🔍 Threat Intelligence Data Sources

This post collects publicly available threat intelligence data sources. Note that "publicly available" does not mean "free of copyright"; check each source's license before redistributing its data.

IOC Repositories

These repositories contain threat intelligence that is generally updated manually, typically when the respective organizations publish threat reports.[2]

  • https://github.com/aptnotes/data
  • https://github.com/citizenlab/malware-indicators
  • https://github.com/da667/667s_Shitlist
  • https://github.com/eset/malware-ioc
  • https://github.com/fireeye/iocs
  • https://github.com/Neo23x0/signature-base/tree/master/iocs
  • https://github.com/pan-unit42/iocs
  • https://github.com/stamparm/maltrail/tree/master/trails/static/malware
  • https://github.com/stamparm/maltrail/tree/master/trails/static/suspicious

IOC Feeds

These URLs are data feeds of various types, ranging from scanning IPs collected by honeypots to C2 domains extracted by malware sandboxes, and many other types. They were compiled from several sources, including (but not limited to): 1, 2, 3, 4, 5, 6. They are listed in alphabetical order.[2]

  • http://antispam.imp.ch/wormlist
  • http://app.webinspector.com/recent_detections
  • http://atrack.h3x.eu/api/asprox_suspected.php
  • http://autoshun.org/files/shunlist.csv
  • http://blocklist.greensnow.co/greensnow.txt
  • http://botscout.com/last.htm
  • http://botscout.com/last_caught_cache.htm
  • http://charles.the-haleys.org/ssh_dico_attack_hdeny_format.php/hostsdeny.txt
  • http://cinsscore.com/list/ci-badguys.txt
  • http://cybercrime-tracker.net/all.php
  • http://cybercrime-tracker.net/ccam.php
  • http://cybercrime-tracker.net/ccpmgate.php
  • http://danger.rulez.sk/projects/bruteforceblocker/blist.php
  • http://data.netlab.360.com/feeds/dga/dga.txt
  • http://data.netlab.360.com/feeds/ek/magnitude.txt
  • http://data.netlab.360.com/feeds/ek/neutrino.txt
  • http://data.netlab.360.com/feeds/mirai-scanner/scanner.list
  • http://data.phishtank.com/data/online-valid.csv
  • http://dns-bh.sagadc.org/dynamic_dns.txt
  • http://feeds.dshield.org/top10-2.txt
  • http://hosts-file.net/?s=Browse&f=2014
  • http://labs.snort.org/feeds/ip-filter.blf
  • http://labs.sucuri.net/?malware
  • http://lists.blocklist.de/lists/all.txt
  • http://malc0de.com/bl/BOOT
  • http://malc0de.com/bl/IP_Blacklist.txt
  • http://malc0de.com/rss/
  • http://malwaredb.malekal.com/
  • http://malwaredomains.lehigh.edu/files/domains.txt
  • http://malwareurls.joxeankoret.com/normal.txt
  • http://mirror2.malwaredomains.com/files/immortal_domains.txt
  • http://mirror2.malwaredomains.com/files/justdomains
  • http://multiproxy.org/txt_all/proxy.txt
  • http://openphish.com/feed.txt
  • http://osint.bambenekconsulting.com/feeds/c2-dommasterlist-high.txt
  • http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt
  • http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt
  • http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
  • http://osint.bambenekconsulting.com/feeds/c2-masterlist.txt
  • http://osint.bambenekconsulting.com/feeds/dga-feed.txt
  • http://ransomwaretracker.abuse.ch
  • http://report.rutgers.edu/DROP/attackers
  • http://reputation.alienvault.com/reputation.data
  • http://rules.emergingthreats.net/blockrules/emerging-ciarmy.rules
  • http://rules.emergingthreats.net/blockrules/emerging-compromised.rules
  • http://rules.emergingthreats.net/fwrules/emerging-PF-CC.rules
  • http://rules.emergingthreats.net/open/suricata/rules/botcc.rules
  • http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt
  • http://sblam.com/blacklist.txt
  • http://support.clean-mx.de/clean-mx/xmlviruses.php
  • http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv
  • http://tracker.h3x.eu/api/sites_1day.php
  • http://virbl.org/download/virbl.dnsbl.bit.nl.txt
  • http://vmx.yourcmc.ru/BAD_HOSTS.IP4
  • http://vxvault.net/URL_List.php
  • http://vxvault.siri-urz.net/URL_List.php
  • http://vxvault.siri-urz.net/ViriList.php
  • http://www.autoshun.org/files/shunlist.csv
  • http://www.blocklist.de/lists/apache.txt
  • http://www.blocklist.de/lists/asterisk.txt
  • http://www.blocklist.de/lists/bots.txt
  • http://www.blocklist.de/lists/courierimap.txt
  • http://www.blocklist.de/lists/courierpop3.txt
  • http://www.blocklist.de/lists/email.txt
  • http://www.blocklist.de/lists/ftp.txt
  • http://www.blocklist.de/lists/imap.txt
  • http://www.blocklist.de/lists/ircbot.txt
  • http://www.blocklist.de/lists/pop3.txt
  • http://www.blocklist.de/lists/postfix.txt
  • http://www.blocklist.de/lists/proftpd.txt
  • http://www.blocklist.de/lists/sip.txt
  • http://www.blocklist.de/lists/ssh.txt
  • http://www.botvrij.eu/data/ioclist.url
  • http://www.ciarmy.com/list/ci-badguys.txt
  • http://www.dshield.org/ipsascii.html?limit=10000
  • http://www.falconcrest.eu/IPBL.aspx
  • http://www.joewein.net/dl/bl/dom-bl-base.txt
