are two e-mail feeds with identical CSV structure -- one reports on general malware infections, the other on the Avalanche botnet. bots: collector: module: intelmq.bots.collectors.mail.collector_mail_attach parameters: mail_host: __HOST__ mail_password: __PASSWORD__ mail_ssl: true mail_user: __USERNAME__ attach_regex: events.csv extract_files: false rate_limit: 86400 subject_regex: ^\\[CB-Report#.* Malware infections (\\(Avalanche\\) )?in country folder: INBOX name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.generic.parser_csv parameters: skip_header: true default_url_protocol: http:// time_format: from_format|%Y-%m-%d %H:%M:%S delimiter: "," columns: - source.asn - source.ip - time.source - classification.type - malware.name - source.port - destination.ip - destination.port - destination.fqdn - protocol.transport type: infected-system revision: 2020-08-20 documentation: public: no CERT.PL: N6 Stomp Stream: description: N6 Collector - CERT.pl's N6 Collector - N6 feed via STOMP interface. Note that rate_limit does not apply for this bot as it is waiting for messages on a stream. additional_information: Contact cert.pl to get access to the feed. bots: collector: module: intelmq.bots.collectors.stomp.collector parameters: exchange: "{insert your exchange point as given by CERT.pl}" ssl_client_certificate_key: "{insert path to client cert key file for CERT.pl's n6}" ssl_ca_certificate: "{insert path to CA file for CERT.pl's n6}" port: '61614' ssl_client_certificate: "{insert path to client cert file for CERTpl's n6}" server: n6stream.cert.pl name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.n6.parser_n6stomp parameters: revision: 2018-01-20 documentation: https://n6.cert.pl/en/ public: no AlienVault: OTX: description: AlienVault OTX Collector is the bot responsible to get the report through the API. Report could vary according to subscriptions. additional_information: bots: collector: module: intelmq.bots.collectors.alienvault_otx.collector parameters: api_key: "{{ your API key }}" name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.alienvault.parser_otx parameters: revision: 2018-01-20 documentation: https://otx.alienvault.com/ public: no Reputation List: description: List of malicious IPs. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://reputation.alienvault.com/reputation.data rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.alienvault.parser parameters: revision: 2018-01-20 documentation: public: yes CleanMX: Virus: description: In order to download the CleanMX feed you need to use a custom user agent and register that user agent. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: http://support.clean-mx.de/clean-mx/xmlviruses?response=alive&domain= http_timeout_sec: 120 http_user_agent: "{{ your user agent }}" rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.cleanmx.parser parameters: revision: 2018-01-20 documentation: http://clean-mx.de/ public: no Phishing: description: In order to download the CleanMX feed you need to use a custom user agent and register that user agent. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: http://support.clean-mx.de/clean-mx/xmlphishing?response=alive&domain= http_timeout_sec: 120 http_user_agent: "{{ your user agent }}" rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.cleanmx.parser parameters: revision: 2018-01-20 documentation: http://clean-mx.de/ public: no AnubisNetworks: Cyberfeed Stream: description: Fetches and parsers the Cyberfeed data stream. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http_stream parameters: http_url: https://prod.cyberfeed.net/stream?key={{ your API key }} strip_lines: 'true' name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.anubisnetworks.parser parameters: use_malware_familiy_as_classification_identifier: true revision: 2020-06-15 documentation: https://www.anubisnetworks.com/ https://www.bitsight.com/ public: no Bambenek: C2 Domains: description: 'Master Feed of known, active and non-sinkholed C&Cs domain names. Requires access credentials.' additional_information: 'License: https://osint.bambenekconsulting.com/license.txt' bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://faf.bambenekconsulting.com/feeds/c2-dommasterlist.txt http_username: __USERNAME__ http_password: __PASSWORD__ rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.bambenek.parser parameters: revision: 2018-01-20 documentation: https://osint.bambenekconsulting.com/feeds/ public: no C2 IPs: description: 'Master Feed of known, active and non-sinkholed C&Cs IP addresses. Requires access credentials.' additional_information: 'License: https://osint.bambenekconsulting.com/license.txt' bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://faf.bambenekconsulting.com/feeds/c2-ipmasterlist.txt http_username: __USERNAME__ http_password: __PASSWORD__ rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.bambenek.parser parameters: revision: 2018-01-20 documentation: https://osint.bambenekconsulting.com/feeds/ public: no DGA Domains: description: Domain feed of known DGA domains from -2 to +3 days additional_information: 'License: https://osint.bambenekconsulting.com/license.txt' bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://faf.bambenekconsulting.com/feeds/dga-feed.txt rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.bambenek.parser parameters: revision: 2018-01-20 documentation: https://osint.bambenekconsulting.com/feeds/ public: yes cAPTure: Ponmocup Domains CIF Format: description: List of ponmocup malware redirection domains and infected web-servers from cAPTure. See also http://security-research.dyndns.org/pub/botnet-links.htm and http://c-apt-ure.blogspot.com/search/label/ponmocup The data in the CIF format is not equal to the Shadowserver CSV format. Reasons are unknown. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: http://security-research.dyndns.org/pub/malware-feeds/ponmocup-infected-domains-CIF-latest.txt rate_limit: 10800 name: Infected Domains provider: __PROVIDER__ parser: module: intelmq.bots.parsers.dyn.parser parameters: revision: 2018-01-20 documentation: http://security-research.dyndns.org/pub/malware-feeds/ public: yes Ponmocup Domains Shadowserver Format: description: List of ponmocup malware redirection domains and infected web-servers from cAPTure. See also http://security-research.dyndns.org/pub/botnet-links.htm and http://c-apt-ure.blogspot.com/search/label/ponmocup The data in the Shadowserver CSV is not equal to the CIF format format. Reasons are unknown. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: http://security-research.dyndns.org/pub/malware-feeds/ponmocup-infected-domains-shadowserver.csv rate_limit: 10800 name: Infected Domains provider: __PROVIDER__ parser: module: intelmq.bots.parsers.generic.parser_csv parameters: columns: - time.source - source.ip - source.fqdn - source.urlpath - source.port - protocol.application - extra.tag - extra.redirect_target - extra.category compose_fields: {"source.url": "http://{0}{1}"} skip_header: true delimiter: "," type: malware-distribution revision: 2020-07-08 documentation: http://security-research.dyndns.org/pub/malware-feeds/ public: yes DShield: Suspicious Domains: description: There are many suspicious domains on the internet. In an effort to identify them, as well as false positives, we have assembled weighted lists based on tracking and malware lists from different sources. ISC is collecting and categorizing various lists associated with a certain level of sensitivity. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://www.dshield.org/feeds/suspiciousdomains_High.txt rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.dshield.parser_domain parameters: revision: 2018-01-20 documentation: https://www.dshield.org/reports.html public: yes Block: description: This list summarizes the top 20 attacking class C (/24) subnets over the last three days. The number of 'attacks' indicates the number of targets reporting scans from this subnet. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://www.dshield.org/block.txt rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.dshield.parser_block parameters: revision: 2018-01-20 documentation: https://www.dshield.org/reports.html public: yes AS Details: description: No description provided by feed provider. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://dshield.org/asdetailsascii.html?as={{ AS Number }} rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.dshield.parser_asn parameters: revision: 2018-01-20 documentation: https://www.dshield.org/reports.html public: yes VXVault: URLs: description: This feed provides IP addresses hosting Malware. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: http://vxvault.net/URL_List.php rate_limit: 3600 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.vxvault.parser parameters: revision: 2018-01-20 documentation: http://vxvault.net/ViriList.php public: yes Shadowserver: Via IMAP: description: Shadowserver sends out a variety of reports (see https://www.shadowserver.org/wiki/pmwiki.php/Services/Reports). additional_information: The configuration retrieves the data from a e-mails via IMAP from the attachments. bots: collector: module: intelmq.bots.collectors.mail.collector_mail_attach parameters: mail_host: __HOST__ mail_password: __PASSWORD__ mail_ssl: true mail_user: __USERNAME__ attach_regex: csv.zip extract_files: true rate_limit: 86400 subject_regex: __REGEX__ folder: INBOX name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.shadowserver.parser parameters: revision: 2018-01-20 documentation: https://www.shadowserver.org/what-we-do/network-reporting/ public: no Via Request Tracker: description: Shadowserver sends out a variety of reports (see https://www.shadowserver.org/wiki/pmwiki.php/Services/Reports). additional_information: The configuration retrieves the data from a RT/RTIR ticketing instance via the attachment or an download. bots: collector: module: intelmq.bots.collectors.rt.collector_rt parameters: attachment_regex: \\.csv\\.zip$ extract_attachment: true extract_download: false http_password: "{{ your HTTP Authentication password or null }}" http_username: "{{ your HTTP Authentication username or null }}" password: __PASSWORD__ provider: __PROVIDER__ rate_limit: 3600 search_not_older_than: "{{ relative time or null }}" search_owner: nobody search_queue: Incident Reports search_requestor: autoreports@shadowserver.org search_status: new search_subject_like: \[__COUNTRY__\] Shadowserver __COUNTRY__ set_status: open take_ticket: true uri: http://localhost/rt/REST/1.0 url_regex: https://dl.shadowserver.org/[a-zA-Z0-9?_-]* user: __USERNAME__ parser: module: intelmq.bots.parsers.shadowserver.parser parameters: revision: 2018-01-20 documentation: https://www.shadowserver.org/what-we-do/network-reporting/ public: no Via API: description: Shadowserver sends out a variety of reports to subscribers, see documentation. additional_information: This configuration fetches user-configurable reports from the Shadowserver Reports API. For a list of reports, have a look at the Shadowserver collector and parser documentation. bots: collector: module: intelmq.bots.collectors.shadowserver.collector_reports_api parameters: country: api_key: secret: types: rate_limit: 86400 redis_cache_db: 12 redis_cache_host: 127.0.0.1 redis_cache_port: 6379 redis_cache_ttl: 864000 parser: module: intelmq.bots.parsers.shadowserver.parser_json parameters: revision: 2020-01-08 documentation: https://www.shadowserver.org/what-we-do/network-reporting/api-documentation/ public: no Fraunhofer: DGA Archive: description: Fraunhofer DGA collector fetches data from Fraunhofer's domain generation archive. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://dgarchive.caad.fkie.fraunhofer.de/today http_password: "{{ your password}}" http_username: "{{ your username}}" rate_limit: 10800 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.fraunhofer.parser_dga parameters: revision: 2018-01-20 documentation: https://dgarchive.caad.fkie.fraunhofer.de/welcome/ public: no MalwareURL: Latest malicious activity: description: Latest malicious domains/IPs. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://www.malwareurl.com/ rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.malwareurl.parser parameters: revision: 2018-02-05 documentation: https://www.malwareurl.com/ public: yes Microsoft: BingMURLs via Interflow: description: Collects Malicious URLs detected by Bing from the Interflow API. The feed is available via Microsoft’s Government Security Program (GSP). additional_information: Depending on the file sizes you may need to increase the parameter 'http_timeout_sec' of the collector. bots: collector: module: intelmq.bots.collectors.microsoft.collector_interflow parameters: api_key: "{{your API key}}" file_match: "^bingmurls_" not_older_than: "2 days" rate_limit: 3600 http_timeout_sec: 300 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.microsoft.parser_bingmurls parameters: revision: 2018-05-29 documentation: https://docs.microsoft.com/en-us/security/gsp/informationsharingandexchange public: no CTIP via Interflow: description: Collects the CTIP Infected feed (Sinkhole data for your country) files from the Interflow API.The feed is available via Microsoft’s Government Security Program (GSP). additional_information: Depending on the file sizes you may need to increase the parameter 'http_timeout_sec' of the collector. As many IPs occur very often in the data, you may want to use a deduplicator specifically for the feed. bots: collector: module: intelmq.bots.collectors.microsoft.collector_interflow parameters: api_key: "{{your API key}}" file_match: "^ctip_" not_older_than: "2 days" rate_limit: 3600 http_timeout_sec: 300 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.microsoft.parser_ctip parameters: revision: 2018-03-06 documentation: https://docs.microsoft.com/en-us/security/gsp/informationsharingandexchange public: no CTIP Infected via Azure: description: Collects the CTIP (Sinkhole data) from a shared Azure Storage. The feed is available via Microsoft’s Government Security Program (GSP). additional_information: The cache is needed for memorizing which files have already been processed, the TTL should be higher than the oldest file available in the storage (currently the last three days are available). The connection string contains endpoint as well as authentication information. bots: collector: module: intelmq.bots.collectors.microsoft.collector_azure parameters: connection_string: "{{your connection string}}" container_name: "ctip-infected-summary" name: __FEED__ provider: __PROVIDER__ rate_limit: 3600 redis_cache_db: 5 redis_cache_host: 127.0.0.1 redis_cache_port: 6379 redis_cache_ttl: 864000 parser: module: intelmq.bots.parsers.microsoft.parser_ctip parameters: revision: 2020-05-29 documentation: https://docs.microsoft.com/en-us/security/gsp/informationsharingandexchange public: no CTIP C2 via Azure: description: Collects the CTIP C2 feed from a shared Azure Storage. The feed is available via Microsoft’s Government Security Program (GSP). additional_information: The cache is needed for memorizing which files have already been processed, the TTL should be higher than the oldest file available in the storage (currently the last three days are available). The connection string contains endpoint as well as authentication information. bots: collector: module: intelmq.bots.collectors.microsoft.collector_azure parameters: connection_string: "{{your connection string}}" container_name: "ctip-c2" name: __FEED__ provider: __PROVIDER__ rate_limit: 3600 redis_cache_db: 5 redis_cache_host: 127.0.0.1 redis_cache_port: 6379 redis_cache_ttl: 864000 parser: module: intelmq.bots.parsers.microsoft.parser_ctip parameters: revision: 2020-05-29 documentation: https://docs.microsoft.com/en-us/security/gsp/informationsharingandexchange public: no Threatminer: Recent domains: description: Latest malicious domains. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://www.threatminer.org/ rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.threatminer.parser parameters: revision: 2018-02-06 documentation: https://www.threatminer.org/ public: yes Calidog: CertStream: description: HTTP Websocket Stream from certstream.calidog.io providing data from Certificate Transparency Logs. additional_information: Be aware that this feed provides a lot of data and may overload your system quickly. bots: collector: module: intelmq.bots.collectors.calidog.collector_certstream parameters: name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.calidog.parser_certstream parameters: revision: 2018-06-15 documentation: https://medium.com/cali-dog-security/introducing-certstream-3fc13bb98067 public: yes McAfee Advanced Threat Defense: Sandbox Reports: description: Processes reports from McAfee's sandboxing solution via the openDXL API. additional_information: bots: collector: module: intelmq.bots.collectors.opendxl.collector parameters: dxl_config_file: "{{location of dxl configuration file}}" dxl_topic: "/mcafee/event/atd/file/report" parser: module: intelmq.bots.parsers.mcafee.parser_atd parameters: verdict_severity: 4 revision: 2018-07-05 documentation: https://www.mcafee.com/enterprise/en-us/products/advanced-threat-defense.html public: no CyberCrime Tracker: Latest: description: C2 servers additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://cybercrime-tracker.net/index.php rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.html_table.parser parameters: columns: ["time.source", "source.url", "source.ip", "malware.name", "__IGNORE__"] skip_table_head: true default_url_protocol: http:// type: c2server revision: 2019-03-19 documentation: https://cybercrime-tracker.net/index.php public: yes