IOC feeds

the_rock

Hey boys and girls,

Happy Friday and weekend 🙂

Just figured would share some IOC feeds I put together in my lab, I counted and there is about 2000 known bad IPs that are blocked via all of them together, so hopefully it can help others.

If anyone has any others to share, please do so. FYI, you do need either AV or AB blades enabled to use IOC feeds and for best results, I recommend R81.20 version, as it also lets you test the feeds from smart console.

I truly believe everyone should do this method, as lets be honest, with ever evolving threats from the Internet, who has the time to manually keep updating bad IPs to be blocked? I will take a wild guess and say probably no one lol

Best,

Andy

[Expert@azurefw:0]# ioc_feeds show
Feed Name: talos_1
Feed is Active
File will be fetched via HTTPS
Resource: https://www.talosintelligence.com/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: sans
Feed is Active
File will be fetched via HTTPS
Resource: https://isc.sans.edu/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: isacs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.nationalisacs.org/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: Imfraguard
Feed is Active
File will be fetched via HTTPS
Resource: https://www.infragard.org/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: virustotal
Feed is Active
File will be fetched via HTTPS
Resource: https://www.virustotal.com/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: Cisa
Feed is Active
File will be fetched via HTTPS
Resource: https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/automated-indicator-sha...
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: googlesafebrowsing
Feed is Active
File will be fetched via HTTPS
Resource: https://safebrowsing.google.com/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: spamhaus
Feed is Active
File will be fetched via HTTPS
Resource: https://www.spamhaus.org/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: abuse.ch
Feed is Active
File will be fetched via HTTPS
Resource: https://abuse.ch/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: virusshare
Feed is Active
File will be fetched via HTTPS
Resource: https://virusshare.com/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: talos
Feed is Active
File will be fetched via HTTP
Resource: http://www.talosintelligence.com/documents/ip-blacklist
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: sslbl
Feed is Active
File will be fetched via HTTPS
Resource: https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: cybercrime
Feed is Active
File will be fetched via HTTPS
Resource: https://cybercrime-tracker.net/ccamlist.php
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: reputation
Feed is Active
File will be fetched via HTTP
Resource: http://reputation.alienvault.com/reputation.data
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: ipspamlist
Feed is Active
File will be fetched via HTTP
Resource: http://www.ipspamlist.com/public_feeds.csv
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: botvrij
Feed is Active
File will be fetched via HTTPS
Resource: https://www.botvrij.eu/data/ioclist.hostname.raw
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: Known_bad_IPs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.misp-project.org/feeds/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: github-blocklist
Feed is Active
File will be fetched via HTTPS
Resource: https://github.com/firehol/blocklist-ipsets
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: feodo_tracker
Feed is Active
File will be fetched via HTTPS
Resource: https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: emerging_threats
Feed is Active
File will be fetched via HTTP
Resource: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: test-feed
Feed is Active
File will be fetched via HTTPS
Resource: https://csp.infoblox.com/
Action: Detect
User Name:
Feed is centrally managed

Total number of feeds: 21
Active feeds: 21
[Expert@azurefw:0]#

the_rock

Apologies, forgot to add 2 files I also used. This gives good example of what CSV file would look like.

CaseyB

Thank you for sharing! I have been looking for more of these to add to our current roster.

the_rock

Very welcome, happy to help. Unlike Ed Sheeran's song "Perfect", this is far from it, but its something lol

Best,

Andy

the_rock

I will keep updating as I find more

Andy

Feed Name: ipq
Feed is Active
File will be fetched via HTTPS
Resource: https://www.ipqualityscore.com/
Action: Prevent
User Name:
Feed is centrally managed

the_rock

I know this is Fortinet, but it has 107 entries

Andy

Feed Name: fortiguard
Feed is Active
File will be fetched via HTTPS
Resource: https://www.fortiguard.com/services/ioc
Action: Prevent
User Name:
Feed is centrally managed

the_rock

Microsoft, 269 entries, pretty good

Andy

https://www.microsoft.com/en-ca/security/business/siem-and-xdr/microsoft-defender-threat-intelligenc...

the_rock

The BEST I found so far, almost 4000 entries.

Andy

https://www.cisco.com/c/en/us/products/security/ngips/index.html

the_rock

Most UPDATED I have so far. But, will keep adding whatever else I find.

