intelmq-docker/example_config/intelmq/etc/feeds.yaml
Sebastian Waldbauer 1cf11ba674 MAINT: IntelMQ 2.3.1 REL configs
Signed-off-by: Sebastian Waldbauer <waldbauer@cert.at>
2021-04-27 10:15:40 +02:00

---
providers:
ViriBack:
Unsafe sites:
description: Latest detected unsafe sites.
additional_information: You need to install the lxml library in order to parse this feed.
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: http://tracker.viriback.com/
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.html_table.parser
parameters:
columns: ["malware.name", "source.url", "source.ip", "time.source"]
type: malware
time_format: from_format_midnight|%d-%m-%Y
html_parser: lxml
revision: 2018-06-27
documentation: https://viriback.com/
public: yes
WebInspektor:
Unsafe sites:
description: Latest detected unsafe sites.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://app.webinspector.com/public/recent_detections/
rate_limit: 60
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.webinspektor.parser
parameters:
revision: 2018-03-09
documentation:
public: yes
Sucuri:
Hidden IFrames:
description: Latest hidden iframes identified on compromised web sites.
additional_information: Please note that the parser only extracts the hidden iframes and the conditional redirects, not the encoded javascript.
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: http://labs.sucuri.net/?malware
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.sucuri.parser
parameters:
revision: 2018-01-28
documentation: http://labs.sucuri.net/?malware
public: yes
Surbl:
Malicious Domains:
description: Detected malicious domains. Note that you have to opened up Sponsored Datafeed Service (SDS) access to the SURBL data via rsync for your IP address.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.rsync.collector_rsync
parameters:
file: wild.surbl.org.rbldnsd
rsync_path: blacksync.prolocation.net::surbl-wild/
parser:
module: intelmq.bots.parsers.surbl.parser
parameters:
revision: 2018-09-04
documentation:
public: no
MalwarePatrol:
DansGuardian:
description: Malware block list with URLs
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://lists.malwarepatrol.net/cgi/getfile?receipt={{ your API key }}&product=8&list=dansguardian
rate_limit: 180000
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.malwarepatrol.parser_dansguardian
parameters:
revision: 2018-01-20
documentation: https://www.malwarepatrol.net/non-commercial/
public: no
Malware Domains:
Malicious:
description: Malware Prevention through Domain Blocking (Black Hole DNS Sinkhole)
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: http://mirror1.malwaredomains.com/files/domains.txt
rate_limit: 172800
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.malwaredomains.parser
parameters:
revision: 2018-01-20
documentation: http://www.malwaredomains.com/
public: yes
ZoneH:
Defacements:
description: all the information contained in Zone-H's cybercrime archive were
either collected online from public sources or directly notified anonymously
to us.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.mail.collector_mail_attach
parameters:
mail_host: __HOST__
mail_password: __PASSWORD__
mail_ssl: true
mail_user: __USERNAME__
sent_from: datazh@zone-h.org
folder: INBOX
subject_regex: Report
extract_files: false
attach_regex: csv
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.zoneh.parser
parameters:
revision: 2018-01-20
documentation: https://zone-h.org/
public: no
OpenPhish:
Public feed:
description: OpenPhish is a fully automated self-contained platform for phishing
intelligence. It identifies phishing sites and performs intelligence analysis
in real time without human intervention and without using any external resources,
such as blacklists.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://www.openphish.com/feed.txt
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.openphish.parser
parameters:
revision: 2018-01-20
documentation: https://www.openphish.com/
public: yes
Premium Feed:
description: OpenPhish is a fully automated self-contained platform for phishing
intelligence. It identifies phishing sites and performs intelligence analysis
in real time without human intervention and without using any external resources,
such as blacklists.
additional_information: Discounts available for Government and National CERTs a well as for Nonprofit and Not-for-Profit organizations.
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://openphish.com/prvt-intell/
http_password: "{{ your password}}"
http_username: "{{ your username}}"
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.openphish.parser_commercial
parameters:
revision: 2018-02-06
documentation: https://www.openphish.com/phishing_feeds.html
public: no
Netlab 360:
Mirai Scanner:
description: 'This feed provides IP addresses which actively scan for vulnerable
IoT devices and install Mirai Botnet.'
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: http://data.netlab.360.com/feeds/mirai-scanner/scanner.list
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.netlab_360.parser
parameters:
revision: 2018-01-20
documentation: http://data.netlab.360.com/mirai-scanner/
public: yes
Magnitude EK:
description: 'This feed lists FQDN and possibly the URL used by Magnitude Exploit
Kit. Information also includes the IP address used for the domain and last
time seen.'
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: http://data.netlab.360.com/feeds/ek/magnitude.txt
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.netlab_360.parser
parameters:
revision: 2018-01-20
documentation: http://data.netlab.360.com/ek
public: yes
DGA:
description: 'This feed lists DGA family, Domain, Start and end of valid time(UTC)
of a number of DGA families.'
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: http://data.netlab.360.com/feeds/dga/dga.txt
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.netlab_360.parser
parameters:
revision: 2018-01-20
documentation: http://data.netlab.360.com/dga
public: yes
Hajime Scanner:
description: 'This feed lists IP address for know Hajime bots network. These IPs data are obtained by joining the DHT network and interacting with the Hajime node'
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://data.netlab.360.com/feeds/hajime-scanner/bot.list
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.netlab_360.parser
parameters:
revision: 2019-08-01
documentation: https://data.netlab.360.com/hajime/
public: yes
Abuse.ch:
Feodo Tracker IPs:
description: 'List of botnet Command&Control servers (C&Cs) tracked by Feodo Tracker,
associated with Dridex and Emotet (aka Heodo).'
additional_information: https://feodotracker.abuse.ch/
The data in the column Last Online is used for `time.source` if available, with 00:00 as time. Otherwise first seen is used as `time.source`.
