Threat Intelligence Tools

Alexa Top 1 Million sites: Probable whitelist of the top 1 million sites from Amazon (Alexa).

…: A minimal and simple anti-abuse API blacklist lookup tool. It helps users to know immediately if an IP, domain or email is blacklisted. It automatically extracts all the information in real time from multiple sources.

APT Groups and Operations: A spreadsheet containing information and intelligence about APT groups, operations and tactics.

AutoShun: A public service offering at most 2000 malicious IPs and some more resources.

BGP Ranking: Ranking of ASNs having the most malicious content.

Botnet Tracker: Tracks several active botnets.

…: Provides different sets of open source IOCs that you can use in your security devices to detect possible malicious activity.

BruteForceBlocker: BruteForceBlocker is a Perl script that monitors a server's sshd logs and identifies brute force attacks, which it then uses to automatically configure firewall blocking rules and submit those IPs back to the project site.

C&C Tracker: A feed of known, active and non-sinkholed C&C IP addresses, from Bambenek Consulting.

CertStream: Real-time certificate transparency log update stream. See SSL certificates as they're issued, in real time.

CCSS Forum Malware Certificates: A list of digital certificates that have been reported by the forum to various certificate authorities as possibly being associated with malware. This information is intended to help prevent companies from using digital certificates to add legitimacy to malware and to encourage prompt revocation of such certificates.

CI Army List: A subset of the commercial CINS Score list, focused on poorly rated IPs that are not currently present on other threat lists.

Cisco Umbrella: Probable whitelist of the top 1 million sites resolved by Cisco Umbrella (formerly OpenDNS).

Critical Stack Intel: The free threat intelligence parsed and aggregated by Critical Stack is ready for use in any Bro production system. You can specify which feeds you trust and want to ingest.

C1fApp: C1fApp is a threat feed aggregation application, providing a single feed from both open source and private sources. It provides a statistics dashboard and an open API for search, and has been running for a few years now. Searches are on historical data.

Cymon: Cymon is an aggregator of indicators from multiple sources with history, so you have a single interface to multiple threat feeds. It also provides an API to search a database along with a pretty web interface.

Disposable Email Domains: A collection of anonymous or disposable email domains commonly used to spam/abuse services.

DNSTrails: Free intelligence source for current and historical DNS information, WHOIS information, finding other websites associated with certain IPs, subdomain knowledge and technologies. There is an IP and domain intelligence API available as well.

Emerging Threats Firewall Rules: A collection of rules for several types of firewalls, including iptables, PF and PIX.

Emerging Threats IDS Rules: A collection of Snort and Suricata rules files that can be used for alerting or blocking.

ExoneraTor: The ExoneraTor service maintains a database of IP addresses that have been part of the Tor network. It answers the question whether there was a Tor relay running on a given IP address on a given date.

Exploitalert: Listing of the latest exploits released.

Feodo Tracker: The Feodo Tracker tracks the Feodo trojan.

FireHOL IP Lists: 400+ publicly available IP feeds analysed to document their evolution, geo-map, age of IPs, retention policy and overlaps. The site focuses on cyber crime (attacks, abuse, malware).

FraudGuard: FraudGuard is a service designed to provide an easy way to validate usage by continuously collecting and analyzing real-time internet traffic.

Grey Noise: Grey Noise is a system that collects and analyzes data on Internet-wide scanners. It collects data on benign scanners such as …, as well as malicious actors like SSH and telnet worms.

Hail a TAXII: Hail a TAXII is a repository of open source cyber threat intelligence feeds in STIX format. They offer several feeds, including some that are listed here already in a different format, like the Emerging Threats rules and PhishTank feeds.

HoneyDB: HoneyDB provides real-time data of honeypot activity. This data comes from honeypots deployed on the Internet using the HoneyPy honeypot. In addition, HoneyDB provides API access to collected honeypot activity, which also includes aggregated data from various honeypot Twitter feeds.

Icewater: 12,805 free Yara rules created by http://icewater.io

I-Blocklist: I-Blocklist maintains several types of lists containing IP addresses belonging to various categories. Some of the main categories include countries, ISPs and organizations. Other lists include web attacks, TOR, spyware and proxies. Many are free to use, and available in various formats.

Majestic Million: Probable whitelist of the top 1 million web sites, as ranked by Majestic. Sites are ordered by the number of referring subnets. More about the ranking can be found on their blog.

Malc0de DNS Sinkhole: The files in this link are updated daily with domains that have been identified distributing malware during the past 30 days. Collected by malc0de.

MalShare.com: The MalShare Project is a public malware repository that provides researchers free access to samples.

