
What are the open threat lists Optiv Threat Intel gets its feeds from?

Makinde
New Member

Hi Derek,

I am just curious to know the various feeds Optiv Threat Intel makes use of.

I would like to know so I am not duplicating threat intelligence in my network.

Thanks

0 Karma
1 Solution

derekarnold
Communicator

Hi Makinde,
Here's the current list. If there is overlap with other data sources, I can tell you the app is pretty lightweight on license utilization, disk, and CPU cores.

SpamHaus, Dshield, Frodo
URL: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Emerging Threats Compromised IPs
URL: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
Binary Defense
URL: http://www.binarydefense.com/banlist.txt
malc0de_IPs
URL: http://malc0de.com/bl/IP_Blacklist.txt
AlienVault
URL: https://reputation.alienvault.com/reputation.generic
TorExitNodes
URL: https://check.torproject.org/exit-addresses
Zeus
URL: https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
Open Blocklist base 1 day
URL: http://www.openbl.org/lists/base_1days.txt
MalwareBytes Domains
URL: http://avant.it-mate.co.uk/dl/Tools/hpHosts/hosts.txt
Malware Domains
URL: http://www.malwaredomainlist.com/hostslist/hosts.txt
ISC SANS Suspicious Domains
URL: https://isc.sans.edu/feeds/suspiciousdomains_High.txt
Open Phish URLs
URL: https://openphish.com/feed.txt
Phish Tank URLs
URL: http://data.phishtank.com/data/online-valid.csv
Bambenek IPs
URL: http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
Talos Intel IPs
URL: http://www.talosintel.com/feeds/ip-filter.blf

System12
New Member

Hi Derek,

Are you able to add your own STIX/TAXII feed to it, in addition to the ones you listed?

0 Karma

derekarnold
Communicator

System12, given an accessible URL, it's just a matter of adding a function for a new threat feed in the code. Do you have something particular in mind you can share?

0 Karma

jwalzerpitt
Influencer

Derek,

One last question - is there any way you could modify the app to correlate against src_ip as well?

Thx

0 Karma
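The three practical points in this thread are the mix of feed formats Derek lists (plain IP/CIDR lists, the Tor exit-addresses file, hosts-file style domain lists, the PhishTank CSV), his remark that a new feed is just one more function in the code, and Jeff's wish to correlate on src_ip as well as the destination. The following is an added example, not code from the Optiv Threat Intel app or from anyone in this thread: it registers one parser per feed format, merges the results into a de-duplicated indicator set that remembers which feeds carried each indicator (so Makinde can see overlap with feeds he already has), emits rows suitable for a Splunk CSV lookup, and checks both endpoints of an event. Feed bodies are passed in as strings fetched out of band; the feed names, field names and sample feed contents are constructed for the example, and the only format claims made are those visible in the list above.

```python
"""Normalise several open threat-feed formats into one de-duplicated
indicator set and match event fields (src_ip, dest_ip, query) against it.
Added example; not the Optiv Threat Intel app's own code."""
import csv
import io
import ipaddress
import re
from typing import Callable, Dict, Set, Tuple

# Registry: feed name -> (indicator kind, parser). Adding a feed is one more
# decorated function, mirroring "add a function for a new threat feed".
FEEDS: Dict[str, Tuple[str, Callable[[str], Set[str]]]] = {}

def feed(name: str, kind: str):
    def register(fn):
        FEEDS[name] = (kind, fn)
        return fn
    return register

def _data_lines(text: str):
    """Yield non-empty lines with '#' comments stripped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

@feed("et-block-ips", "ip")          # hypothetical feed name
def parse_ip_list(text: str) -> Set[str]:
    """One IP or CIDR per line with '#' comments (the Emerging Threats block
    list shape). Single hosts are stored bare, ranges as CIDR strings."""
    out = set()
    for line in _data_lines(text):
        try:
            net = ipaddress.ip_network(line.split()[0], strict=False)
        except ValueError:
            continue                     # skip anything that is not an address
        out.add(str(net.network_address) if net.num_addresses == 1 else str(net))
    return out

@feed("tor-exit-addresses", "ip")    # hypothetical feed name
def parse_tor_exits(text: str) -> Set[str]:
    """check.torproject.org format: only 'ExitAddress <ip> <timestamp>' lines carry IPs."""
    return {m.group(1) for m in re.finditer(r"^ExitAddress\s+(\S+)", text, re.M)}

@feed("hosts-file-domains", "domain")  # hypothetical feed name
def parse_hosts(text: str) -> Set[str]:
    """hosts(5) style lists (hpHosts, malwaredomainlist): '127.0.0.1 bad.host'."""
    out = set()
    for line in _data_lines(text):
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("127.0.0.1", "0.0.0.0"):
            out.update(h.lower() for h in parts[1:] if h.lower() != "localhost")
    return out

@feed("phishtank-csv", "url")        # hypothetical feed name
def parse_phishtank(text: str) -> Set[str]:
    """PhishTank online-valid.csv carries the phishing URL in its 'url' column."""
    return {row["url"] for row in csv.DictReader(io.StringIO(text)) if row.get("url")}

def build_indicator_sets(downloads: Dict[str, str]) -> Dict[str, Dict[str, Set[str]]]:
    """downloads: feed name -> raw body. Returns kind -> indicator -> feeds carrying it."""
    by_kind: Dict[str, Dict[str, Set[str]]] = {"ip": {}, "domain": {}, "url": {}}
    for name, body in downloads.items():
        kind, parser = FEEDS[name]
        for ioc in parser(body):
            by_kind[kind].setdefault(ioc, set()).add(name)
    return by_kind

def overlap_report(by_kind) -> Dict[str, int]:
    """How many indicators per kind appear in more than one feed (duplication check)."""
    return {k: sum(1 for srcs in iocs.values() if len(srcs) > 1) for k, iocs in by_kind.items()}

def lookup_rows(by_kind):
    """Rows for a Splunk CSV lookup: indicator, kind, feeds joined with '|'."""
    return sorted((ioc, kind, "|".join(sorted(srcs)))
                  for kind, iocs in by_kind.items() for ioc, srcs in iocs.items())

def match_event(event: Dict[str, str], by_kind,
                fields=(("src_ip", "ip"), ("dest_ip", "ip"), ("query", "domain"))):
    """Check each configured field; IPs match exactly or by CIDR containment."""
    hits = {}
    for field, kind in fields:
        val = event.get(field)
        if not val:
            continue
        iocs = by_kind[kind]
        key = val.lower() if kind == "domain" else val
        if key in iocs:
            hits[field] = sorted(iocs[key])
            continue
        if kind == "ip":
            try:
                addr = ipaddress.ip_address(val)
            except ValueError:
                continue
            for ioc, srcs in iocs.items():
                if "/" in ioc and addr in ipaddress.ip_network(ioc):
                    hits[field] = sorted(srcs)
                    break
    return hits

# Constructed sample feed bodies (documentation ranges only).
SAMPLE_FEEDS = {
    "et-block-ips": "# constructed sample\n198.51.100.7\n203.0.113.0/24\n",
    "tor-exit-addresses": "ExitNode ABC\nPublished 2024-01-01 00:00:00\n"
                          "ExitAddress 198.51.100.7 2024-01-01 00:00:00\n",
    "hosts-file-domains": "# hosts style\n127.0.0.1 localhost\n127.0.0.1 bad.example.test\n",
    "phishtank-csv": "phish_id,url,phish_detail_url\n1,http://phish.example.test/login,http://x\n",
}

if __name__ == "__main__":
    sets = build_indicator_sets(SAMPLE_FEEDS)
    print(overlap_report(sets))
    print(match_event({"src_ip": "203.0.113.9", "dest_ip": "198.51.100.7"}, sets))
```

Run against the constructed sample, the overlap report shows one IP present in two feeds, and the event check flags src_ip through the CIDR entry and dest_ip through the exact entry, which is the "both directions" behaviour Jeff asks about. Real feeds would be fetched on a schedule and the lookup rows written to a CSV that the search-time correlation reads.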

jwalzerpitt
Influencer

Derek,

Just installed the app and the CIM add-on to create the relevant aliases, and it's great. Thx for taking the time to build this.

Any chance you could look to add the FireHOL IP lists (http://iplists.firehol.org/)?

Thx,
Jeff

0 Karma

Makinde
New Member

Thanks Derek

0 Karma