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://feodotracker.abuse.ch/downloads/ipblocklist.csv
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.abusech.parser_ip
parameters:
revision: 2019-03-25
documentation: https://feodotracker.abuse.ch/
public: yes
URLhaus:
description: URLhaus is a project from abuse.ch with the goal of sharing malicious
URLs that are being used for malware distribution. URLhaus offers a country, ASN
(AS number) and Top Level Domain (TLD) feed for network operators / Internet Service
Providers (ISPs), Computer Emergency Response Teams (CERTs) and domain registries.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://urlhaus.abuse.ch/feeds/tld/<TLD>/,
https://urlhaus.abuse.ch/feeds/country/<CC>/, or
https://urlhaus.abuse.ch/feeds/asn/<ASN>/
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.generic.parser_csv
parameters:
skip_header: false
default_url_protocol: http://
type_translation: '{"malware_download": "malware-distribution"}'
delimiter: ","
columns:
- time.source
- source.url
- status
- classification.type|__IGNORE__
- source.fqdn|__IGNORE__
- source.ip
- source.asn
- source.geolocation.cc
revision: 2020-07-07
documentation: https://urlhaus.abuse.ch/feeds/
public: yes
Feodo Tracker Browse:
description: ''
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://feodotracker.abuse.ch/browse
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.html_table.parser
parameters:
columns: "time.source,source.ip,malware.name,status,extra.SBL,source.as_name,source.geolocation.cc"
ignore_values: ",,,,Not listed,,"
skip_table_head: True
type: c2server
revision: 2019-03-19
documentation: https://feodotracker.abuse.ch/browse
public: yes
Blueliv:
CrimeServer:
description: Blueliv Crimeserver Collector is the bot responsible to get the
report through the API.
additional_information:
The service uses a different API for free users and paying subscribers. In 'CrimeServer'
feed the difference lies in the data points present in the feed. The non-free API
available from Blueliv contains, for this specific feed, following extra fields not
present in the free API;
"_id" - Internal unique ID
"subType" - Subtype of the Crime Server
"countryName" - Country name where the Crime Server is located, in English
"city" - City where the Crime Server is located
"domain" - Domain of the Crime Server
"host" - Host of the Crime Server
"createdAt" - Date when the Crime Server was added to Blueliv CrimeServer database
"asnCidr" - Range of IPs that belong to an ISP (registered via Autonomous System Number (ASN))
"asnId" - Identifier of an ISP registered via ASN
"asnDesc" Description of the ISP registered via ASN
bots:
collector:
module: intelmq.bots.collectors.blueliv.collector_crimeserver
parameters:
rate_limit: 3600
api_key: __APIKEY__
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.blueliv.parser_crimeserver
parameters:
revision: 2018-01-20
documentation: https://www.blueliv.com/
public: no
Team Cymru:
CAP:
description: Team Cymru provides daily lists of compromised or abused devices
for the ASNs and/or netblocks with a CSIRT's jurisdiction. This includes such
information as bot infected hosts, command and control systems, open resolvers,
malware urls, phishing urls, and brute force attacks
additional_information: |
"Two feeds types are offered:
* The new https://www.cymru.com/$certname/$certname_{time[%Y%m%d]}.txt
* and the old https://www.cymru.com/$certname/infected_{time[%Y%m%d]}.txt
Both formats are supported by the parser and the new one is recommended.
As of 2019-09-12 the old format will be retired soon."
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_password: "{{your password}}"
http_url_formatting: true
http_url: https://www.cymru.com/$certname/$certname_{time[%Y%m%d]}.txt
http_username: "{{your login}}"
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.cymru.parser_cap_program
parameters:
revision: 2018-01-20
documentation: https://www.team-cymru.com/CSIRT-AP.html https://www.cymru.com/$certname/report_info.txt
public: no
Full Bogons IPv4:
description: Fullbogons are a larger set which also includes IP space that has
been allocated to an RIR, but not assigned by that RIR to an actual ISP or
other end-user. IANA maintains a convenient IPv4 summary page listing allocated
and reserved netblocks, and each RIR maintains a list of all prefixes that
they have assigned to end-users. Our bogon reference pages include additional
links and resources to assist those who wish to properly filter bogon prefixes
within their networks.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.cymru.parser_full_bogons
parameters:
revision: 2018-01-20
documentation: https://www.team-cymru.com/bogon-reference-http.html
public: yes
Full Bogons IPv6:
description: Fullbogons are a larger set which also includes IP space that has
been allocated to an RIR, but not assigned by that RIR to an actual ISP or
other end-user. IANA maintains a convenient IPv4 summary page listing allocated
and reserved netblocks, and each RIR maintains a list of all prefixes that
they have assigned to end-users. Our bogon reference pages include additional
links and resources to assist those who wish to properly filter bogon prefixes
within their networks.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.cymru.parser_full_bogons
parameters:
revision: 2018-01-20
documentation: https://www.team-cymru.com/bogon-reference-http.html
public: yes
Taichung:
Netflow Recent:
description: "Abnormal flows detected: Attacking (DoS, Brute-Force, Scanners) and malicious hosts (C&C servers, hosting malware)"
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://www.tc.edu.tw/net/netflow/lkout/recent/
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.taichung.parser
revision: 2018-01-20
documentation: https://www.tc.edu.tw/net/netflow/lkout/recent/
public: yes
Dataplane:
SSH Client Connection:
description: Entries below consist of fields with identifying characteristics
of a source IP address that has been seen initiating an SSH connection to
a remote host. This report lists hosts that are suspicious of more than just
port scanning. The hosts may be SSH server cataloging or conducting authentication
attack attempts. Report is updated hourly.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: http://dataplane.org/sshclient.txt
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.dataplane.parser
parameters:
revision: 2018-01-20
documentation: http://dataplane.org/
public: yes
SSH Password Authentication:
description: Entries below consist of fields with identifying characteristics
of a source IP address that has been seen attempting to remotely login to
a host using SSH password authentication. The report lists hosts that are
highly suspicious and are likely conducting malicious SSH password authentication
attacks. Report is updated hourly.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: http://dataplane.org/sshpwauth.txt
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.dataplane.parser
parameters:
revision: 2018-01-20
documentation: http://dataplane.org/
public: yes
SIP Query:
description: Entries consist of fields with identifying characteristics of a
source IP address that has been seen initiating a SIP OPTIONS query to a remote
host. This report lists hosts that are suspicious of more than just port scanning.