Malware Domain List: A searchable list of malicious domains that also performs reverse lookups and lists registrants, focused on phishing, trojans, and exploit kits.

MalwareDomains.com: The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. These can be used for detection as well as prevention (sinkholing DNS requests).

Metadefender.com: Metadefender Cloud Threat Intelligence Feeds contain the top new malware hash signatures, including MD5, SHA1, and SHA256. These new malicious hashes have been spotted by Metadefender Cloud within the last 24 hours. The feeds are updated daily with newly detected and reported malware to provide actionable and timely threat intelligence.

Minotaur: The Minotaur Project is an ongoing research project by the team at NovCon Solutions. It is being built as a hub for security professionals, researchers and enthusiasts to discover new threats and discuss mitigations. It is a combination of 3rd-party open source software, local datasets, new analysis tools, and more.

Netlab OpenData Project: The Netlab OpenData project was first presented to the public at ISC' 2016 on August 16, 2016. They currently provide multiple data feeds, including DGA, EK, MalCon, Mirai C2, Mirai-Scanner, Hajime-Scanner and DRDoS Reflector.

NoThink!: SNMP, SSH and Telnet blacklisted IPs from Matteo Cantoni's honeypots.

NormShield Services: NormShield Services provide information on thousands of domains (including WHOIS information) that potential phishing attacks may come from. Breach and blacklist services are also available. There is free sign-up for public services for continuous monitoring.

OpenPhish Feeds: OpenPhish receives URLs from multiple streams and analyzes them using its proprietary phishing detection algorithms. There are free and commercial offerings available.

PhishTank: PhishTank delivers a list of suspected phishing URLs. Their data comes from human reports, but they also ingest external feeds where possible. It's a free service, but registering for an API key is sometimes necessary.

Ransomware Tracker: The Ransomware Tracker by … tracks and monitors the status of domain names, IP addresses and URLs that are associated with ransomware, such as botnet C&C servers, distribution sites and payment sites.

Rutgers Blacklisted IPs: An IP list of SSH brute force attackers, created by merging locally observed IPs with IPs up to 2 hours old registered at … and blocklist.de.

SANS ICS Suspicious Domains: The Suspicious Domains Threat Lists by SANS ICS track suspicious domains. They offer 3 lists categorized as high, medium or low sensitivity, where the high sensitivity list has fewer false positives and the low sensitivity list has more. There is also an approved whitelist of domains. Finally, there is a suggested IP blocklist from DShield.

signature-base: A database of signatures used in other tools by Neo23x0.

The Spamhaus Project: The Spamhaus Project contains multiple threat lists associated with spam and malware activity.

SSL Blacklist: SSL Blacklist (SSLBL) is a project maintained by …. The goal is to provide a list of "bad" SSL certificates identified by … as being associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists.

Statvoo Top 1 Million Sites: Probable whitelist of the top 1 million web sites, as ranked by Statvoo.

Strongarm, by Percipient Networks: Strongarm is a DNS blackhole that takes action on indicators of compromise by blocking malware command and control. Strongarm aggregates free indicator feeds, integrates with commercial feeds, utilizes Percipient's IOC feeds, and operates DNS resolvers and APIs for you to use to protect your network and business. Strongarm is free for personal use.

Talos Aspis: Project Aspis is a closed collaboration between Talos and hosting providers to identify and deter major threat actors. Talos shares its expertise, resources, and capabilities, including network and system forensics, reverse engineering, and threat intelligence, at no cost to the provider.

Technical Blogs and Reports, by ThreatConnect: This source is being populated with content from over 90 open source security blogs. IOCs (Indicators of Compromise) are parsed out of each blog and the content of the blog is formatted in markdown.

Threatglass: An online tool for sharing, browsing and analyzing web-based malware. Threatglass allows users to graphically browse website infections by viewing screenshots of the stages of infection, as well as by analyzing network characteristics such as host relationships and packet captures.

ThreatMiner: ThreatMiner has been created to free analysts from data collection and to provide them a portal on which they can carry out their tasks, from reading reports to pivoting and data enrichment. The emphasis of ThreatMiner isn't just on indicators of compromise (IoC) but also on providing analysts with contextual information related to the IoC they are looking at.

WSTNPHX Malware Email Addresses: Email addresses used by malware, collected by VVestron Phoronix (WSTNPHX).

…: A repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious with access to samples of malicious code. Access to the site is granted via invitation only.

Yara-Rules: An open source repository with different Yara signatures that are compiled, classified and kept as up to date as possible.

ZeuS Tracker: The ZeuS Tracker by … tracks ZeuS Command & Control servers (hosts) around the world and provides a domain blocklist and an IP blocklist.

Posted by Charlie