Top-100 Malicious IP STIX Feed

Published: 2017-11-17
Last Updated: 2017-11-17 07:56:20 UTC
by Xavier Mertens (Version: 1)
5 comment(s)

Yesterday, we were contacted by one of our readers who asked if we provide a STIX feed of our blocked list or top-100 suspicious IP addresses. STIX[1] means “Structured Threat Information eXpression” and enables organizations to share indicator of compromise (IOC) with peers in a consistent and machine readable manner.

The ISC already provides an API[2] that allows you to query our databases. The following query will return the top-100 bad IP addresses: (output has been beautified)

$ curl https://isc.sans.edu/api/topips/records/100
<?xml version="1.0" encoding="UTF-8"?>
<topips>
<ipaddress>
<rank>1</rank>
<source>046.101.124.074</source>
<reports>132723</reports>
<targets>110</targets>
</ipaddress><ipaddress>
<rank>2</rank>
<source>130.211.015.150</source>
<reports>21166</reports>
<targets>4474</targets>
</ipaddress><ipaddress>
...
</ipaddress>

You can select the output format by appending a “?<format>” at the end of the URL. Supported formats are: xml, text, json, php. The different formats make the output easy to integrate into third-party application but our reader’s comment was legit. If they are standards like STIX, why not use them?

Python has a module[3] to handle STIX data. I wrote a quick script to convert the output of the "/topips/records/100" API call into a STIX 1.2 XML format:

<stix:STIX_Package
  xmlns:stix="http://stix.mitre.org/stix-1" 
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2" 
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1" 
  xmlns:cybox="http://cybox.mitre.org/cybox-2" 
  xmlns:indicator="http://stix.mitre.org/Indicator-2" 
  xmlns:xs="http://www.w3.org/2001/XMLSchema" 
  xmlns:stixCommon="http://stix.mitre.org/common-1" 
  xmlns:example="http://example.com" 
  xmlns:cyboxCommon="http://cybox.mitre.org/common-2" 
  xmlns:xlink="http://www.w3.org/1999/xlink" id="example:Package-05d930dd-db95-4ef0-928e-6a697a1d54e0" version="1.2"> 
  <stix:STIX_Header/>
    <stix:Indicators>
      <stix:Indicator id="example:indicator-c0d228b3-8f67-44f9-add9-7b48936586d4" timestamp="2017-11-17T07:41:00.355151+00:00" xsi:type='indicator:IndicatorType'>
        <indicator:Title>SANS ISC Malicious IP</indicator:Title>
        <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
        <indicator:Observable id="example:Observable-7e3046bd-ea5e-4998-9520-d3ee84a8a266">
          <cybox:Object id="example:Address-9e46b000-bf82-47aa-ab40-84d088174470">
            <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
              <AddressObj:Address_Value>46.101.124.74</AddressObj:Address_Value>
            </cybox:Properties>
          </cybox:Object>
       </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>

The script is available in my GitHub repository[4].

If you want to test, I'm publishing a live feed[5] (updated every 2 hours). Let me know if it's useful to you, if the STIX file is correct (read: I'm not a STIX guru) or if you need some improvements. 

[1] https://stixproject.github.io/
[2] https://isc.sans.edu/api/
[3] https://github.com/STIXProject/python-stix
[4] https://github.com/xme/toolbox/blob/master/isc2stix.py
[5] https://misp.truesec.be/isc-top-100-stix.xml

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Keywords: API IOC IP sharing STIX
5 comment(s)
ISC Stormcast For Friday, November 17th 2017 https://isc.sans.edu/podcastdetail.html?id=5760

Comments

cwqwqwq

www

Nov 17th 2022
6 months ago

eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>

EEW

Nov 17th 2022
6 months ago

WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]

qwq

Nov 17th 2022
6 months ago

dwqqqwqwq mashood

mashood

Nov 17th 2022
6 months ago

[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)

isc.sans.edu

Nov 23rd 2022
6 months ago

[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]

isc.sans.edu

Nov 23rd 2022
6 months ago

What's this all about ..?

isc.sans.edu

Dec 3rd 2022
5 months ago

password reveal .

isc.sans.edu

Dec 3rd 2022
5 months ago

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

isc.sans.edu

Dec 26th 2022
5 months ago

https://thehomestore.com.pk/

isc.sans.edu

Dec 26th 2022
5 months ago

Login here to join the discussion.


Diary Archives