The hosts may be SIP server cataloging or conducting various forms of telephony
abuse. Report is updated hourly.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: http://dataplane.org/sipquery.txt
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.dataplane.parser
parameters:
revision: 2018-01-20
documentation: http://dataplane.org/
public: yes
SIP Registration:
description: Entries consist of fields with identifying characteristics of a
source IP address that has been seen initiating a SIP REGISTER operation to
a remote host. This report lists hosts that are suspicious of more than just
port scanning. The hosts may be SIP client cataloging or conducting various
forms of telephony abuse. Report is updated hourly.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: http://dataplane.org/sipregistration.txt
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.dataplane.parser
parameters:
revision: 2018-01-20
documentation: http://dataplane.org/
public: yes
Turris:
Greylist:
description: The data are processed and classified every week and behaviour of
IP addresses that accessed a larger number of Turris routers is evaluated.
The result is a list of addresses that have tried to obtain information about
services on the router or tried to gain access to them. The list also
contains a list of tags for each address which
indicate what behaviour of the address was observed.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://www.turris.cz/greylist-data/greylist-latest.csv
rate_limit: 43200
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.turris.parser
parameters:
revision: 2018-01-20
documentation: https://project.turris.cz/en/greylist
public: yes
Greylist with PGP signature verification:
description: |
The data are processed and classified every week and behaviour of
IP addresses that accessed a larger number of Turris routers is evaluated.
The result is a list of addresses that have tried to obtain information about
services on the router or tried to gain access to them. The list also
contains a list of tags for each address which
indicate what behaviour of the address was observed.
The Turris Greylist feed provides PGP signatures for the provided files.
You will need to import the public PGP key from the linked documentation
page, currently available at
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x10876666
or from below.
See the URL Fetcher Collector documentation for more information on
PGP signature verification.
PGP Public key:
```
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.6
Comment: Hostname: pgp.mit.edu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=wjkM
-----END PGP PUBLIC KEY BLOCK-----
```
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://www.turris.cz/greylist-data/greylist-latest.csv
name: Greylist
provider: __PROVIDER__
rate_limit: 43200
signature_url: https://www.turris.cz/greylist-data/greylist-latest.csv.asc
verify_pgp_signatures: false
parser:
module: intelmq.bots.parsers.turris.parser
parameters:
revision: 2018-01-20
documentation: https://project.turris.cz/en/greylist
public: yes
Malc0de:
Bind Format:
description: This feed includes FQDN's of malicious hosts, the file format is
in Bind file format.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://malc0de.com/bl/ZONES
rate_limit: 10800
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.malc0de.parser
parameters:
revision: 2018-01-20
documentation: http://malc0de.com/dashboard/
public: yes
Windows Format:
description: This feed includes FQDN's of malicious hosts, the file format is
in Windows Hosts file format.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://malc0de.com/bl/BOOT
rate_limit: 10800
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.malc0de.parser
parameters:
revision: 2018-01-20
documentation: http://malc0de.com/dashboard/
public: yes
IP Blacklist:
description: This feed includes IP Addresses of malicious hosts.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://malc0de.com/bl/IP_Blacklist.txt
rate_limit: 10800
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.malc0de.parser
parameters:
revision: 2018-01-20
documentation: http://malc0de.com/dashboard/
public: yes
University of Toulouse:
Blacklist:
description: Various blacklist feeds
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://dsi.ut-capitole.fr/blacklists/download/{collection name}.tar.gz
extract_files: 'true'
rate_limit: 43200
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.generic.parser_csv
parameters:
type: "{depends on a collection}"
delimiter: 'false'
columns: "{depends on a collection}"
revision: 2018-01-20
documentation: https://dsi.ut-capitole.fr/blacklists/
public: yes
Autoshun:
Shunlist:
description: You need to register in order to use the list.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://www.autoshun.org/download/?api_key=__APIKEY__&format=html
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.autoshun.parser
parameters:
revision: 2018-01-20
documentation: https://www.autoshun.org/
public: no
Danger Rulez:
Bruteforce Blocker:
description: Its main purpose is to block SSH bruteforce attacks via firewall.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: http://danger.rulez.sk/projects/bruteforceblocker/blist.php
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.danger_rulez.parser
parameters:
revision: 2018-01-20
documentation: http://danger.rulez.sk/index.php/bruteforceblocker/
public: yes
Spamhaus:
Drop:
description: The DROP list will not include any IP address space under the control
of any legitimate network - even if being used by "the spammers from hell".