  • http://www.joewein.net/dl/bl/dom-bl.txt
  • http://www.malware-traffic-analysis.net
  • http://www.malwareblacklist.com/showAllMalwareURL.php?userName=Guest&sessionID=&downloadOption=0
  • http://www.malwaredomainlist.com/hostslist/ip.txt
  • http://www.malwaredomainlist.com/updatescsv.php
  • http://www.malwaregroup.com/ipaddresses
  • http://www.michaelbrentecklund.com/whm-cpanel-cphulk-banlist-whm-cpanel-cphulk-blacklist/
  • http://www.mirc.com/servers.ini
  • http://www.nothink.org/blacklist/blacklist_malware_dns.txt
  • http://www.nothink.org/blacklist/blacklist_malware_http.txt
  • http://www.nothink.org/blacklist/blacklist_malware_irc.txt
  • http://www.nothink.org/blacklist/blacklist_snmp_2015.txt
  • http://www.nothink.org/blacklist/blacklist_ssh_day.txt
  • http://www.projecthoneypot.org/list_of_ips.php
  • http://www.spamhaus.org/drop/drop.txt
  • http://www.spamhaus.org/drop/edrop.txt
  • http://www.stopforumspam.com/downloads/listed_ip_1_all.zip
  • http://www.stopforumspam.com/downloads/toxic_ip_cidr.txt
  • http://www.urlvir.com/export-hosts/
  • http://www.voipbl.org/update/
  • https://atlas.arbor.net/summary/domainlist
  • https://dataplane.org/sshclient.txt
  • https://dataplane.org/sshpwauth.txt
  • https://disconnect.me/lists/malvertising
  • https://disconnect.me/lists/malwarefilter
  • https://dragonresearchgroup.org/insight/sshpwauth.txt
  • https://dragonresearchgroup.org/insight/vncprobe.txt
  • https://feodotracker.abuse.ch
  • https://github.com/stamparm/maltrail/blob/master/trails/static/mass_scanner.txt
  • https://gitlab.com/ZeroDot1/CoinBlockerLists/blob/master/list.txt
  • https://isc.sans.edu/feeds/daily_sources
  • https://isc.sans.edu/feeds/suspiciousdomains_High.txt
  • https://isc.sans.edu/feeds/suspiciousdomains_Low.txt
  • https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt
  • https://isc.sans.edu/feeds/topips.txt
  • https://isc.sans.edu/ipsascii.html
  • https://lists.malwarepatrol.net/cgi/getfile?receipt=f1417692233&product=8&list=dansguardian
  • https://malc0de.com/bl/ZONES
  • https://malsilo.gitlab.io/feeds/dumps/url_list.txt
  • https://malwared.malwaremustdie.org/rss.php
  • https://malwared.malwaremustdie.org/rss_bin.php
  • https://malwared.malwaremustdie.org/rss_ssh.php
  • https://myip.ms/files/blacklist/htaccess/latest_blacklist.txt
  • https://onionoo.torproject.org/details?type=relay&running=true
  • https://palevotracker.abuse.ch
  • https://paste.cryptolaemus.com/feed.xml
  • https://raw.githubusercontent.com/botherder/targetedthreats/master/targetedthreats.csv
  • https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bitcoin_nodes_1d.ipset
  • https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/botscout_1d.ipset
  • https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/cruzit_web_attacks.ipset
  • https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/malwaredomainlist.ipset
  • https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxylists_1d.ipset
  • https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxyrss_1d.ipset
  • https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxyspy_1d.ipset
  • https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ri_web_proxies_30d.ipset
  • https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/socks_proxy_7d.ipset
  • https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/sslproxies_1d.ipset
  • https://raw.githubusercontent.com/futpib/policeman-rulesets/master/examples/simple_domains_blacklist.txt
  • https://raw.githubusercontent.com/Neo23x0/signature-base/master/iocs/otx-c2-iocs.txt
  • https://rules.emergingthreats.net/open/suricata/rules/emerging-dns.rules
  • https://secure.dshield.org/ipsascii.html?limit=1000
  • https://sslbl.abuse.ch
  • https://techhelplist.com/maltlqr/reports/dyreza.txt
  • https://techhelplist.com/pastes
  • https://techhelplist.com/spam-list
  • https://threatfeeds.io/
  • https://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
  • https://urlhaus.abuse.ch/downloads/csv/
  • https://www.badips.com/get/list/any/2?age=7d
  • https://www.circl.lu/doc/misp/feed-osint/
  • https://www.dan.me.uk/torlist/
  • https://www.hidemyass.com/vpn-config/l2tp/
  • https://www.malwaredomainlist.com/hostslist/hosts.txt
  • https://www.maxmind.com/en/anonymous_proxies
  • https://www.maxmind.com/en/high-risk-ip-sample-list
  • https://www.openbl.org/lists/base.txt
  • https://www.openbl.org/lists/base_all_ftp-only.txt
  • https://www.openbl.org/lists/base_all_http-only.txt
  • https://www.openbl.org/lists/base_all_smtp-only.txt
  • https://www.openbl.org/lists/base_all_ssh-only.txt
  • https://www.packetmail.net/iprep.txt
  • https://www.packetmail.net/iprep_CARISIRT.txt
  • https://www.packetmail.net/iprep_ramnode.txt
  • https://www.trustedsec.com/banlist.txt
  • https://www.turris.cz/greylist-data/greylist-latest.csv
  • https://zeustracker.abuse.ch

Miscellaneous intelligence sources

  • Cisco Threat Research Blog – https://blogs.cisco.com/talos
  • CIRCL – https://www.circl.lu/
  • Malwr.com – https://malwr.com
  • ipinfo – https://www.ipinfo.io
  • Robtex – https://www.robtex.com
  • CleanMX – https://www.cleanmx.com
  • VirusShare – https://www.virusshare.com
  • Sinica – https://www.sinica.edu.tw
  • Native – ThreatMiner also periodically performs its own DNS enrichment using native applications.
  • Loki https://github.com/Neo23x0/Loki
  • Maltiverse https://maltiverse.com/dashboards/newioc
  • InQuest Labs IOC DB https://labs.inquest.net/iocdb
  • Abuse.ch http://abuse.ch/
  • Anomali STAXX https://www.anomali.com/community/staxx
  • Autoshun https://www.autoshun.org
  • Bambenek https://www.bambenekconsulting.com/
  • Block List Project https://blocklist.site/
  • Bitdefender (Advanced Threat Intelligence) https://www.bitdefender.com/
  • BruteForceBlocker http://danger.rulez.sk/index.php/bruteforceblocker/
  • CERT-EU https://cert.europa.eu/cert/filteredition/en/CERTLatestNews.html/
  • CINS Score http://cinsscore.com/
  • CRITs (Collaborative Research Into Threats) https://crits.github.io/
  • Comodo Site Inspector http://siteinspector.comodo.com/
  • DNS8 https://www.layer8.pt/products/dns8/
  • DShield https://www.dshield.org/
  • ESET https://www.eset.com
  • Fortinet https://www.fortinet.com/
  • Google Safebrowsing https://safebrowsing.google.com/
  • Hybrid Analysis https://www.hybrid-analysis.com/
  • Malc0de http://malc0de.com/
  • Malshare https://malshare.com/
  • MISP Platform https://www.misp-project.org/
  • National Certs (NCSC-FI example) https://www.cybersecurityintelligence.com/nationalcyber-security-centre-finland-ncsc-fi-1916.html
  • OpenPhish https://openphish.com
  • OTX AlienVault https://otx.alienvault.com/
  • PhishTank https://www.phishtank.com/
  • Proofpoint https://www.proofpoint.com/us/daily-rulesetupdate-summary
  • Shadowserver https://www.shadowserver.org/
  • Spamhaus https://www.spamhaus.org/
  • TalosIntelligence https://talosintelligence.com
  • Threat Miner https://www.threatminer.org/
  • Trustwave (SpiderLabs Blog) https://www.trustwave.com
  • US DHS – Automated Indicator Sharing https://www.cisa.gov/automated-indicator-sharing-ais
  • Virus Total https://www.virustotal.com

Detailed categories

[Image 1: detailed categories of threat intelligence data sources]

References

[1] Threat Intelligence Sources, ThreatHunter, https://www.jianshu.com/p/747e57705535

[2] Threat Intelligence, Jason Trost, http://www.covert.io/threat-intelligence/