PrecisionSec: Agent Tesla: description: Agent Tesla IoCs, URLs where the malware is hosted. additional_information: bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://precisionsec.com/threat-intelligence-feeds/agent-tesla/ rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.html_table.parser parameters: columns: ["source.ip|source.url", "time.source"] skip_table_head: true default_url_protocol: http:// type: malware revision: 2019-04-02 documentation: https://precisionsec.com/threat-intelligence-feeds/agent-tesla/ public: yes Have I Been Pwned: Enterprise Callback: description: With the Enterprise Subscription of 'Have I Been Pwned' you are able to provide a callback URL and any new leak data is submitted to it. It is recommended to put a webserver with Authorization check, TLS etc. in front of the API collector. additional_information: | "A minimal nginx configuration could look like: ``` server { listen 443 ssl http2; server_name [your host name]; client_max_body_size 50M; ssl_certificate [path to your key]; ssl_certificate_key [path to your certificate]; location /[your private url] { if ($http_authorization != '[your private password]') { return 403; } proxy_pass http://localhost:5001/intelmq/push; proxy_read_timeout 30; proxy_connect_timeout 30; } } ``` " bots: collector: module: intelmq.bots.collectors.api.collector_api parameters: port: 5001 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.hibp.parser_callback parameters: revision: 2019-09-11 documentation: https://haveibeenpwned.com/EnterpriseSubscriber/ public: no Strangereal Intel: DailyIOC: description: Daily IOC from tweets and articles additional_information: | collector's `extra_fields` parameter may be any of fields from the github `content API response `_ bots: collector: module: intelmq.bots.collectors.github_api.collector_github_contents_api parameters: basic_auth_username: USERNAME basic_auth_password: PASSWORD repository: StrangerealIntel/DailyIOC regex: .*.json parser: module: intelmq.bots.parsers.github_feed parameters: revision: 2019-12-05 documentation: https://github.com/StrangerealIntel/DailyIOC public: yes CZ.NIC: HaaS: description: SSH attackers against HaaS (Honeypot as a Service) provided by CZ.NIC, z.s.p.o. The dump is published once a day. bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: extract_files: true http_url: https://haas.nic.cz/stats/export/{time[%Y/%m/%Y-%m-%d]}.json.gz http_url_formatting: days: -1 rate_limit: 86400 parser: module: intelmq.bots.parsers.cznic.parser_haas parameters: revision: 2020-07-22 documentation: https://haas.nic.cz/ public: yes Proki: description: Aggregation of various sources on malicious IP addresses (malware spreaders or C&C servers). bots: collector: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://proki.csirt.cz/api/1/__APIKEY__/data/day/{time[%Y/%m/%d]} http_url_formatting: days: -1 rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.cznic.parser_proki parameters: revision: 2020-08-17 documentation: https://csirt.cz/en/proki/ public: no ESET: ETI Domains: description: Domain data from ESET's TAXII API. additional_information: bots: collector: module: intelmq.bots.collectors.eset.collector parameters: username: password: endpoint: eti.eset.com time_delta: 3600 collection: ei.domains v2 (json) parser: module: intelmq.bots.parsers.eset.parser parameters: revision: 2020-06-30 documentation: https://www.eset.com/int/business/services/threat-intelligence/ public: no ETI URLs: description: URL data from ESET's TAXII API. additional_information: bots: collector: module: intelmq.bots.collectors.eset.collector parameters: username: password: endpoint: eti.eset.com time_delta: 3600 collection: ei.urls (json) parser: module: intelmq.bots.parsers.eset.parser parameters: revision: 2020-06-30 documentation: https://www.eset.com/int/business/services/threat-intelligence/ public: no Shodan: Country Stream: description: Collects the Shodan stream for one or multiple countries from the Shodan API. additional_information: A Shodan account with streaming permissions is needed. bots: collector: module: intelmq.bots.collectors.shodan.collector_stream parameters: api_key: countries: error_retry_delay: 0 name: __FEED__ provider: __PROVIDER__ parser: module: intelmq.bots.parsers.shodan.parser parameters: ignore_errors: false error_retry_delay: 0 minimal_mode: false revision: 2021-03-22 documentation: https://developer.shodan.io/api/stream public: no