DROP will only include netblocks allocated directly by an established Regional
Internet Registry (RIR) or National Internet Registry (NIR) such as ARIN,
RIPE, AFRINIC, APNIC, LACNIC or KRNIC or direct RIR allocations.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://www.spamhaus.org/drop/drop.txt
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.spamhaus.parser_drop
parameters:
revision: 2018-01-20
documentation: https://www.spamhaus.org/drop/
public: yes
ASN Drop:
description: ASN-DROP contains a list of Autonomous System Numbers controlled
by spammers or cyber criminals, as well as "hijacked" ASNs. ASN-DROP can be
used to filter BGP routes which are being used for malicious purposes.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://www.spamhaus.org/drop/asndrop.txt
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.spamhaus.parser_drop
parameters:
revision: 2018-01-20
documentation: https://www.spamhaus.org/drop/
public: yes
Dropv6:
description: The DROPv6 list includes IPv6 ranges allocated to spammers or cyber
criminals. DROPv6 will only include IPv6 netblocks allocated directly by an
established Regional Internet Registry (RIR) or National Internet Registry
(NIR) such as ARIN, RIPE, AFRINIC, APNIC, LACNIC or KRNIC or direct RIR allocations.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://www.spamhaus.org/drop/dropv6.txt
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.spamhaus.parser_drop
parameters:
revision: 2018-01-20
documentation: https://www.spamhaus.org/drop/
public: yes
CERT:
description: Spamhaus CERT Insight Portal. Access limited to CERTs and CSIRTs
with national or regional responsibility.
.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: "{{ your CERT portal URL }}"
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.spamhaus.parser_cert
parameters:
revision: 2018-01-20
documentation: https://www.spamhaus.org/news/article/705/spamhaus-launches-cert-insight-portal
public: no
EDrop:
description: EDROP is an extension of the DROP list that includes sub-allocated
netblocks controlled by spammers or cyber criminals. EDROP is meant to be
used in addition to the direct allocations on the DROP list.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://www.spamhaus.org/drop/edrop.txt
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.spamhaus.parser_drop
parameters:
revision: 2018-01-20
documentation: https://www.spamhaus.org/drop/
public: yes
PhishTank:
Online:
description: PhishTank is a collaborative clearing house for data and information
about phishing on the Internet.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://data.phishtank.com/data/{{ your API key }}/online-valid.csv
rate_limit: 28800
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.phishtank.parser
parameters:
revision: 2018-01-20
documentation: https://www.phishtank.com/developer_info.php
public: no
CINSscore:
Army List:
description: 'The CINS Army list is a subset of the CINS Active Threat Intelligence
ruleset, and consists of IP addresses that meet one of two basic criteria:
1) The IP''s recent Rogue Packet score factor is very poor, or 2) The IP has
tripped a designated number of ''trusted'' alerts across a given number of
our Sentinels deployed around the world.'
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: http://cinsscore.com/list/ci-badguys.txt
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.ci_army.parser
parameters:
revision: 2018-01-20
documentation: https://cinsscore.com/#list
public: yes
Blocklist.de:
IRC Bots:
description: No description provided by feed provider.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://lists.blocklist.de/lists/ircbot.txt
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.blocklistde.parser
parameters:
revision: 2018-01-20
documentation: http://www.blocklist.de/en/export.html
public: yes
Strong IPs:
description: Blocklist.DE Strong IPs Collector is the bot responsible to get
the report from source of information. All IPs which are older then 2 month
and have more then 5.000 attacks.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://lists.blocklist.de/lists/strongips.txt
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.blocklistde.parser
parameters:
revision: 2018-01-20
documentation: http://www.blocklist.de/en/export.html
public: yes
Mail:
description: Blocklist.DE Mail Collector is the bot responsible to get the report
from source of information. All IP addresses which have been reported within
the last 48 hours as having run attacks on the service Mail, Postfix.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://lists.blocklist.de/lists/mail.txt
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.blocklistde.parser
parameters:
revision: 2018-01-20
documentation: http://www.blocklist.de/en/export.html
public: yes
Apache:
description: Blocklist.DE Apache Collector is the bot responsible to get the
report from source of information. All IP addresses which have been reported
within the last 48 hours as having run attacks on the service Apache, Apache-DDOS,
RFI-Attacks.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://lists.blocklist.de/lists/apache.txt
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.blocklistde.parser
parameters:
revision: 2018-01-20
documentation: http://www.blocklist.de/en/export.html
public: yes
FTP:
description: Blocklist.DE FTP Collector is the bot responsible to get the report
from source of information. All IP addresses which have been reported within
the last 48 hours for attacks on the Service FTP.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://lists.blocklist.de/lists/ftp.txt
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.blocklistde.parser
parameters:
revision: 2018-01-20
documentation: http://www.blocklist.de/en/export.html
public: yes
SSH:
description: Blocklist.DE SSH Collector is the bot responsible to get the report
from source of information. All IP addresses which have been reported within
the last 48 hours as having run attacks on the service SSH.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://lists.blocklist.de/lists/ssh.txt
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.blocklistde.parser
parameters:
revision: 2018-01-20
documentation: http://www.blocklist.de/en/export.html
public: yes
Brute-force Logins:
description: Blocklist.DE Brute-force Login Collector is the bot responsible
to get the report from source of information. All IPs which attacks Joomlas,
Wordpress and other Web-Logins with Brute-Force Logins.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://lists.blocklist.de/lists/bruteforcelogin.txt
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.blocklistde.parser
parameters:
revision: 2018-01-20
documentation: http://www.blocklist.de/en/export.html
public: yes
Bots:
description: Blocklist.DE Bots Collector is the bot responsible to get the report
from source of information. All IP addresses which have been reported within
the last 48 hours as having run attacks attacks on the RFI-Attacks, REG-Bots,
IRC-Bots or BadBots (BadBots = he has posted a Spam-Comment on a open Forum
or Wiki).
