Top-100 Malicious IP STIX Feed
Yesterday, we were contacted by one of our readers who asked if we provide a STIX feed of our blocked list or top-100 suspicious IP addresses. STIX[1] means “Structured Threat Information eXpression” and enables organizations to share indicators of compromise (IOCs) with peers in a consistent and machine-readable manner.
The ISC already provides an API[2] that allows you to query our databases. The following query returns the top-100 bad IP addresses (output has been beautified):

$ curl https://isc.sans.edu/api/topips/records/100
<?xml version="1.0" encoding="UTF-8"?>
<topips>
  <ipaddress>
    <rank>1</rank>
    <source>046.101.124.074</source>
    <reports>132723</reports>
    <targets>110</targets>
  </ipaddress>
  <ipaddress>
    <rank>2</rank>
    <source>130.211.015.150</source>
    <reports>21166</reports>
    <targets>4474</targets>
  </ipaddress>
  <ipaddress>
    ...
  </ipaddress>
</topips>
You can select the output format by appending a “?<format>” at the end of the URL. Supported formats are: xml, text, json, php. The different formats make the output easy to integrate into third-party applications, but our reader’s comment was legit. If there are standards like STIX, why not use them?
Python has a module[3] to handle STIX data. I wrote a quick script to convert the output of the "/topips/records/100" API call into a STIX 1.2 XML format:
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:example="http://example.com"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    id="example:Package-05d930dd-db95-4ef0-928e-6a697a1d54e0" version="1.2">
  <stix:STIX_Header/>
  <stix:Indicators>
    <stix:Indicator id="example:indicator-c0d228b3-8f67-44f9-add9-7b48936586d4" timestamp="2017-11-17T07:41:00.355151+00:00" xsi:type='indicator:IndicatorType'>
      <indicator:Title>SANS ISC Malicious IP</indicator:Title>
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
      <indicator:Observable id="example:Observable-7e3046bd-ea5e-4998-9520-d3ee84a8a266">
        <cybox:Object id="example:Address-9e46b000-bf82-47aa-ab40-84d088174470">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value>46.101.124.74</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
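As an added illustration (not the isc2stix.py script from the repository, and not using python-stix), the converter below builds the same STIX 1.2 structure with only the standard library's xml.etree, and shows the one step worth getting right: the API returns zero-padded octets such as 046.101.124.074, which must be normalized to 46.101.124.74 so that consumers do not read the leading zeros as octal. SAMPLE_TOPIPS is constructed input in the API's format; the "example" ID namespace is the placeholder python-stix also uses.

```python
import uuid
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample of /api/topips/records/100 output (two records, zero-padded octets as the API emits them)
SAMPLE_TOPIPS = """<topips>
 <ipaddress><rank>1</rank><source>046.101.124.074</source><reports>132723</reports><targets>110</targets></ipaddress>
 <ipaddress><rank>2</rank><source>130.211.015.150</source><reports>21166</reports><targets>4474</targets></ipaddress>
</topips>"""

NS = {"stix": "http://stix.mitre.org/stix-1", "indicator": "http://stix.mitre.org/Indicator-2",
      "cybox": "http://cybox.mitre.org/cybox-2", "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
      "xsi": "http://www.w3.org/2001/XMLSchema-instance"}
for p, u in NS.items(): ET.register_namespace(p, u)   # so the serializer emits the usual STIX prefixes

def normalize_ipv4(padded):
    """'046.101.124.074' -> '46.101.124.74': base-10 octets (no octal surprise), then validated as IPv4."""
    octets = [str(int(o, 10)) for o in padded.strip().split(".")]
    return str(ipaddress.IPv4Address(".".join(octets)))   # raises ValueError on anything malformed

def tag(prefix, name):
    return "{%s}%s" % (NS[prefix], name)   # Clark notation expected by ElementTree

def topips_to_stix(topips_xml, title="SANS ISC Malicious IP"):
    """Build a STIX 1.2 package with one 'IP Watchlist' Indicator per topips record."""
    pkg = ET.Element(tag("stix", "STIX_Package"),
                     {"id": "example:Package-%s" % uuid.uuid4(), "version": "1.2",
                      "xmlns:example": "http://example.com",   # prefixes that only occur in attribute values
                      "xmlns:stixVocabs": "http://stix.mitre.org/default_vocabularies-1"})
    ET.SubElement(pkg, tag("stix", "STIX_Header"))
    indicators = ET.SubElement(pkg, tag("stix", "Indicators"))
    now = datetime.now(timezone.utc).isoformat()
    for rec in ET.fromstring(topips_xml).findall("ipaddress"):
        ind = ET.SubElement(indicators, tag("stix", "Indicator"),
                            {"id": "example:indicator-%s" % uuid.uuid4(), "timestamp": now,
                             tag("xsi", "type"): "indicator:IndicatorType"})
        ET.SubElement(ind, tag("indicator", "Title")).text = title
        ET.SubElement(ind, tag("indicator", "Type"),
                      {tag("xsi", "type"): "stixVocabs:IndicatorTypeVocab-1.1"}).text = "IP Watchlist"
        obs = ET.SubElement(ind, tag("indicator", "Observable"), {"id": "example:Observable-%s" % uuid.uuid4()})
        obj = ET.SubElement(obs, tag("cybox", "Object"), {"id": "example:Address-%s" % uuid.uuid4()})
        props = ET.SubElement(obj, tag("cybox", "Properties"),
                              {tag("xsi", "type"): "AddressObj:AddressObjectType", "category": "ipv4-addr"})
        ET.SubElement(props, tag("AddressObj", "Address_Value")).text = normalize_ipv4(rec.findtext("source"))
    return pkg

def watchlist_ips(pkg):
    """Read the IPv4 values back out of a generated package, e.g. to check a published feed."""
    return [e.text for e in pkg.iter(tag("AddressObj", "Address_Value"))]
```

Serialize with ET.tostring(topips_to_stix(SAMPLE_TOPIPS), encoding="unicode") to get the XML; feeding the real API response in place of the constructed sample is the only change needed.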
The script is available in my GitHub repository[4].
If you want to test, I'm publishing a live feed[5] (updated every 2 hours). Let me know if it's useful to you, if the STIX file is correct (read: I'm not a STIX guru) or if you need some improvements.
[1] https://stixproject.github.io/
[2] https://isc.sans.edu/api/
[3] https://github.com/STIXProject/python-stix
[4] https://github.com/xme/toolbox/blob/master/isc2stix.py
[5] https://misp.truesec.be/isc-top-100-stix.xml
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant