IOC Sources
This page contains a list of the sources which can be used to build RPZs. The list is not comprehensive (and cannot be comprehensive); if you find a new good source of IOCs, please share it. The list is organized by the date when a source was added. Some sources require a subscription, so please check the descriptions before copying and pasting.
URL: https://www.infoblox.com/products/bloxone-threat-defense/
Sample BloxOne Threat Defense TIDE IP source with IOC expiration time.
{source,{"at_ip_w_exp","https://**APIKEY**@api.activetrust.net:8000/api/data/threats/state/ip?profile=IID&field=ip,expiration&data_format=csv","[:AXFR:]&from_date=[:FTimestamp:]","^(?!host)(?!ip)\"?\'?([A-Za-z0-9][A-Za-z0-9\-\._]+)\"?\'?,?([0-9:TZtz -.]+)?$"}}.
Sample BloxOne Threat Defense TIDE host source without IOC expiration time. Using the expiration time is recommended.
{source,{"at_hosts","https://**APIKEY**@api.activetrust.net:8000/api/data/threats/state/host?profile=IID&field=host&data_format=csv","[:AXFR:]&from_date=[:FTimestamp:]","^(?!host)(?!ip)\"?\'?([A-Za-z0-9][A-Za-z0-9\-\._]+)[^A-Za-z0-9\-\._]*.*$"}}.
Sample BloxOne Threat Defense TIDE IPv4 feed converted to an IPv6 feed for IPv6-only networks.
This example highlights how to use the "shell" source type to preprocess threat indicators before passing them to ioc2rpz.
{source,{"TIDE_IPv6","shell:/usr/bin/curl -sL 'https://**APIKEY**@api.activetrust.net:8000/api/data/threats/state/ip?profile=IID&field=ip,expiration&data_format=csv&no_headers=yes' | gawk -F '[.,]' --non-decimal-data '{ printf \"::ffff:%x%0.2x:%x%0.2x,%s\\n\", $1, $2, $3, $4, $5 }'","[:AXFR:]&from_date=[:FTimestamp:]","^(?!host)(?!ip)\"?\'?([A-Za-z0-9:][:A-Za-z0-9\-\._]+)\"?\'?,?([0-9:TZtz -.]+)?$"}}.
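As an added example (not part of the original page or of ioc2rpz itself), the following Python reproduces the curl | gawk preprocessing stage on constructed CSV rows and then applies the source regex from the TIDE_IPv6 entry above, checking that each captured indicator parses as an IPv4-mapped IPv6 address:

```python
import ipaddress
import re

# Regex of the TIDE_IPv6 source above, copied as a Python raw string.
TIDE_IPV6_REGEX = re.compile(
    r"""^(?!host)(?!ip)"?'?([A-Za-z0-9:][:A-Za-z0-9\-\._]+)"?'?,?([0-9:TZtz -.]+)?$""")

def ipv4_to_mapped_ipv6(ipv4):
    """Render an IPv4 address exactly as the gawk printf '::ffff:%x%0.2x:%x%0.2x'
    does: per hextet, the first octet is not zero-padded, the second one is."""
    octets = [int(x) for x in ipv4.split(".")]
    if len(octets) != 4 or any(not 0 <= x <= 255 for x in octets):
        raise ValueError(f"not an IPv4 address: {ipv4!r}")
    return "::ffff:%x%02x:%x%02x" % tuple(octets)

def convert_feed(csv_lines):
    """The curl | gawk stage: 'ip,expiration' rows (no header) become
    '<mapped-ipv6>,expiration' rows, which ioc2rpz then reads as a normal feed."""
    converted = []
    for line in csv_lines:
        ip, expiration = line.rstrip("\r\n").split(",", 1)
        converted.append(f"{ipv4_to_mapped_ipv6(ip)},{expiration}")
    return converted

def parse_converted(lines):
    """Apply the source regex to the converted rows (group 1 = indicator,
    group 2 = expiration) and confirm each indicator is a valid IPv4-mapped
    IPv6 address that maps back to an IPv4. Returns (v6, v4, expiration)."""
    result = []
    for line in lines:
        m = TIDE_IPV6_REGEX.match(line)
        if not m:
            continue
        v6 = ipaddress.IPv6Address(m.group(1))
        if v6.ipv4_mapped is None:
            raise ValueError(f"not an IPv4-mapped address: {m.group(1)}")
        result.append((m.group(1), str(v6.ipv4_mapped), m.group(2)))
    return result

# Constructed sample of the TIDE CSV with no_headers=yes (not real feed data).
SAMPLE_CSV = ["192.0.2.10,2024-06-01T00:00:00Z", "10.0.0.1,2024-06-02T12:30:00Z"]

if __name__ == "__main__":
    for row in parse_converted(convert_feed(SAMPLE_CSV)):
        print(row)
```

The printf format yields forms such as ::ffff:a00:001, which are not RFC 5952 canonical but are accepted by the regex and by IPv6 parsers.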
You can use the universal shell: source type to fetch RPZ feeds. In the example below you need to provide a TSIG key and a server name or IP address. base.rpz.infoblox.local is used as a sample feed name. You may use the full feed name or just part of it to extract a domain/FQDN from a rule (see the awk command).
{source,{"base.rpz","shell:/usr/bin/dig -y **KEYNAME**:**TSIGKEY** @**SERVER** **base.rpz.infoblox.local** axfr | /bin/grep -e CNAME | /bin/grep -v '*.' | /usr/bin/awk -F '.base.rpz' '{print $1}'","",none}}.
URL: http://data.netlab.360.com
{source,{"dga","http://data.netlab.360.com/feeds/dga/dga.txt","[:AXFR:]","^[^\s\t]*[\s\t]*([A-Za-z0-9][A-Za-z0-9\-\._]+)[\s\t]*.*:00[\s\t]*([0-9: -]+)$"}}.
{source,{"blackhole","http://data.netlab.360.com/feeds/dga/blackhole.txt","[:AXFR:]","^(?!host)(?!ip)\"?\'?([A-Za-z0-9][A-Za-z0-9\-\._]+)[^A-Za-z0-9\-\._]*.*$"}}.
This is a sample zone with IOC expiration. Usually an expiration date is not required for DGA feeds, because the zone can be updated in a timely manner.
{source,{"blackhole_exp","http://data.netlab.360.com/feeds/dga/blackhole.txt","[:AXFR:]","^([A-Za-z0-9][A-Za-z0-9\-\._]+)\t.*:00\t([0-9: -]+)$"}}.
{source,{"cryptolocker","http://data.netlab.360.com/feeds/dga/cryptolocker.txt","[:AXFR:]","^(?!host)(?!ip)\"?\'?([A-Za-z0-9][A-Za-z0-9\-\._]+)[^A-Za-z0-9\-\._]*.*$"}}.
{source,{"conficker","http://data.netlab.360.com/feeds/dga/conficker.txt","[:AXFR:]","^(?!host)(?!ip)\"?\'?([A-Za-z0-9][A-Za-z0-9\-\._]+)[^A-Za-z0-9\-\._]*.*$"}}.
{source,{"bot.list","http://data.netlab.360.com/feeds/hajime-scanner/bot.list","[:AXFR:]","ip=([0-9\.]+)$"}}.
Other DGA lists can be found on the NetLab website.
Using MaxMind's DB you can build RPZs which prevent access to specific countries or cities. Minimal local file processing is required:
- unzipping the file;
- filtering the countries/cities to which access should be restricted.
http://dev.maxmind.com/geoip/geoip2/geolite2/#MaxMind_APIs
http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip
{source,{"geo_north_korea","file:cfg/GeoLite2-Country-Blocks-IPv4.csv","[:AXFR:]","^([^,]+),.*1873107.*"}}.
URL: https://github.com/notracking/hosts-blocklists
Description: No more ads, tracking and other virtual garbage. This repository provides a host and domain name based blocklist. Most entries are gathered from multiple, actively maintained sources and automatically updated, cleaned, optimized and moderated on a daily basis. The blocklists support both IPv4 and IPv6.
{source,{"notracking_hosts","https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt","[:AXFR:]","^0\.0\.0\.0 ([A-Za-z0-9\._\-]+[A-Za-z])$"}}.
{source,{"notracking_domains","https://raw.githubusercontent.com/notracking/hosts-blocklists/master/domains.txt","[:AXFR:]","^address=\/([A-Za-z0-9\._\-]+[A-Za-z])\/0\.0\.0\.0$"}}.
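The following Python, an added example rather than code from this page or from ioc2rpz, applies several of the source regexes listed on this page (at_ip_w_exp, blackhole_exp, geo_north_korea, notracking_hosts, notracking_domains) to constructed feed lines to show which rows each regex accepts and what its capture groups return:

```python
import re

# Regexes copied from the {source,...} entries on this page, as Python raw
# strings so the regex engine sees the backslashes exactly as written.
SOURCE_REGEX = {
    "at_ip_w_exp": r"""^(?!host)(?!ip)"?'?([A-Za-z0-9][A-Za-z0-9\-\._]+)"?'?,?([0-9:TZtz -.]+)?$""",
    "blackhole_exp": r"^([A-Za-z0-9][A-Za-z0-9\-\._]+)\t.*:00\t([0-9: -]+)$",
    "geo_north_korea": r"^([^,]+),.*1873107.*",
    "notracking_hosts": r"^0\.0\.0\.0 ([A-Za-z0-9\._\-]+[A-Za-z])$",
    "notracking_domains": r"^address=\/([A-Za-z0-9\._\-]+[A-Za-z])\/0\.0\.0\.0$",
}

# Constructed feed lines in the layout each regex expects (not real feed data);
# the header, comment and non-matching rows show what the regex silently drops.
SAMPLE_FEED = {
    "at_ip_w_exp": ["ip,expiration",
                    "192.0.2.10,2024-06-01T00:00:00Z",
                    '"198.51.100.7",2024-06-02T12:30:00Z'],
    "blackhole_exp": ["# domain\tfirst_seen\tlast_seen",
                      "qwe7xk2p.example.net\t2024-05-30 04:00:00\t2024-06-02 04:00:00"],
    "geo_north_korea": ["network,geoname_id,registered_country_geoname_id",
                        "203.0.113.0/24,1873107,1873107",
                        "198.51.100.0/24,6252001,6252001"],
    "notracking_hosts": ["127.0.0.1 localhost", "0.0.0.0 ads.example.org"],
    "notracking_domains": ["address=/tracker.example.org/0.0.0.0"],
}

def extract_iocs(regex, lines):
    """Apply one source regex the way ioc2rpz reads it: capture group 1 is the
    indicator, an optional group 2 its expiration. Lines that do not match
    (headers, comments, malformed rows) are skipped. Returns [(ioc, expiration)]."""
    pattern = re.compile(regex)
    iocs = []
    for line in lines:
        m = pattern.match(line.rstrip("\r\n"))
        if not m:
            continue
        expiration = m.group(2) if pattern.groups >= 2 else None
        iocs.append((m.group(1), expiration))
    return iocs

def run_all():
    """Extract indicators from every constructed sample feed, keyed by source name."""
    return {name: extract_iocs(SOURCE_REGEX[name], lines)
            for name, lines in SAMPLE_FEED.items()}

if __name__ == "__main__":
    for name, iocs in run_all().items():
        print(name, iocs)
```

Rows that do not match are dropped without any error, so test a new regex against a few lines of the real feed before enabling the source.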
URL: https://www.phishtank.com
Description: PhishTank is a free community site where anyone can submit, verify, track and share phishing data. The source contains only phishing domains (URLs are not included) and IPs.
{source,{"phishtank","shell:/usr/bin/curl -sL http://data.phishtank.com/data/**APIKEY**/online-valid.csv | /usr/bin/gawk 'match($0,/^[0-9]+,[^\\/]*\\/\\/([^\\/]+)\\/?,[^,]+,[^,]+,yes,/,a) {print a[1]}' | sort | uniq","[:AXFR:]",none}}.