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://lists.blocklist.de/lists/bots.txt
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.blocklistde.parser
parameters:
revision: 2018-01-20
documentation: http://www.blocklist.de/en/export.html
public: yes
IMAP:
description: Blocklist.DE IMAP Collector is the bot responsible for getting the report
from the source of information. All IP addresses which have been reported within
the last 48 hours for attacks on services like IMAP, SASL, POP3, etc.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://lists.blocklist.de/lists/imap.txt
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.blocklistde.parser
parameters:
revision: 2018-01-20
documentation: http://www.blocklist.de/en/export.html
public: yes
SIP:
description: Blocklist.DE SIP Collector is the bot responsible for getting the report
from the source of information. All IP addresses that tried to log in to a SIP,
VoIP or Asterisk server and are included in the IP list from http://www.infiltrated.net/
(Twitter).
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://lists.blocklist.de/lists/sip.txt
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.blocklistde.parser
parameters:
revision: 2018-01-20
documentation: http://www.blocklist.de/en/export.html
public: yes
CERT-Bund:
CB-Report Malware infections via IMAP:
description: CERT-Bund sends reports on malware-infected hosts.
additional_information: Traffic from malware-related hosts contacting
command-and-control servers is caught and sent to national CERT teams.
There are two e-mail feeds with identical CSV structure -- one reports on
general malware infections, the other on the Avalanche botnet.
bots:
collector:
module: intelmq.bots.collectors.mail.collector_mail_attach
parameters:
mail_host: __HOST__
mail_password: __PASSWORD__
mail_ssl: true
mail_user: __USERNAME__
attach_regex: events.csv
extract_files: false
rate_limit: 86400
subject_regex: ^\[CB-Report#.* Malware infections (\(Avalanche\) )?in country
folder: INBOX
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.generic.parser_csv
parameters:
skip_header: true
default_url_protocol: http://
time_format: from_format|%Y-%m-%d %H:%M:%S
delimiter: ","
columns:
- source.asn
- source.ip
- time.source
- classification.type
- malware.name
- source.port
- destination.ip
- destination.port
- destination.fqdn
- protocol.transport
type: infected-system
revision: 2020-08-20
documentation:
public: no
CERT.PL:
N6 Stomp Stream:
description: CERT.pl's N6 feed via the STOMP interface.
Note that rate_limit does not apply to this bot as it waits for messages
on a stream.
additional_information: Contact cert.pl to get access to the feed.
bots:
collector:
module: intelmq.bots.collectors.stomp.collector
parameters:
exchange: "{insert your exchange point as given by CERT.pl}"
ssl_client_certificate_key: "{insert path to client cert key file for
CERT.pl's n6}"
ssl_ca_certificate: "{insert path to CA file for CERT.pl's n6}"
port: '61614'
ssl_client_certificate: "{insert path to client cert file for CERT.pl's
n6}"
server: n6stream.cert.pl
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.n6.parser_n6stomp
parameters:
revision: 2018-01-20
documentation: https://n6.cert.pl/en/
public: no
AlienVault:
OTX:
description: AlienVault OTX Collector is the bot responsible for getting the report
through the API. Reports may vary according to your subscriptions.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.alienvault_otx.collector
parameters:
api_key: "{{ your API key }}"
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.alienvault.parser_otx
parameters:
revision: 2018-01-20
documentation: https://otx.alienvault.com/
public: no
Reputation List:
description: List of malicious IPs.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://reputation.alienvault.com/reputation.data
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.alienvault.parser
parameters:
revision: 2018-01-20
documentation:
public: yes
CleanMX:
Virus:
description: In order to download the CleanMX feed you need to use a custom
user agent and register that user agent.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: http://support.clean-mx.de/clean-mx/xmlviruses?response=alive&domain=
http_timeout_sec: 120
http_user_agent: "{{ your user agent }}"
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.cleanmx.parser
parameters:
revision: 2018-01-20
documentation: http://clean-mx.de/
public: no
Phishing:
description: In order to download the CleanMX feed you need to use a custom
user agent and register that user agent.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: http://support.clean-mx.de/clean-mx/xmlphishing?response=alive&domain=
http_timeout_sec: 120
http_user_agent: "{{ your user agent }}"
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.cleanmx.parser
parameters:
revision: 2018-01-20
documentation: http://clean-mx.de/
public: no
AnubisNetworks:
Cyberfeed Stream:
description: Fetches and parses the Cyberfeed data stream.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http_stream
parameters:
http_url: https://prod.cyberfeed.net/stream?key={{ your API key }}
strip_lines: 'true'
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.anubisnetworks.parser
parameters:
use_malware_familiy_as_classification_identifier: true
revision: 2020-06-15
documentation: https://www.anubisnetworks.com/ https://www.bitsight.com/
public: no
Bambenek:
C2 Domains:
description: 'Master feed of known, active and non-sinkholed C&C domain
names. Requires access credentials.'
additional_information: 'License: https://osint.bambenekconsulting.com/license.txt'
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://faf.bambenekconsulting.com/feeds/c2-dommasterlist.txt
http_username: __USERNAME__
http_password: __PASSWORD__
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.bambenek.parser
parameters:
revision: 2018-01-20
documentation: https://osint.bambenekconsulting.com/feeds/
public: no
C2 IPs:
description: 'Master feed of known, active and non-sinkholed C&C IP addresses.