Andy

[Expert@azurefw:0]# ioc_feeds show
Feed Name: cisco
Feed is Active
File will be fetched via HTTPS
Resource: https://www.cisco.com/c/en/us/products/security/ngips/index.html
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: cortex
Feed is Active
File will be fetched via HTTPS
Resource: https://xsoar.pan.dev/docs/reference/integrations/cortex-xdr---ioc
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: microsoft
Feed is Active
File will be fetched via HTTPS
Resource: https://www.microsoft.com/en-ca/security/business/siem-and-xdr/microsoft-defender-threat-intelligenc...
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: fortiguard
Feed is Active
File will be fetched via HTTPS
Resource: https://www.fortiguard.com/services/ioc
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: ipq
Feed is Active
File will be fetched via HTTPS
Resource: https://www.ipqualityscore.com/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: talos_1
Feed is Active
File will be fetched via HTTPS
Resource: https://www.talosintelligence.com/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: sans
Feed is Active
File will be fetched via HTTPS
Resource: https://isc.sans.edu/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: isacs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.nationalisacs.org/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: Imfraguard
Feed is Active
File will be fetched via HTTPS
Resource: https://www.infragard.org/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: virustotal
Feed is Active
File will be fetched via HTTPS
Resource: https://www.virustotal.com/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: Cisa
Feed is Active
File will be fetched via HTTPS
Resource: https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/automated-indicator-sha...
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: googlesafebrowsing
Feed is Active
File will be fetched via HTTPS
Resource: https://safebrowsing.google.com/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: spamhaus
Feed is Active
File will be fetched via HTTPS
Resource: https://www.spamhaus.org/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: abuse.ch
Feed is Active
File will be fetched via HTTPS
Resource: https://abuse.ch/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: virusshare
Feed is Active
File will be fetched via HTTPS
Resource: https://virusshare.com/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: talos
Feed is Active
File will be fetched via HTTP
Resource: http://www.talosintelligence.com/documents/ip-blacklist
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: sslbl
Feed is Active
File will be fetched via HTTPS
Resource: https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: cybercrime
Feed is Active
File will be fetched via HTTPS
Resource: https://cybercrime-tracker.net/ccamlist.php
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: reputation
Feed is Active
File will be fetched via HTTP
Resource: http://reputation.alienvault.com/reputation.data
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: ipspamlist
Feed is Active
File will be fetched via HTTP
Resource: http://www.ipspamlist.com/public_feeds.csv
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: botvrij
Feed is Active
File will be fetched via HTTPS
Resource: https://www.botvrij.eu/data/ioclist.hostname.raw
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: Known_bad_IPs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.misp-project.org/feeds/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: github-blocklist
Feed is Active
File will be fetched via HTTPS
Resource: https://github.com/firehol/blocklist-ipsets
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: feodo_tracker
Feed is Active
File will be fetched via HTTPS
Resource: https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: emerging_threats
Feed is Active
File will be fetched via HTTP
Resource: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: test-feed
Feed is Active
File will be fetched via HTTPS
Resource: https://csp.infoblox.com/
Action: Detect
User Name:
Feed is centrally managed

Total number of feeds: 26
Active feeds: 26
[Expert@azurefw:0]#

the_rock

Forgot to mention the most important one...duh : - )

Andy

secureupdates.checkpoint.com/IP-list/TOR.txt

delToro1

Hello mates, I usually use the following open source project:

https://github.com/stamparm/ipsum

It sumarice malicious IP between different lists. It create lists based on the ocurrence of the IP and categorice en levels.

I have configured this IOC in my lab and it's working fine. The level 3 list has over 17K malicious IPs. From R81.20, the way of using network feeds in the access control policy, for me it is more granular.

testing network feedPolicy access rulebaseblock event Network feedUpdate Event Network feed

Best regards! 😉

the_rock

Wow, nice one! Let me test it in the lab later and report back.

Andy

the_rock

Just installed policy, so let me give it some time to see if there any hits. Though its just a lab, but it is in Azure, so Im sure it will get some traffic : - )

Andy

the_rock

Btw, I see the same link but level 2 has almost 35K IP addresses, that is fantastic, thanks for sharing!

Andy

delToro1

No problem ;). I detect that lvl 1 has some false positives, IP addresses from onedrive or sharepoint service that are legit. For me, the lvl 3 is OK, because the IP must appear at least in 3 lists.

@the_rock , of course, thanks for sharing a lot of materials and resources for IOC. 🙂

the_rock

well thank you!!

Andy

CaseyB

The IPsum (lvl3) seems to be the most effective so far. We've dropped over 750 connections since I added it this morning. No one internally has tried to reach out though, so that's good.

The Emerging Threats one also has had a good amount of hits.

the_rock

Agree, same here!

the_rock

I see that when using network feeds, you dont technically need to have av or ab blades enabled, so thats definitely a plus right there and works beautifully.

Andy

Are you a member of CheckMates?

IOC feeds