Requires access credentials.'
additional_information: 'License: https://osint.bambenekconsulting.com/license.txt'
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://faf.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
http_username: __USERNAME__
http_password: __PASSWORD__
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.bambenek.parser
parameters:
revision: 2018-01-20
documentation: https://osint.bambenekconsulting.com/feeds/
public: no
DGA Domains:
description: Domain feed of known DGA domains from -2 to +3 days
additional_information: 'License: https://osint.bambenekconsulting.com/license.txt'
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://faf.bambenekconsulting.com/feeds/dga-feed.txt
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.bambenek.parser
parameters:
revision: 2018-01-20
documentation: https://osint.bambenekconsulting.com/feeds/
public: yes
cAPTure:
Ponmocup Domains CIF Format:
description: List of ponmocup malware redirection domains and infected web servers from cAPTure.
See also http://security-research.dyndns.org/pub/botnet-links.htm
and http://c-apt-ure.blogspot.com/search/label/ponmocup
The data in the CIF format is not equal to the Shadowserver CSV format. The reasons are unknown.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: http://security-research.dyndns.org/pub/malware-feeds/ponmocup-infected-domains-CIF-latest.txt
rate_limit: 10800
name: Infected Domains
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.dyn.parser
parameters:
revision: 2018-01-20
documentation: http://security-research.dyndns.org/pub/malware-feeds/
public: yes
Ponmocup Domains Shadowserver Format:
description: List of ponmocup malware redirection domains and infected web servers from cAPTure.
See also http://security-research.dyndns.org/pub/botnet-links.htm
and http://c-apt-ure.blogspot.com/search/label/ponmocup
The data in the Shadowserver CSV format is not equal to the CIF format. The reasons are unknown.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: http://security-research.dyndns.org/pub/malware-feeds/ponmocup-infected-domains-shadowserver.csv
rate_limit: 10800
name: Infected Domains
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.generic.parser_csv
parameters:
columns:
- time.source
- source.ip
- source.fqdn
- source.urlpath
- source.port
- protocol.application
- extra.tag
- extra.redirect_target
- extra.category
compose_fields: {"source.url": "http://{0}{1}"}
skip_header: true
delimiter: ","
type: malware-distribution
revision: 2020-07-08
documentation: http://security-research.dyndns.org/pub/malware-feeds/
public: yes
DShield:
Suspicious Domains:
description: There are many suspicious domains on the internet. In an effort
to identify them, as well as false positives, we have assembled weighted lists
based on tracking and malware lists from different sources. ISC is collecting
and categorizing various lists associated with a certain level of sensitivity.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://www.dshield.org/feeds/suspiciousdomains_High.txt
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.dshield.parser_domain
parameters:
revision: 2018-01-20
documentation: https://www.dshield.org/reports.html
public: yes
Block:
description: This list summarizes the top 20 attacking class C (/24) subnets
over the last three days. The number of 'attacks' indicates the number of
targets reporting scans from this subnet.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://www.dshield.org/block.txt
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.dshield.parser_block
parameters:
revision: 2018-01-20
documentation: https://www.dshield.org/reports.html
public: yes
AS Details:
description: No description provided by feed provider.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://dshield.org/asdetailsascii.html?as={{ AS Number }}
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.dshield.parser_asn
parameters:
revision: 2018-01-20
documentation: https://www.dshield.org/reports.html
public: yes
VXVault:
URLs:
description: This feed provides IP addresses hosting malware.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: http://vxvault.net/URL_List.php
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.vxvault.parser
parameters:
revision: 2018-01-20
documentation: http://vxvault.net/ViriList.php
public: yes
Shadowserver:
Via IMAP:
description: Shadowserver sends out a variety of reports (see https://www.shadowserver.org/wiki/pmwiki.php/Services/Reports).
additional_information: The configuration retrieves the data from e-mail attachments via IMAP.
bots:
collector:
module: intelmq.bots.collectors.mail.collector_mail_attach
parameters:
mail_host: __HOST__
mail_password: __PASSWORD__
mail_ssl: true
mail_user: __USERNAME__
attach_regex: csv.zip
extract_files: true
rate_limit: 86400
subject_regex: __REGEX__
folder: INBOX
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.shadowserver.parser
parameters:
revision: 2018-01-20
documentation: https://www.shadowserver.org/what-we-do/network-reporting/
public: no
Via Request Tracker:
description: Shadowserver sends out a variety of reports (see https://www.shadowserver.org/wiki/pmwiki.php/Services/Reports).
additional_information: The configuration retrieves the data from an RT/RTIR ticketing instance via the attachment or a download.
bots:
collector:
module: intelmq.bots.collectors.rt.collector_rt
parameters:
attachment_regex: \.csv\.zip$
extract_attachment: true
extract_download: false
http_password: "{{ your HTTP Authentication password or null }}"
http_username: "{{ your HTTP Authentication username or null }}"
password: __PASSWORD__
provider: __PROVIDER__
rate_limit: 3600
search_not_older_than: "{{ relative time or null }}"
search_owner: nobody
search_queue: Incident Reports
search_requestor: autoreports@shadowserver.org
search_status: new
search_subject_like: \[__COUNTRY__\] Shadowserver __COUNTRY__
set_status: open
take_ticket: true
uri: http://localhost/rt/REST/1.0
url_regex: https://dl.shadowserver.org/[a-zA-Z0-9?_-]*
user: __USERNAME__
parser:
module: intelmq.bots.parsers.shadowserver.parser
parameters:
revision: 2018-01-20
documentation: https://www.shadowserver.org/what-we-do/network-reporting/
public: no
Via API:
description: Shadowserver sends out a variety of reports to subscribers, see documentation.
additional_information: This configuration fetches user-configurable reports from the Shadowserver Reports API. For a list of reports, have a look at the Shadowserver collector and parser documentation.
bots:
collector:
module: intelmq.bots.collectors.shadowserver.collector_reports_api
parameters:
country: <CC>
api_key: <API key>
secret: <API secret>
types: <single report or list of reports>
rate_limit: 86400
redis_cache_db: 12
redis_cache_host: 127.0.0.1
redis_cache_port: 6379
redis_cache_ttl: 864000
parser:
module: intelmq.bots.parsers.shadowserver.parser_json
parameters:
revision: 2020-01-08
documentation: https://www.shadowserver.org/what-we-do/network-reporting/api-documentation/
public: no
Fraunhofer:
DGA Archive:
description: Fraunhofer DGA collector fetches data from Fraunhofer's domain
generation archive.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://dgarchive.caad.fkie.fraunhofer.de/today
http_password: "{{ your password}}"
http_username: "{{ your username}}"
rate_limit: 10800
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.fraunhofer.parser_dga
parameters:
revision: 2018-01-20
documentation: https://dgarchive.caad.fkie.fraunhofer.de/welcome/
public: no
MalwareURL:
Latest malicious activity:
description: Latest malicious domains/IPs.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://www.malwareurl.com/
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.malwareurl.parser
parameters:
revision: 2018-02-05
documentation: https://www.malwareurl.com/
public: yes
Microsoft:
BingMURLs via Interflow:
description: Collects malicious URLs detected by Bing from the Interflow API. The feed is available via Microsoft's Government Security Program (GSP).
additional_information: Depending on the file sizes you may need to increase the parameter 'http_timeout_sec' of the collector.
bots:
collector:
module: intelmq.bots.collectors.microsoft.collector_interflow
parameters:
api_key: "{{your API key}}"
file_match: "^bingmurls_"
not_older_than: "2 days"
rate_limit: 3600
http_timeout_sec: 300
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.microsoft.parser_bingmurls
parameters:
revision: 2018-05-29
documentation: https://docs.microsoft.com/en-us/security/gsp/informationsharingandexchange
public: no
CTIP via Interflow:
description: Collects the CTIP Infected feed (sinkhole data for your country) files from the Interflow API. The feed is available via Microsoft's Government Security Program (GSP).
additional_information: Depending on the file sizes you may need to increase the parameter 'http_timeout_sec' of the collector. As many IPs occur very often in the data, you may want to use a deduplicator specifically for the feed.
bots:
collector:
module: intelmq.bots.collectors.microsoft.collector_interflow
parameters:
api_key: "{{your API key}}"
file_match: "^ctip_"
not_older_than: "2 days"
rate_limit: 3600
http_timeout_sec: 300
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.microsoft.parser_ctip
parameters:
revision: 2018-03-06
documentation: https://docs.microsoft.com/en-us/security/gsp/informationsharingandexchange
public: no
CTIP Infected via Azure:
description: Collects the CTIP (sinkhole data) from a shared Azure Storage. The feed is available via Microsoft's Government Security Program (GSP).
additional_information: The cache is needed for memorizing which files have already been processed; the TTL should be higher than the age of the oldest file available in the storage (currently the last three days are available). The connection string contains the endpoint as well as authentication information.
bots:
collector:
module: intelmq.bots.collectors.microsoft.collector_azure
parameters:
connection_string: "{{your connection string}}"
container_name: "ctip-infected-summary"
name: __FEED__
provider: __PROVIDER__
rate_limit: 3600
redis_cache_db: 5
redis_cache_host: 127.0.0.1
redis_cache_port: 6379
redis_cache_ttl: 864000
parser:
module: intelmq.bots.parsers.microsoft.parser_ctip
parameters:
revision: 2020-05-29
documentation: https://docs.microsoft.com/en-us/security/gsp/informationsharingandexchange
public: no
CTIP C2 via Azure:
description: Collects the CTIP C2 feed from a shared Azure Storage. The feed is available via Microsoft's Government Security Program (GSP).
additional_information: The cache is needed for memorizing which files have already been processed; the TTL should be higher than the age of the oldest file available in the storage (currently the last three days are available). The connection string contains the endpoint as well as authentication information.
bots:
collector:
module: intelmq.bots.collectors.microsoft.collector_azure
parameters:
connection_string: "{{your connection string}}"
container_name: "ctip-c2"
name: __FEED__
provider: __PROVIDER__
rate_limit: 3600
redis_cache_db: 5
redis_cache_host: 127.0.0.1
redis_cache_port: 6379
redis_cache_ttl: 864000
parser:
module: intelmq.bots.parsers.microsoft.parser_ctip
parameters:
revision: 2020-05-29
documentation: https://docs.microsoft.com/en-us/security/gsp/informationsharingandexchange
public: no
Threatminer:
Recent domains:
description: Latest malicious domains.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://www.threatminer.org/
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.threatminer.parser
parameters:
revision: 2018-02-06
documentation: https://www.threatminer.org/
public: yes
Calidog:
CertStream:
description: HTTP WebSocket stream from certstream.calidog.io providing data from Certificate Transparency logs.
additional_information: Be aware that this feed provides a lot of data and may overload your system quickly.
bots:
collector:
module: intelmq.bots.collectors.calidog.collector_certstream
parameters:
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.calidog.parser_certstream
parameters:
revision: 2018-06-15
documentation: https://medium.com/cali-dog-security/introducing-certstream-3fc13bb98067
public: yes
McAfee Advanced Threat Defense:
Sandbox Reports:
description: Processes reports from McAfee's sandboxing solution via the openDXL API.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.opendxl.collector
parameters:
dxl_config_file: "{{location of dxl configuration file}}"
dxl_topic: "/mcafee/event/atd/file/report"
parser:
module: intelmq.bots.parsers.mcafee.parser_atd
parameters:
verdict_severity: 4
revision: 2018-07-05
documentation: https://www.mcafee.com/enterprise/en-us/products/advanced-threat-defense.html
public: no
CyberCrime Tracker:
Latest:
description: C2 servers
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://cybercrime-tracker.net/index.php
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.html_table.parser
parameters:
columns: ["time.source", "source.url", "source.ip", "malware.name", "__IGNORE__"]
skip_table_head: true
default_url_protocol: http://
type: c2server
revision: 2019-03-19
documentation: https://cybercrime-tracker.net/index.php
public: yes
PrecisionSec:
Agent Tesla:
description: Agent Tesla IoCs, URLs where the malware is hosted.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://precisionsec.com/threat-intelligence-feeds/agent-tesla/
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.html_table.parser
parameters:
columns: ["source.ip|source.url", "time.source"]
skip_table_head: true
default_url_protocol: http://
type: malware
revision: 2019-04-02
documentation: https://precisionsec.com/threat-intelligence-feeds/agent-tesla/
public: yes
Have I Been Pwned:
Enterprise Callback:
description: With the Enterprise Subscription of 'Have I Been Pwned' you are able to provide a callback URL and any new leak data is submitted to it. It is recommended to put a web server with an authorization check, TLS, etc. in front of the API collector.
additional_information: |
A minimal nginx configuration could look like:
```
server {
listen 443 ssl http2;
server_name [your host name];
client_max_body_size 50M;
# certificate and key: ssl_certificate takes the certificate chain, ssl_certificate_key the private key
ssl_certificate [path to your certificate];
ssl_certificate_key [path to your key];
location /[your private url] {
# reject callbacks that do not carry the shared secret in the Authorization header
if ($http_authorization != '[your private password]') {
return 403;
}
proxy_pass http://localhost:5001/intelmq/push;
proxy_read_timeout 30;
proxy_connect_timeout 30;
}
}
```
bots:
collector:
module: intelmq.bots.collectors.api.collector_api
parameters:
port: 5001
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.hibp.parser_callback
parameters:
revision: 2019-09-11
documentation: https://haveibeenpwned.com/EnterpriseSubscriber/
public: no
Strangereal Intel:
DailyIOC:
description: Daily IOC from tweets and articles
additional_information: |
The collector's `extra_fields` parameter may be any of the fields from the GitHub `content API response <https://developer.github.com/v3/repos/contents/>`_.
bots:
collector:
module: intelmq.bots.collectors.github_api.collector_github_contents_api
parameters:
basic_auth_username: USERNAME
basic_auth_password: PASSWORD
repository: StrangerealIntel/DailyIOC
regex: .*\.json
parser:
module: intelmq.bots.parsers.github_feed
parameters:
revision: 2019-12-05
documentation: https://github.com/StrangerealIntel/DailyIOC
public: yes
CZ.NIC:
HaaS:
description: SSH attackers against HaaS (Honeypot as a Service) provided by CZ.NIC, z.s.p.o. The dump is published once a day.
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
extract_files: true
http_url: https://haas.nic.cz/stats/export/{time[%Y/%m/%Y-%m-%d]}.json.gz
http_url_formatting:
days: -1
rate_limit: 86400
parser:
module: intelmq.bots.parsers.cznic.parser_haas
parameters:
revision: 2020-07-22
documentation: https://haas.nic.cz/
public: yes
Proki:
description: Aggregation of various sources on malicious IP addresses (malware spreaders or C&C servers).
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: https://proki.csirt.cz/api/1/__APIKEY__/data/day/{time[%Y/%m/%d]}
http_url_formatting:
days: -1
rate_limit: 86400
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.cznic.parser_proki
parameters:
revision: 2020-08-17
documentation: https://csirt.cz/en/proki/
public: no
ESET:
ETI Domains:
description: Domain data from ESET's TAXII API.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.eset.collector
parameters:
username: <username>
password: <password>
endpoint: eti.eset.com
time_delta: 3600
collection: ei.domains v2 (json)
parser:
module: intelmq.bots.parsers.eset.parser
parameters:
revision: 2020-06-30
documentation: https://www.eset.com/int/business/services/threat-intelligence/
public: no
ETI URLs:
description: URL data from ESET's TAXII API.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.eset.collector
parameters:
username: <username>
password: <password>
endpoint: eti.eset.com
time_delta: 3600
collection: ei.urls (json)
parser:
module: intelmq.bots.parsers.eset.parser
parameters:
revision: 2020-06-30
documentation: https://www.eset.com/int/business/services/threat-intelligence/
public: no
Shodan:
Country Stream:
description: Collects the Shodan stream for one or multiple countries from the Shodan API.
additional_information: A Shodan account with streaming permissions is needed.
bots:
collector:
module: intelmq.bots.collectors.shodan.collector_stream
parameters:
api_key: <API key>
countries: <comma-separated list of country codes>
error_retry_delay: 0
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.shodan.parser
parameters:
ignore_errors: false
error_retry_delay: 0
minimal_mode: false
revision: 2021-03-22
documentation: https://developer.shodan.io/api/stream
public: no