├── .gitignore
├── tox.ini
├── README.md
├── prototypes
│   ├── minemeld.yml
│   ├── vxvault.yml
│   ├── malwaredomainlist.yml
│   ├── binarydefense.yml
│   ├── openphish.yml
│   ├── virustotal.yml
│   ├── badips.yml
│   ├── alienvault.yml
│   ├── virbl.yml
│   ├── urlhaus.yml
│   ├── fastly.yml
│   ├── greensnow.yml
│   ├── autofocus.yml
│   ├── cif.yml
│   ├── anomali.yml
│   ├── blocklist_net_ua.yml
│   ├── tor.yml
│   ├── themediatrust.yml
│   ├── google.yml
│   ├── ciscoise.yml
│   ├── surbl.yml
│   ├── bruteforceblocker.yml
│   ├── malc0de.yml
│   ├── blutmagie.yml
│   ├── stix2.yml
│   ├── phishme.yml
│   ├── cloudflare.yml
│   ├── threatconnect.yml
│   ├── proofpoint.yml
│   ├── ETOpen.yml
│   ├── dshield.yml
│   ├── nothink.yml
│   ├── zeustracker.yml
│   ├── dhs.yml
│   ├── cofense.yml
│   ├── itcertpa.yml
│   ├── threatq.yml
│   ├── sslabusech.yml
│   ├── usom.yml
│   ├── recordedfuture.yml
│   ├── spamhaus.yml
│   ├── azure.yml
│   ├── feodotracker.yml
│   ├── aws.yml
│   ├── openbl.yml
│   ├── libraesva.yml
│   ├── auscert.yml
│   ├── office365-dod.yml
│   ├── office365-usdefense.yml
│   ├── blocklist_de.yml
│   ├── hailataxii.yml
│   ├── bambenekconsulting.yml
│   ├── office365.yml
│   ├── ransomwaretracker.yml
│   └── o365-api.yml
├── .travis.yml
└── tests
    └── test_prototypes.py

/.gitignore:
--------------------------------------------------------------------------------
.tox
*.pyc

/tox.ini:
--------------------------------------------------------------------------------
[tox]
envlist = py27
skipsdist = True

[testenv:py27]
basedeps = nose
    six
deps = {[testenv:py27]basedeps}
commands = pip install PyYAML
    nosetests -s {posargs}

/README.md:
--------------------------------------------------------------------------------
# minemeld-node-prototypes

Prototypes for MineMeld nodes

## Getting Started
The best place for getting started with the MineMeld Open Source project is the
[Wiki](https://github.com/PaloAltoNetworks/minemeld/wiki)

**version:** 0.9.70

/prototypes/minemeld.yml:
--------------------------------------------------------------------------------
description: >
  Library of nodes to work with multiple MineMeld instances
url: https://github.com/PaloAltoNetworks/minemeld/wiki

prototypes:
  JSONSEQFeed:
    author: MineMeld Core Team
    development_status: EXPERIMENTAL
    node_type: miner
    indicator_types: [ any ]
    tags: []
    description: Miner to connect to MineMeld feeds
    class: minemeld.ft.mm.JSONSEQMiner
    config:
      # insert the URL of the MineMeld feed here
      url: null
      interval: 3600
      age_out:
        default: null
        sudden_death: true
        interval: 86400

/prototypes/vxvault.yml:
--------------------------------------------------------------------------------
url: http://vxvault.net
description: Threat feed from S!Ri.URZ

prototypes:
  URLBL:
    author: Pansaen Boonyakarn
    development_status: EXPERIMENTAL
    node_type: miner
    indicator_types:
      - URL
    tags:
      - OSINT
      - ConfidenceHigh
      - ShareLevelGreen
    description: URL blacklist provided by VXVault
    config:
      source_name: vxvault.URLBL
      attributes:
        type: URL
        confidence: 70
        share_level: green
      ignore_regex: ^(?!http).*$
      url: http://vxvault.net/URL_List.php
      interval: 86400
      age_out:
        default: null
        sudden_death: true
    class: minemeld.ft.http.HttpFT

/prototypes/malwaredomainlist.yml:
--------------------------------------------------------------------------------
description: Malware Domain List is a non-commercial community project.
url: https://www.malwaredomainlist.com/

prototypes:
  ip:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - OSINT
      - ShareLevelGreen
      - ConfidenceHigh
    description: list of active IP addresses
    config:
      source_name: malwaredomainlist.ip
      attributes:
        type: IPv4
        direction: outbound
        share_level: green
        confidence: 50
      url: http://www.malwaredomainlist.com/hostslist/ip.txt
    class: minemeld.ft.http.HttpFT

/prototypes/binarydefense.yml:
--------------------------------------------------------------------------------
author: abodart
url: https://www.binarydefense.com/
description: >
  Binary Defense Systems Artillery Threat Intelligence Feed and Banlist Feed

prototypes:
  banlist:
    author: Axel Bodart (ulg.ac.be)
    development_status: STABLE
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - OSINT
      - ConfidenceMedium
      - ShareLevelGreen
    description: The full banlist
    config:
      source_name: binarydefense.banlist
      attributes:
        type: IPv4
        direction: inbound
        confidence: 50
        share_level: green
      ignore_regex: '^#.*'
      url: https://www.binarydefense.com/banlist.txt
    class: minemeld.ft.http.HttpFT

/prototypes/openphish.yml:
--------------------------------------------------------------------------------
url: https://openphish.com/
description: >
  OpenPhish launched in June 2014 as the result of three years of research on
  phishing detection

prototypes:
  feed:
    author: MineMeld Core Team
    development_status: EXPERIMENTAL
    node_type: miner
    indicator_types:
      - URL
    tags:
      - OSINT
      - ShareLevelGreen
      - ConfidenceMedium
    description: The free feed
    config:
      source_name: openphish.feed
      attributes:
        type: URL
        confidence: 50
        share_level: green
      url: https://openphish.com/feed.txt
      interval: 307
      age_out:
        default: 30d
        sudden_death: true
        interval: 131
    class: minemeld.ft.http.HttpFT

/prototypes/virustotal.yml:
--------------------------------------------------------------------------------
url: https://www.virustotal.com
description: >
  VirusTotal is a free service that analyzes suspicious files
  and URLs and facilitates the quick detection of viruses, worms,
  trojans, and all kinds of malware.

prototypes:
  notifications:
    author: MineMeld Core Team
    development_status: EXPERIMENTAL
    node_type: miner
    indicator_types:
      - md5
      - sha256
      - sha1
    tags:
      - ConfidenceHigh
      - ShareLevelRed
    description: >
      Miner for the VirusTotal Intelligence Notifications feed.
    config:
      attributes:
        confidence: 100
        share_level: red
      age_out:
        default: 365d
        sudden_death: false
        interval: 7200
    class: minemeld.ft.vt.Notifications

/.travis.yml:
--------------------------------------------------------------------------------
language: python

before_install:
  - pip install tox

install: true

script:
  - tox
  - if [ -n "$TRAVIS_TAG" ]; then export BUILD_VERSION="$TRAVIS_TAG"; fi
  - if [ -z "$TRAVIS_TAG" ]; then export BUILD_VERSION="$TRAVIS_BUILD_NUMBER"; fi
  - mkdir $BUILD_VERSION
  - mkdir dist
  - cp prototypes/* $BUILD_VERSION
  - tar -cvzf dist/minemeld-prototypes-$BUILD_VERSION.tar.gz $BUILD_VERSION

deploy:
  provider: s3
  access_key_id: "$S3_ACCESS_KEY"
  secret_access_key: "$S3_SECRET_ACCESS_KEY"
  bucket: "minemeld"
  skip_cleanup: true
  local_dir: dist
  acl: public_read
  on:
    tags: true

after_deploy:
  - "export MD5SUM=$(md5sum dist/minemeld-prototypes-$BUILD_VERSION.tar.gz | awk '{ print $1 }')"
  - "export SHA256SUM=$(sha256sum dist/minemeld-prototypes-$BUILD_VERSION.tar.gz | awk '{ print $1 }')"
  - "echo $MD5SUM"
  - "echo $SHA256SUM"

/prototypes/badips.yml:
--------------------------------------------------------------------------------
description: >
  badips.com is a community-based IP blacklist service.
  You can report malicious IPs, and you can download
  blacklists or query our API to find out if an IP is listed.
url: https://www.badips.com

prototypes:
  blocklist_any_3_2weeks:
    author: CERT (uc3m.es)
    development_status: STABLE
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - OSINT
      - ConfidenceMedium
      - ShareLevelGreen
    description: >
      blocklist with IPs of the last 2 weeks, any category, score > 3
    class: minemeld.ft.http.HttpFT
    config:
      source_name: badips.any_3
      url: https://www.badips.com/get/list/any/3?age=2w
      user_agent: MineMeld
      attributes:
        type: IPv4
        direction: inbound
        share_level: green
        confidence: 50

/prototypes/alienvault.yml:
--------------------------------------------------------------------------------
description: >
  Open Source AlienVault Reputation Data.
url: http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/download-ip-reputation-database/

prototypes:
  reputation:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types: [ IPv4 ]
    tags:
      - OSINT
      - ShareLevelGreen
    description: this just catches everything
    class: minemeld.ft.csv.CSVFT
    config:
      url: http://reputation.alienvault.com/reputation.data
      fieldnames:
        - indicator
        - alienvault_reliability
        - alienvault_risk
        - alienvault_type
      delimiter: '#'
      attributes:
        type: IPv4
        confidence: 80
        share_level: green
      source_name: alienvault.reputation
      interval: 3600

/prototypes/virbl.yml:
--------------------------------------------------------------------------------
url: http://virbl.org/
description: >
  Virbl is a project whose idea was born during the RIPE-48 meeting.
  The plan was to get reports from virus-scanning mail servers and put the
  IP addresses that were reported to send viruses on a blacklist.

prototypes:
  bl:
    author: MineMeld Core Team
    development_status: DEPRECATED
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - ConfidenceHigh
      - OSINT
      - ShareLevelGreen
      - Deprecated
    class: minemeld.ft.http.HttpFT
    description: virbl IP blocklist
    config:
      source_name: virbl.bl
      attributes:
        application: smtp
        direction: inbound
        type: IPv4
        confidence: 80
        share_level: green
      ignore_regex: '^Export'
      url: https://minemeld-updates.panw.io/deprecated-feed.txt

/prototypes/urlhaus.yml:
--------------------------------------------------------------------------------
url: https://urlhaus.abuse.ch/
description: >
  URLhaus is a project operated by abuse.ch. The purpose of the project is to
  collect, track and share malware URLs, helping network administrators and
  security analysts to protect their network and customers from cyber threats.

prototypes:
  URL:
    author: Pansaen Boonyakarn
    development_status: EXPERIMENTAL
    node_type: miner
    indicator_types:
      - URL
    tags:
      - OSINT
      - ConfidenceHigh
      - ShareLevelGreen
    description: A dump of all malware URLs known to URLhaus
    config:
      source_name: urlhaus.URL
      attributes:
        type: URL
        confidence: 100
        share_level: green
      ignore_regex: '^#'
      url: https://urlhaus.abuse.ch/downloads/text/
      interval: 300
      age_out:
        default: null
        sudden_death: true
    class: minemeld.ft.http.HttpFT

/prototypes/fastly.yml:
--------------------------------------------------------------------------------
url: https://www.fastly.com/
description: >
  Fastly’s edge cloud platform enhances web and mobile delivery by accelerating
  dynamic assets and caching unpredictably changing content. Its CDN transforms
  and serves images faster from the edge, reducing origin traffic and saving on
  infrastructure and egress costs.

prototypes:
  ipv4:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    class: minemeld.ft.json.SimpleJSON
    config:
      age_out:
        default: null
        interval: 257
        sudden_death: true
      attributes:
        confidence: 100
        share_level: green
        type: IPv4
      extractor: addresses[].{ip_prefix:@}
      indicator: ip_prefix
      source_name: fastly
      url: https://api.fastly.com/public-ip-list
    description: all Fastly ranges
    indicator_types:
      - IPv4
    tags:
      - ConfidenceHigh
      - ShareLevelGreen

/prototypes/greensnow.yml:
--------------------------------------------------------------------------------
url: https://greensnow.co/
description: >
  GreenSnow is a team consisting of the best specialists in computer security;
  we harvest a large number of IPs from different computers located around the
  world. GreenSnow is comparable with SpamHaus.org for attacks of any kind
  except for spam. Our list is updated automatically, and you can withdraw your
  IP address at any time if it has been listed.

prototypes:
  IP:
    author: Pansaen Boonyakarn
    development_status: EXPERIMENTAL
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - OSINT
      - ConfidenceHigh
      - ShareLevelGreen
    description: Brute-force attacks that are monitored are port scans, FTP, POP3, mod_security, IMAP, SMTP, SSH and cPanel.
    config:
      source_name: GreenSnow.IP
      attributes:
        type: IPv4
        direction: inbound
        confidence: 70
        share_level: green
      url: http://blocklist.greensnow.co/greensnow.txt
      interval: 300
      age_out:
        default: null
        sudden_death: true
    class: minemeld.ft.http.HttpFT

/prototypes/autofocus.yml:
--------------------------------------------------------------------------------
url: https://autofocus.paloaltonetworks.com/
description: >
  AutoFocus re-imagines threat intelligence, allowing you to
  protect your organization from unique and targeted threats
  in a simpler, more effective way. AutoFocus prioritizes the
  most critical threats targeting your network, adds context,
  and enables you to take decisive action.

prototypes:
  exportList:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - IPv4
      - URL
      - domain
    tags:
      - ConfidenceMedium
      - ShareLevelRed
    description: >
      Miner for AutoFocus Export List. You need a valid AutoFocus API Key
      to use this Miner. Types of indicators: IPv4, URL, domain.
    config:
      attributes:
        confidence: 70
        share_level: red
      age_out:
        default: null
        sudden_death: true
        interval: 677
    class: minemeld.ft.autofocus.ExportList

/prototypes/cif.yml:
--------------------------------------------------------------------------------
url: http://csirtgadgets.org/collective-intelligence-framework/
description: >
  CIF allows you to combine known malicious threat information
  from many sources and use that information for identification
  (incident response), detection (IDS) and mitigation (null route).
  The most common types of threat intelligence warehoused in CIF
  are IP addresses, domains and URLs that are observed to be
  related to malicious activity.

prototypes:
  Feed:
    author: MineMeld Core Team
    development_status: EXPERIMENTAL
    node_type: miner
    indicator_types:
      - IPv4
      - IPv6
      - domain
      - URL
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
      - ConfidenceMedium
      - ConfidenceLow
    description: >
      Miner for the CIF API. Based on the CIF SDK
      https://github.com/csirtgadgets/cif-sdk-py
    class: minemeld.ft.cif.Feed
    config:
      age_out:
        default: last_seen+30d
        sudden_death: false
        interval: 3307
      attributes:
        share_level: green

/prototypes/anomali.yml:
--------------------------------------------------------------------------------
url: https://www.anomali.com/
description: >
  Anomali delivers earlier detection and identification of adversaries
  in your organization's network by making it possible to correlate
  tens of millions of threat indicators against your real-time network
  activity logs and up to a year or more of forensic log data.
  Anomali’s approach enables detection at every point along the kill
  chain, making it possible to mitigate threats before material damage
  to your organization has occurred.

prototypes:
  opticAPI:
    author: MineMeld Core Team
    development_status: EXPERIMENTAL
    node_type: miner
    indicator_types: [ domain, URL, IPv4, IPv6 ]
    tags:
      - ConfidenceHigh
      - ConfidenceLow
      - ConfidenceMedium
      - ShareLevelRed
    description: >
      Miner for the Anomali Optic API. You need a valid Optic API Key
      to use this Miner.
    class: minemeld.ft.anomali.Intelligence
    config:
      age_out:
        default: 90d
        sudden_death: true
        interval: 3307
      attributes:
        share_level: red
        confidence: 30

/prototypes/blocklist_net_ua.yml:
--------------------------------------------------------------------------------
description: >
  The BlockList project was created as protection against the negative
  influence of harmful and potentially dangerous events on the Internet.
  First of all, this service helps internet and hosting providers protect
  subscribers' sites from being hacked. BlockList helps stop large amounts
  of spam from dubious SMTP relays and brute-force password attempts
  against servers and network equipment.
url: https://blocklist.net.ua

prototypes:
  ipset:
    author: MineMeld Core Team
    development_status: EXPERIMENTAL
    node_type: miner
    indicator_types:
      - IPv4
      - IPv6
    tags:
      - ConfidenceLow
      - ShareLevelGreen
    description: >
      Active IPs of brute forcers and spammers
    class: minemeld.ft.csv.CSVFT
    config:
      url: https://blocklist.net.ua/blocklist.csv
      fieldnames:
        - indicator
        - blocklist_net_ua_ban_date
        - blocklist_net_ua_unban_date
        - blocklist_net_ua_reason
      delimiter: ';'
      ignore_regex: '^IP.*'

/prototypes/tor.yml:
--------------------------------------------------------------------------------
url: https://www.torproject.org/
description: >
  Tor is free software and an open network that helps you defend
  against traffic analysis, a form of network surveillance that
  threatens personal freedom and privacy, confidential business
  activities and relationships, and state security.

prototypes:
  exit_addresses:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - ConfidenceHigh
      - ShareLevelGreen
    description: Tor Exit addresses
    class: minemeld.ft.http.HttpFT
    config:
      source_name: tor.exit_addresses
      interval: 3307
      url: https://check.torproject.org/exit-addresses
      age_out:
        default: null
        sudden_death: true
        interval: 631
      ignore_regex: "^LastStatus|^ExitNode|^Published"
      indicator:
        regex: '^ExitAddress\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s.*'
        transform: '\1'
      attributes:
        type: IPv4
        confidence: 100
        share_level: green
        direction: inbound

/prototypes/themediatrust.yml:
--------------------------------------------------------------------------------
url: https://www.themediatrust.com/digital-threat-intelligence.php
description: >
  Digital Threat Intelligence (DTI) from The Media Trust provides real-time,
  actionable intelligence that is 100% derived from The Media Trust's
  continuous, 24/7 monitoring of websites, mobile apps and digital
  advertising across a variety of online and mobile browser/OS, device,
  geography and user profile combinations. DTI delivers real-time qualitative
  and quantitative information on actual malware attacking the most
  heavily-trafficked websites visited by employees and everyday consumers.

prototypes:
  DTIAPI:
    author: MineMeld Core Team
    development_status: EXPERIMENTAL
    node_type: miner
    indicator_types:
      - domain
      - IPv4
    tags:
      - ShareLevelRed
      - ConfidenceMedium
    description: >
      Miner for The Media Trust DTI API. You need a valid TMT DTI API
      Key to use this Miner.
    class: minemeld.ft.tmt.DTIAPI
    config:
      age_out:
        default: last_seen+30d
        sudden_death: false
        interval: 3307
      attributes:
        share_level: red
        confidence: 70

/prototypes/google.yml:
--------------------------------------------------------------------------------
url: 'https://www.google.com'
description: >
  Miners for retrieving Google net blocks for different services

prototypes:
  netBlocks:
    author: MineMeld Core Team
    development_status: EXPERIMENTAL
    node_type: miner
    indicator_types:
      - IPv4
      - IPv6
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Net blocks of Google services
    class: minemeld.ft.google.GoogleNetBlocks
    config:
      age_out:
        default: null
        sudden_death: true
        interval: 257
      attributes:
        share_level: green
  GCENetBlocks:
    author: MineMeld Core Team
    development_status: EXPERIMENTAL
    node_type: miner
    indicator_types:
      - IPv4
      - IPv6
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Net blocks of GCE
    class: minemeld.ft.google.GoogleCloudNetBlocks
    config:
      age_out:
        default: null
        sudden_death: true
        interval: 257
      attributes:
        share_level: green

/prototypes/ciscoise.yml:
--------------------------------------------------------------------------------
url: http://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html
description: >
  Cisco Identity Services Engine (ISE) allows you to see and control
  users and devices connecting to the corporate network.

prototypes:
  ers_sgt:
    author: MineMeld Core Team
    development_status: DEPRECATED
    node_type: miner
    indicator_types:
      - IPv4
      - IPv6
    tags:
      - ConfidenceHigh
      - ShareLevelRed
    description: >
      IP to SGT (Security Group Tag) mappings from ISE using the ERS (External
      RESTful Services) API.
    class: minemeld.ft.ciscoise.ErsSgt
    config:
      username: ers-operator
      verify_cert: false
      interval: 300
      attributes:
        confidence: 100
        share_level: red
      age_out:
        default: null
        sudden_death: true
        interval: null

  sgt_dag:
    author: MineMeld Core Team
    development_status: DEPRECATED
    node_type: output
    indicator_types:
      - IPv4
      - IPv6
    tags: []
    description: >
      Push IP to SGT mappings to PAN-OS devices via DAG.
    class: minemeld.ft.dag.DagPusher
    config:
      persistent_registered_ips: false
      tag_attributes:
        - ise_sgt

/prototypes/surbl.yml:
--------------------------------------------------------------------------------
description: >
  SURBLs are lists of web sites that have appeared in unsolicited messages.
  Unlike most lists, SURBLs are not lists of message senders.
url: http://www.surbl.org/

prototypes:
  ThreeLevelTLDS:
    author: MineMeld Core Team
    class: minemeld.ft.http.HttpFT
    config:
      attributes:
        confidence: 100
        share_level: green
        type: domain
      source_name: surbl.tlds.three_level
      url: http://www.surbl.org/static/three-level-tlds
    description: SURBLs are lists of web sites that have appeared in unsolicited messages. Unlike most lists, SURBLs are not lists of message senders
    development_status: EXPERIMENTAL
    indicator_types:
      - domain
    node_type: miner
    tags:
      - SURBL
  Two_Level_TLDS:
    author: MineMeld Core Team
    class: minemeld.ft.http.HttpFT
    config:
      attributes:
        confidence: 100
        share_level: green
        type: domain
      source_name: surbl.tlds.two_level
      url: http://www.surbl.org/static/two-level-tlds
    description: SURBLs are lists of web sites that have appeared in unsolicited messages. Unlike most lists, SURBLs are not lists of message senders
    development_status: EXPERIMENTAL
    indicator_types:
      - domain
    node_type: miner
    tags:
      - SURBL

/prototypes/bruteforceblocker.yml:
--------------------------------------------------------------------------------
url: http://danger.rulez.sk/index.php/bruteforceblocker/
description: >
  BruteForceBlocker is a Perl script that works along with pf, the
  firewall developed by the OpenBSD team (also available on FreeBSD
  since version 5.2). Since BruteForceBlocker 1.2 it is also possible
  to report blocked IPs to the project site and share your information
  with other users.

prototypes:
  blist:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - OSINT
      - ConfidenceMedium
      - ShareLevelGreen
    class: minemeld.ft.http.HttpFT
    description: IP blocklist
    config:
      url: http://danger.rulez.sk/projects/bruteforceblocker/blist.php
      source_name: bruteforceblocker.blist
      indicator:
        regex: '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
      ignore_regex: '^#.*'
      attributes:
        type: IPv4
        direction: inbound
        share_level: green
        confidence: 50
      fields:
        bruteforceblocker_count:
          regex: '^[0-9\.]+\s+[^\t]+\s+([0-9]+)'
          transform: '\1'
        bruteforceblocker_last_reported:
          regex: '^[0-9\.]+\s+#\s+([^\t]+)'
          transform: '\1'

/prototypes/malc0de.yml:
--------------------------------------------------------------------------------
url: http://malc0de.com/bl/
description: >
  IP blacklist from the malc0de DNS Sinkhole

prototypes:
  IP:
    author: Pansaen Boonyakarn
    development_status: EXPERIMENTAL
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - OSINT
      - ConfidenceHigh
      - ShareLevelGreen
    description: The files below will be updated daily with domains that have been identified distributing malware during the past 30 days.
    config:
      source_name: malc0de.IP
      attributes:
        type: IPv4
        direction: inbound
        confidence: 70
        share_level: green
      ignore_regex: '[//S].*'
      url: http://malc0de.com/bl/IP_Blacklist.txt
      interval: 300
      age_out:
        default: null
        sudden_death: true
    class: minemeld.ft.http.HttpFT
  DOMAINS:
    author: Pansaen Boonyakarn
    development_status: EXPERIMENTAL
    node_type: miner
    indicator_types:
      - domain
    tags:
      - OSINT
      - ConfidenceHigh
      - ShareLevelGreen
    description: This file will be automatically updated daily and populated with the last 30 days of malicious domains.
    config:
      source_name: malc0de.DOMAINS
      attributes:
        type: domain
        confidence: 70
        share_level: green
      ignore_regex: '[//S].*'
      indicator:
        regex: '(?<=PRIMARY\s).*(?= blockeddomain\.hosts)'
      url: http://malc0de.com/bl/BOOT
      interval: 300
      age_out:
        default: null
        sudden_death: true
    class: minemeld.ft.http.HttpFT

/tests/test_prototypes.py:
--------------------------------------------------------------------------------
import os
import logging

import yaml


LOG = logging.getLogger(__name__)


def _check_library(l):
    """Load one prototype library file and assert the fields every library
    and every prototype in it must carry."""
    LOG.debug('checking library %s', l)

    with open(l, 'r') as f:
        library = yaml.safe_load(f)

    assert 'description' in library, "No description field in %s" % l
    assert 'url' in library, "No url field in %s" % l
    assert 'prototypes' in library, "No prototypes field in %s" % l

    # .items() works on both Python 2 (the tox target) and Python 3
    for p, prototype in library['prototypes'].items():
        LOG.debug('checking prototype %s', p)
        assert 'development_status' in prototype, "No development_status field in %s::%s" % (l, p)
        assert 'author' in prototype, "No author field in %s::%s" % (l, p)
        assert 'description' in prototype, "No description field in %s::%s" % (l, p)
        assert 'class' in prototype, "No class field in %s::%s" % (l, p)
        assert 'config' in prototype, "No config field in %s::%s" % (l, p)
        assert 'node_type' in prototype, "No node_type field in %s::%s" % (l, p)
        assert 'tags' in prototype, "No tags field in %s::%s" % (l, p)
        assert isinstance(prototype['tags'], list), "Wrong type for attribute tags in %s::%s" % (l, p)
        assert 'indicator_types' in prototype, "No indicator_types field in %s::%s" % (l, p)
        assert isinstance(prototype['indicator_types'], list), "Wrong type for attribute indicator_types in %s::%s" % (l, p)
        assert len(prototype['indicator_types']), "0 indicator_types in %s::%s" % (l, p)


def test_prototypes():
    # nose-style generator test: one _check_library call per library file
    libraries = [os.path.join('prototypes', x) for x in os.listdir('prototypes')]

    for l in libraries:
        yield _check_library, l

/prototypes/blutmagie.yml:
--------------------------------------------------------------------------------
url: https://torstatus.blutmagie.de/
description: >
  Blutmagie has ceased operations.
  Blutmagie monitored the status of the Tor Network

prototypes:
  tor_exit_nodes:
    author: MineMeld Core Team
    development_status: DEPRECATED
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - ConfidenceHigh
      - ShareLevelGreen
    description: DEPRECATED. Tor Exit nodes
    class: minemeld.ft.http.HttpFT
    config:
      source_name: blutmagie.tor_exit_nodes
      interval: 3600
      url: https://minemeld-updates.panw.io/deprecated-feed.txt
      age_out:
        default: null
        sudden_death: true
        interval: 1800
      attributes:
        type: IPv4
        confidence: 100
        share_level: green
  tor_nodes:
    author: MineMeld Core Team
    development_status: DEPRECATED
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - ConfidenceHigh
      - ShareLevelGreen
    description: DEPRECATED. Tor nodes
    class: minemeld.ft.http.HttpFT
    config:
      source_name: blutmagie.tor_nodes
      interval: 3600
      url: https://minemeld-updates.panw.io/deprecated-feed.txt
      age_out:
        default: null
        sudden_death: true
        interval: 1800
      attributes:
        type: IPv4
        confidence: 100
        share_level: green

/prototypes/stix2.yml:
--------------------------------------------------------------------------------
url: https://unit42.paloaltonetworks.com/
description: >
  Miners for STIX 2.0 and 2.1 feeds, including Unit 42 Playbooks

prototypes:
  generic:
    author: Unit 42
    development_status: EXPERIMENTAL
    node_type: miner
    indicator_types:
      - md5
      - sha256
      - sha1
      - IPv4
      - IPv6
      - domain
      - URL
    tags:
      - STIX2
    class: minemeld.ft.taxii2.Taxii2Client
    description: STIX2
    config:
      source_name: stix2.indicators
      auth_type: none
      api_key: ""
      username: ""
      password: ""
      discovery_service: ""
      api_root: ""
      collection: ""
      verify_cert: yes
      enabled: no
      attributes:
        share_level: green
      age_out:
        sudden_death: false
        default: last_seen+30d
  playbooks:
    author: Unit 42
    development_status: EXPERIMENTAL
    node_type: miner
    indicator_types:
      -
md5 44 | - sha256 45 | - sha1 46 | - IPv4 47 | - IPv6 48 | - domain 49 | - URL 50 | tags: 51 | - STIX2 52 | class: minemeld.ft.taxii2.Taxii2Client 53 | description: Unit 42 - Indicators from Playbooks 54 | config: 55 | source_name: unit42.playbooks 56 | auth_type: apikey 57 | api_key: "" 58 | username: "" 59 | password: "" 60 | discovery_service: https://stix2.unit42.org/taxii/ 61 | api_root: playbooks 62 | collection: 5ac266d8-de48-3d6b-83f1-c4e4047d6e44 63 | verify_cert: yes 64 | enabled: no 65 | attributes: 66 | share_level: green 67 | age_out: 68 | sudden_death: false 69 | default: last_seen+30d -------------------------------------------------------------------------------- /prototypes/phishme.yml: -------------------------------------------------------------------------------- 1 | url: https://cofense.com 2 | description: > 3 | Cofense is the leading provider of human-focused phishing defense solutions 4 | for organizations concerned about their susceptibility to today’s top 5 | attack vector — spear phishing. Cofense’s intelligence-driven platform 6 | transforms your response team, security applications, and employees into 7 | a synchronized layer of defense by enabling them to identify and prevent 8 | spear phishing threats. 9 | 10 | prototypes: 11 | Intelligence: 12 | author: MineMeld Core Team 13 | development_status: DEPRECATED 14 | node_type: miner 15 | indicator_types: 16 | - IPv4 17 | - domain 18 | - URL 19 | tags: 20 | - ShareLevelRed 21 | - ConfidenceLow 22 | - ConfidenceMedium 23 | - ConfidenceHigh 24 | description: > 25 | Depreacted. Use cofense.Intelligence instead. 26 | Cofense Intelligence provides accurate and timely alerts so that 27 | you can be ready to take fast action when under attack. Cofense 28 | Analysts and Researchers work to analyze and verify phishing 29 | threats delivering ransomware, key loggers, RATs, and other types 30 | of crimeware. 
This high-fidelity data is delivered in multiple 31 | forms to effectively prepare and respond to attacks. 32 | You need a valid Cofense API key to access this feed. 33 | class: minemeld.ft.phishme.Intelligence 34 | config: 35 | age_out: 36 | default: last_seen+30d 37 | sudden_death: false 38 | attributes: 39 | confidence: 10 40 | share_level: red 41 | initial_interval: 30d 42 | -------------------------------------------------------------------------------- /prototypes/cloudflare.yml: -------------------------------------------------------------------------------- 1 | url: https://www.cloudflare.com 2 | description: > 3 | Cloudflare provides a Content Delivery Network that was designed and built to integrate emerging technologies to 4 | ensure his customers receive the most advanced protocols on the web. They have built a global network designed 5 | to optimize security, performance and reliability, without the bloat of legacy technologies. 6 | 7 | prototypes: 8 | ipv4: 9 | author: MineMeld Core Team 10 | development_status: STABLE 11 | node_type: miner 12 | class: minemeld.ft.http.HttpFT 13 | config: 14 | age_out: 15 | default: null 16 | interval: 257 17 | sudden_death: true 18 | attributes: 19 | confidence: 100 20 | share_level: green 21 | type: IPv4 22 | source_name: cloudflare 23 | url: https://www.cloudflare.com/ips-v4 24 | description: CloudFlare IPv4 ranges 25 | indicator_types: 26 | - IPv4 27 | tags: 28 | - ConfidenceHigh 29 | - ShareLevelGreen 30 | 31 | ipv6: 32 | author: MineMeld Core Team 33 | development_status: STABLE 34 | node_type: miner 35 | class: minemeld.ft.http.HttpFT 36 | config: 37 | age_out: 38 | default: null 39 | interval: 257 40 | sudden_death: true 41 | attributes: 42 | confidence: 100 43 | share_level: green 44 | type: IPv6 45 | source_name: cloudflare 46 | url: https://www.cloudflare.com/ips-v6 47 | description: CloudFlare IPv6 ranges 48 | indicator_types: 49 | - IPv6 50 | tags: 51 | - ConfidenceHigh 52 | - ShareLevelGreen 53 | 
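The checks in tests/test_prototypes.py only verify that the required fields exist. The Python below is an added example, not part of this repository's test suite: a consistency linter that takes the dict yaml.safe_load() returns for one library file and reports mismatches that the prototypes on this page make easy to introduce, such as a ShareLevel* tag that disagrees with attributes.share_level, an attributes.type missing from indicator_types, a regex that does not compile, an age_out.default that is neither null nor the <base>+<n>d form used here, or a prototype still pointing at the deprecated-feed placeholder URL without being marked DEPRECATED. The sample library embedded at the bottom is constructed for the example (its "ipv4" prototype mirrors cloudflare.yml, its "broken" prototype carries deliberate mistakes); the rule set itself is the author's reading of the conventions visible in these files, not a project-defined schema.

```python
"""Consistency linter for MineMeld prototype libraries (added example)."""
import re

REQUIRED_PROTOTYPE_FIELDS = ("author", "development_status", "description", "class",
                             "config", "node_type", "tags", "indicator_types")
STATUSES = ("EXPERIMENTAL", "STABLE", "DEPRECATED")
# ShareLevel* tag -> value expected in config.attributes.share_level (repository convention)
SHARE_LEVEL_TAGS = {"ShareLevelGreen": "green", "ShareLevelAmber": "amber", "ShareLevelRed": "red"}
# age_out.default forms seen in this repository: null, or <base>+<number><unit>
AGE_OUT_DEFAULT = re.compile(r"^(first_seen|last_seen)\+\d+[dhm]$")
# placeholder feed that the DEPRECATED prototypes on this page point to
DEPRECATED_FEED = "https://minemeld-updates.panw.io/deprecated-feed.txt"


def _regexes(config):
    """Yield (label, pattern) for every regex an HttpFT-style config carries."""
    if config.get("ignore_regex") is not None:
        yield "ignore_regex", config["ignore_regex"]
    indicator = config.get("indicator") or {}
    if indicator.get("regex") is not None:
        yield "indicator.regex", indicator["regex"]
    for fname, fcfg in (config.get("fields") or {}).items():
        if (fcfg or {}).get("regex") is not None:
            yield "fields.%s.regex" % fname, fcfg["regex"]


def lint_prototype(name, proto):
    """Return a list of human-readable findings for one prototype (empty = clean)."""
    findings = ["%s: missing field %s" % (name, f) for f in REQUIRED_PROTOTYPE_FIELDS if f not in proto]
    if findings:
        return findings  # structural problems first, as in test_prototypes.py
    if proto["development_status"] not in STATUSES:
        findings.append("%s: unknown development_status %r" % (name, proto["development_status"]))
    config = proto["config"] or {}
    attrs = config.get("attributes") or {}
    types = proto["indicator_types"]
    if not isinstance(types, list) or not types:
        findings.append("%s: indicator_types must be a non-empty list" % name)
    elif attrs.get("type") and types != ["any"] and attrs["type"] not in types:
        findings.append("%s: attributes.type %s not in indicator_types %s" % (name, attrs["type"], types))
    for tag in proto["tags"] or []:
        want = SHARE_LEVEL_TAGS.get(tag)
        if want and attrs.get("share_level") != want:
            findings.append("%s: tag %s but attributes.share_level is %r" % (name, tag, attrs.get("share_level")))
    default = (config.get("age_out") or {}).get("default")
    if default is not None and not AGE_OUT_DEFAULT.match(str(default)):
        findings.append("%s: age_out.default %r is not null or <base>+<n>d" % (name, default))
    for label, pattern in _regexes(config):
        try:
            re.compile(pattern)
        except re.error as exc:
            findings.append("%s: %s does not compile: %s" % (name, label, exc))
    if config.get("url") == DEPRECATED_FEED and proto["development_status"] != "DEPRECATED":
        findings.append("%s: points at the deprecated-feed placeholder but is not DEPRECATED" % name)
    return findings


def lint_library(library):
    """Lint a whole library dict (the result of yaml.safe_load on one .yml file)."""
    findings = ["missing top-level field %s" % k for k in ("description", "url", "prototypes") if k not in library]
    for name, proto in (library.get("prototypes") or {}).items():
        findings.extend(lint_prototype(name, proto))
    return findings


# Constructed sample library: "ipv4" mirrors cloudflare.yml, "broken" is deliberately wrong.
SAMPLE_LIBRARY = {
    "url": "https://www.cloudflare.com",
    "description": "constructed sample library",
    "prototypes": {
        "ipv4": {
            "author": "MineMeld Core Team", "development_status": "STABLE", "node_type": "miner",
            "class": "minemeld.ft.http.HttpFT", "description": "CloudFlare IPv4 ranges",
            "indicator_types": ["IPv4"], "tags": ["ConfidenceHigh", "ShareLevelGreen"],
            "config": {
                "age_out": {"default": None, "interval": 257, "sudden_death": True},
                "attributes": {"confidence": 100, "share_level": "green", "type": "IPv4"},
                "source_name": "cloudflare", "url": "https://www.cloudflare.com/ips-v4",
            },
        },
        "broken": {
            "author": "example", "development_status": "STABLE", "node_type": "miner",
            "class": "minemeld.ft.http.HttpFT", "description": "constructed prototype with mistakes",
            "indicator_types": ["IPv4"], "tags": ["ConfidenceHigh", "ShareLevelGreen"],
            "config": {
                "url": DEPRECATED_FEED,                      # placeholder feed, but status is STABLE
                "ignore_regex": "[//S].*",                   # compiles (matches lines starting with / or S)
                "indicator": {"regex": "^(["},               # unterminated character set
                "attributes": {"type": "domain", "share_level": "red", "confidence": 100},
                "age_out": {"default": "30 days", "sudden_death": False},
            },
        },
    },
}

if __name__ == "__main__":
    for finding in lint_library(SAMPLE_LIBRARY):
        print(finding)
```

Run it as a script to see the five findings for the "broken" prototype; wired into the nose generator in tests/test_prototypes.py it would fail a library on the first non-empty list of findings.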
--------------------------------------------------------------------------------
/prototypes/threatconnect.yml:
--------------------------------------------------------------------------------
url: https://threatconnect.com/
description: >
    ThreatConnect provides Threat Intelligence, Analytics, and Orchestration in One Platform

prototypes:
    Indicators:
        author: Palo Alto Networks TBD
        class: minemeld.ft.threatconnect.IndicatorsMiner
        development_status: EXPERIMENTAL
        node_type: miner
        indicator_types:
            - any
        tags:
            - extension
            - threatconnect
        description: >
            Prototype for threatconnect.IndicatorsMiner.
        config:
            owner: null
            initial_interval: 60
            sandbox: false
            interval: 3600
            # age out of indicators
            age_out:
                sudden_death: false
                interval: 3600
                default: last_seen+60d
            # flag indicators with share level green
            attributes:
                share_level: green
    Groups:
        author: Palo Alto Networks TBD
        class: minemeld.ft.threatconnect.GroupsMiner
        development_status: EXPERIMENTAL
        node_type: miner
        indicator_types:
            - any
        tags:
            - extension
            - threatconnect
        description: >
            Example prototype for threatconnect GroupsMiner. Not valid for cloning. Groups must be defined in a new prototype.
        config:
            owner: null
            groups:
                incidents:
                    -
                    -
                campaigns:
                adversaries:
                documents:
                emails:
                signatures:
                threats:
            sandbox: false
            interval: 3600
            # age out of indicators
            age_out:
                sudden_death: true
                interval: 3600
                default: null
            # flag indicators with share level green
            attributes:
                share_level: green

--------------------------------------------------------------------------------
/prototypes/proofpoint.yml:
--------------------------------------------------------------------------------
description: >
    Proofpoint ET Intelligence: actionable threat intelligence with
    global context, to identify the source and type of malicious activity
    on hundreds of thousands of malicious IP addresses and domains.
    Updated hourly.
url: https://www.proofpoint.com/us/threat-intelligence-overview

prototypes:
    EmergingThreatsIPs:
        author: MineMeld Core Team
        development_status: STABLE
        node_type: miner
        indicator_types:
            - IPv4
            - IPv6
        tags:
            - ConfidenceMedium
            - ShareLevelRed
        description: >
            Detailed feed of IPs classified in different categories.
            You need a valid authorization code from Proofpoint ET
            to access this feed.
        class: minemeld.ft.proofpoint.EmergingThreatsIP
        config:
            interval: 1861
            age_out:
                default: null
                sudden_death: true
                interval: 919
            attributes:
                share_level: red
                confidence: 70

    EmergingThreatsDomains:
        author: MineMeld Core Team
        development_status: STABLE
        node_type: miner
        indicator_types:
            - domain
        tags:
            - ConfidenceHigh
            - ShareLevelRed
        description: >
            Detailed feed of domains classified in different categories.
            You need a valid authorization code from Proofpoint ET
            to access this feed.
        class: minemeld.ft.proofpoint.EmergingThreatsDomain
        config:
            interval: 1861
            age_out:
                default: null
                sudden_death: true
                interval: 919
            attributes:
                share_level: red
                confidence: 80

--------------------------------------------------------------------------------
/prototypes/ETOpen.yml:
--------------------------------------------------------------------------------
description: >
    Emerging Threats Open rulesets
url: http://doc.emergingthreats.net

prototypes:
    compromisedIPs:
        author: Víctor Barahona (uam.es)
        development_status: STABLE
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - ConfidenceMedium
            - ShareLevelGreen
            - OSINT
        description: >
            This ruleset is compiled from a number of sources. Its contents
            are hosts that are known to be compromised by bots, phishing sites,
            etc, or known to be spewing hostile traffic. These are not your
            everyday infected hosts sending a bit of spam; these are
            significantly infected and hostile hosts.
        config:
            source_name: ET.compromised_ips
            url: https://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt
            attributes:
                type: IPv4
                direction: inbound
                share_level: green
                confidence: 50
        class: minemeld.ft.http.HttpFT
    blockIPs:
        author: Gregory Roehl (paloaltonetworks.com)
        development_status: STABLE
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - ConfidenceMedium
            - ShareLevelGreen
            - OSINT
        description: >
            Raw IPs for the firewall block lists. These come from
            Spam nets identified by Spamhaus (www.spamhaus.org), Top
            Attackers listed by DShield (www.dshield.org), Abuse.ch.
        config:
            source_name: ET.block_ips
            attributes:
                type: IPv4
                share_level: green
                confidence: 50
            url: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
            ignore_regex: ^#
        class: minemeld.ft.http.HttpFT

--------------------------------------------------------------------------------
/prototypes/dshield.yml:
--------------------------------------------------------------------------------
url: https://www.dshield.org/xml.html
description: >
    The ISC uses the DShield distributed intrusion detection system for
    data collection and analysis. DShield collects data about malicious
    activity from across the Internet. This data is cataloged and summarized
    and can be used to discover trends in activity, confirm widespread
    attacks, or assist in preparing better firewall rules.

prototypes:
    block:
        author: MineMeld Core Team
        development_status: STABLE
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ShareLevelGreen
            - ConfidenceHigh
        description: suggested block list
        class: minemeld.ft.http.HttpFT
        config:
            source_name: dshield.block
            interval: 619
            url: https://www.dshield.org/block.txt
            age_out:
                default: null
                sudden_death: true
                interval: 257
            ignore_regex: "[#S].*"
            indicator:
                regex: '^([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\t([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})'
                transform: '\1-\2'
            attributes:
                type: IPv4
                confidence: 100
                share_level: green
                direction: inbound
            fields:
                dshield_nattacks:
                    regex: '^.*\t.*\t[0-9]+\t([0-9]+)'
                    transform: '\1'
                dshield_name:
                    regex: '^.*\t.*\t[0-9]+\t[0-9]+\t([^\t]+)'
                    transform: '\1'
                dshield_country:
                    regex: '^.*\t.*\t[0-9]+\t[0-9]+\t[^\t]+\t([A-Z]+)'
                    transform: '\1'
                dshield_email:
                    regex: '^.*\t.*\t[0-9]+\t[0-9]+\t[^\t]+\t[A-Z]+\t(\S+)'
                    transform: '\1'

--------------------------------------------------------------------------------
/prototypes/nothink.yml:
--------------------------------------------------------------------------------
url: http://www.nothink.org/
description: SNMP, SSH, Telnet Blacklisted IPs from Matteo Cantoni Honeypots

prototypes:
    SNMP_IPBL:
        author: Pansaen Boonyakarn
        development_status: EXPERIMENTAL
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceHigh
            - ShareLevelGreen
        description: SNMP blacklist provided by nothink.org
        config:
            source_name: NoThink.SNMP_IPBL
            attributes:
                type: IPv4
                direction: inbound
                confidence: 70
                share_level: green
            ignore_regex: '^#'
            url: http://www.nothink.org/blacklist/blacklist_snmp_day.txt
            interval: 86400
            age_out:
                default: null
                sudden_death: true
        class: minemeld.ft.http.HttpFT
    SSH_IPBL:
        author: Pansaen Boonyakarn
        development_status: EXPERIMENTAL
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceHigh
            - ShareLevelGreen
        description: SSH blacklist provided by nothink.org
        config:
            source_name: NoThink.SSH_IPBL
            attributes:
                type: IPv4
                direction: inbound
                confidence: 70
                share_level: green
            ignore_regex: '^#'
            url: http://www.nothink.org/blacklist/blacklist_ssh_day.txt
            interval: 86400
            age_out:
                default: null
                sudden_death: true
        class: minemeld.ft.http.HttpFT
    Telnet_IPBL:
        author: Pansaen Boonyakarn
        development_status: EXPERIMENTAL
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceHigh
            - ShareLevelGreen
        description: Telnet blacklist provided by nothink.org
        config:
            source_name: NoThink.Telnet_IPBl
            attributes:
                type: IPv4
                direction: inbound
                confidence: 70
                share_level: green
            ignore_regex: '^#'
            url: http://www.nothink.org/blacklist/blacklist_telnet_day.txt
            interval: 86400
            age_out:
                default: null
                sudden_death: true
        class: minemeld.ft.http.HttpFT

--------------------------------------------------------------------------------
/prototypes/zeustracker.yml:
--------------------------------------------------------------------------------
url: https://zeustracker.abuse.ch/
description: >
    Zeus Tracker has ceased operations on Jul 8th 2019.
    ZeuS Tracker tracks ZeuS Command&Control servers (hosts) around the world and
    provides you with a domain and an IP blocklist

prototypes:
    baddomains:
        author: MineMeld Core Team
        development_status: DEPRECATED
        description: >
            DEPRECATED.
            If you want to block domain names used by the ZeuS trojan, you
            should use this list. The ZeuS domain blocklist is
            the recommended blocklist if you want to block only ZeuS domain names.
            It excludes domain names that ZeuS Tracker believes to be hijacked
            (level 2). Hence the false positive rate should be much lower compared
            to the standard ZeuS domain blocklist.
        node_type: miner
        indicator_types:
            - domain
        tags:
            - OSINT
            - ConfidenceHigh
            - ShareLevelGreen
        config:
            source_name: zeustracker.baddomains
            attributes:
                type: domain
                confidence: 100
                share_level: green
            ignore_regex: '^#'
            url: https://minemeld-updates.panw.io/deprecated-feed.txt
            interval: 1800
        class: minemeld.ft.http.HttpFT
    badips:
        author: MineMeld Core Team
        development_status: DEPRECATED
        description: >
            DEPRECATED.
            This blocklist only includes IPv4 addresses that are used by the ZeuS
            trojan. It is the recommended blocklist if you want to block only ZeuS IPs.
            It excludes IP addresses that ZeuS Tracker believes to be hijacked
            (level 2) or belong to a free web hosting provider (level 3). Hence the
            false positive rate should be much lower compared to the standard ZeuS IP
            blocklist (see below).
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceHigh
            - ShareLevelGreen
            - DirectionOutbound
        config:
            source_name: zeustracker.badips
            attributes:
                type: IPv4
                direction: outbound
                confidence: 100
                share_level: green
            ignore_regex: '#'
            url: https://minemeld-updates.panw.io/deprecated-feed.txt
            interval: 1800
        class: minemeld.ft.http.HttpFT

--------------------------------------------------------------------------------
/prototypes/dhs.yml:
--------------------------------------------------------------------------------
url: https://taxii.dhs.gov/
description: >
    DHS information sharing is essential to the protection of critical infrastructure
    and to furthering cybersecurity for the nation. Threat intelligence feeds are
    shared in the STIX format.

prototypes:
    AIS:
        author: Unit 42
        development_status: EXPERIMENTAL
        description: >
            AIS is a part of DHS's effort to create an ecosystem
            where as soon as a company or federal agency observes an attempted
            compromise, the indicator will be shared in real time with all of our partners,
            protecting them from that particular threat.
        node_type: miner
        indicator_types:
            - any
        tags:
            - AIS
            - DHS
        class: minemeld.ft.taxii.TaxiiClient
        config:
            source_name: dhs.AIS
            collection: AIS
            prefix: AIS
            subscription_id_required: true
            discovery_service: https://taxii.dhs.gov:8443/flare/taxii11/discovery
            client_cert_required: true
            client_credentials_required: false
            lower_timestamp_precision: true
            attributes:
                confidence: 30
                share_level: red
            age_out:
                default: last_seen+30d
                sudden_death: false

    CISCP:
        author: Unit 42
        development_status: EXPERIMENTAL
        description: >
            DHS's National Cybersecurity and Communications Integration Center (NCCIC)
            serves as the hub of information sharing activities for the Department to increase
            awareness of vulnerabilities, incidents, and mitigations.
        node_type: miner
        indicator_types:
            - any
        tags:
            - CISCP
            - DHS
        class: minemeld.ft.taxii.TaxiiClient
        config:
            source_name: dhs.CISCP
            collection: CISCP
            prefix: CISCP
            subscription_id_required: true
            discovery_service: https://taxii.dhs.gov:8443/flare/taxii11/discovery
            client_cert_required: true
            client_credentials_required: false
            lower_timestamp_precision: true
            attributes:
                confidence: 30
                share_level: red
            age_out:
                default: last_seen+30d
                sudden_death: false

--------------------------------------------------------------------------------
/prototypes/cofense.yml:
--------------------------------------------------------------------------------
url: https://cofense.com
description: >
    Cofense is the leading provider of human-focused phishing defense solutions
    for organizations concerned about their susceptibility to today’s top
    attack vector — spear phishing. Cofense’s intelligence-driven platform
    transforms your response team, security applications, and employees into
    a synchronized layer of defense by enabling them to identify and prevent
    spear phishing threats.

prototypes:
    Intelligence:
        author: MineMeld Core Team
        development_status: STABLE
        node_type: miner
        indicator_types:
            - IPv4
            - domain
            - URL
        tags:
            - ShareLevelRed
            - ConfidenceLow
            - ConfidenceMedium
            - ConfidenceHigh
        description: >
            Cofense Intelligence provides accurate and timely alerts so that
            you can be ready to take fast action when under attack. Cofense
            Analysts and Researchers work to analyze and verify phishing
            threats delivering ransomware, key loggers, RATs, and other types
            of crimeware. This high-fidelity data is delivered in multiple
            forms to effectively prepare and respond to attacks.
            You need a valid Cofense API key to access this feed.
        class: minemeld.ft.phishme.Intelligence
        config:
            age_out:
                default: last_seen+30d
                sudden_death: false
            attributes:
                confidence: 10
                share_level: red
            initial_interval: 30d
    Triage:
        author: MineMeld Core Team
        development_status: STABLE
        node_type: miner
        indicator_types:
            - any
        tags:
            - ShareLevelRed
            - ConfidenceLow
            - ConfidenceMedium
            - ConfidenceHigh
        description: >
            Cofense Triage™ accelerates phishing qualification, investigation,
            and response by cutting through the noise automatically and surfacing
            the real threats faster, protecting your organization from the risk
            of compromise.
        class: minemeld.ft.cofense.Triage
        config:
            age_out:
                default: last_seen+30d
                sudden_death: false
            attributes:
                confidence: 10
                share_level: red
            initial_interval: 30d

--------------------------------------------------------------------------------
/prototypes/itcertpa.yml:
--------------------------------------------------------------------------------
url: https://infosec.cert-pa.it/
description: >
    Infosec feeds from the Italian CERT-PA, Computer Emergency Response Team - Public Administration
    Implemented prototypes:
    - itcertpa.IP: IP addresses (/32)
    - itcertpa.DOMAINS: domains
    - itcertpa.URLS: URLs

prototypes:
    IP:
        author: Giovanni Mellini
        development_status: STABLE
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - ConfidenceHigh
            - ShareLevelGreen
        description: Italian CERT-PA Infosec IP hosts indicators
        config:
            source_name: itcertpa.IP
            attributes:
                type: IPv4
                direction: inbound
                confidence: 80
                share_level: green
            ignore_regex: '^#.*'
            indicator:
                regex: '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'
            url: https://infosec.cert-pa.it/analyze/listip.txt
            age_out:
                default: null
                sudden_death: true
                interval: 600
        class: minemeld.ft.http.HttpFT

    DOMAINS:
        author: Giovanni Mellini
        development_status: STABLE
        node_type: miner
        indicator_types:
            - domain
        tags:
            - ConfidenceHigh
            - ShareLevelGreen
        description: Italian CERT-PA Infosec DOMAINS indicators
        config:
            source_name: itcertpa.DOMAINS
            attributes:
                type: domain
                direction: inbound
                confidence: 80
                share_level: green
            ignore_regex: '^#.*'
            indicator:
                regex: '^.*'
            url: https://infosec.cert-pa.it/analyze/listdomains.txt
            age_out:
                default: null
                sudden_death: true
                interval: 600
        class: minemeld.ft.http.HttpFT

    URLS:
        author: Giovanni Mellini
        development_status: STABLE
        node_type: miner
        indicator_types:
            - URL
        tags:
            - ConfidenceHigh
            - ShareLevelGreen
        description: Italian CERT-PA Infosec URLS indicators
        config:
            source_name: itcertpa.URLS
            attributes:
                type: URL
                direction: inbound
                confidence: 80
                share_level: green
            ignore_regex: '^#.*'
            indicator:
                regex: '^http.*'
            url: https://infosec.cert-pa.it/analyze/listurls.txt
            age_out:
                default: null
                sudden_death: true
                interval: 600
        class: minemeld.ft.http.HttpFT

--------------------------------------------------------------------------------
/prototypes/threatq.yml:
--------------------------------------------------------------------------------
description: >
    ThreatQ - The only Threat Intelligence Platform (TIP) that
    centrally manages and correlates external sources with internal
    security and analytics solutions for contextual intelligence in a
    single pane of glass.
url: https://www.threatq.com

prototypes:
    exportHC:
        author: MineMeld Core Team
        development_status: EXPERIMENTAL
        node_type: miner
        indicator_types:
            - IPv4
            - IPv6
            - domain
            - URL
        tags:
            - ShareLevelAmber
            - ConfidenceHigh
        description: >
            Miner for Threatq Export API. This prototype sets confidence
            of produced indicators to 100 (High Confidence).
            You need an installation of ThreatQ to use this Miner.
        class: minemeld.ft.threatq.Export
        config:
            source_name: threatq.export
            age_out:
                default: null
                sudden_death: true
                interval: 257
            attributes:
                share_level: amber
                confidence: 100
    exportMC:
        author: MineMeld Core Team
        development_status: EXPERIMENTAL
        node_type: miner
        indicator_types:
            - IPv4
            - IPv6
            - domain
            - URL
        tags:
            - ShareLevelAmber
            - ConfidenceMedium
        description: >
            Miner for Threatq Export API. This prototype sets confidence
            of produced indicators to 70 (Medium Confidence).
            You need an installation of ThreatQ to use this Miner.
        class: minemeld.ft.threatq.Export
        config:
            source_name: threatq.export
            age_out:
                default: null
                sudden_death: true
                interval: 257
            attributes:
                share_level: amber
                confidence: 70
    exportLC:
        author: MineMeld Core Team
        development_status: EXPERIMENTAL
        node_type: miner
        indicator_types:
            - IPv4
            - IPv6
            - domain
            - URL
        tags:
            - ShareLevelAmber
            - ConfidenceLow
        description: >
            Miner for Threatq Export API. This prototype sets confidence
            of produced indicators to 30 (Low Confidence).
            You need an installation of ThreatQ to use this Miner.
        class: minemeld.ft.threatq.Export
        config:
            source_name: threatq.export
            age_out:
                default: null
                sudden_death: true
                interval: 257
            attributes:
                share_level: amber
                confidence: 30

--------------------------------------------------------------------------------
/prototypes/sslabusech.yml:
--------------------------------------------------------------------------------
url: https://sslbl.abuse.ch/blacklist/
description: >
    SSLBL offers various types of blacklists that allow you to block bad SSL
    traffic related to malware or botnet activities (e.g. botnet C&C traffic).

prototypes:
    ipblacklist:
        author: MineMeld Core Team
        development_status: STABLE
        description: >
            The SSL IP Blacklist contains all hosts (IP addresses) that SSLBL has
            seen in the past 30 days being associated with a malicious SSL
            certificate.
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceHigh
            - ShareLevelGreen
        class: minemeld.ft.csv.CSVFT
        config:
            url: https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
            ignore_regex: '^#'
            fieldnames:
                - firstseen
                - indicator
                - port
            attributes:
                type: IPv4
                confidence: 80
                share_level: green
            source_name: sslblabusech.ipblacklist
    aggressiveIPblacklist:
        author: MineMeld Core Team
        development_status: STABLE
        description: >
            The SSL IP Blacklist contains all hosts (IP addresses) that SSLBL has
            seen in the past being associated with a malicious SSL
            certificate. Warning - High FP Rate!
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceLow
            - ShareLevelGreen
        class: minemeld.ft.csv.CSVFT
        config:
            url: https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv
            ignore_regex: '^#'
            fieldnames:
                - firstseen
                - indicator
                - port
            attributes:
                type: IPv4
                confidence: 40
                share_level: green
            source_name: sslblabusech.aggressiveIPblacklist
    dyreblacklist:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceHigh
            - ShareLevelGreen
        description: Dyre SSL blacklist
        class: minemeld.ft.csv.CSVFT
        config:
            url: https://sslbl.abuse.ch/blacklist/dyre_sslipblacklist.csv
            ignore_regex: '^#'
            fieldnames:
                - indicator
                - port
                - sslblabusech_type
            attributes:
                type: IPv4
                confidence: 80
                share_level: green
            source_name: sslblabusech.dyreblacklist

--------------------------------------------------------------------------------
/prototypes/usom.yml:
--------------------------------------------------------------------------------
url: https://www.usom.gov.tr/
description: >
    Threat intelligence feeds from: TR-CERT - Turkey Computer Emergency Response Team. /
    Threat intelligence feeds from: USOM - Türkiye Cumhuriyeti Ulusal Siber Olaylara Müdahale Merkezi.

prototypes:
    IPs:
        author: Engin YÜCE
        development_status: STABLE
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceHigh
            - ShareLevelGreen
        description: TR-CERT/USOM Infosec IP address indicators. TR-CERT/USOM publishes mixed types of feeds from a single source; this prototype extracts only IP addresses.
    config:
      source_name: usom.IP
      attributes:
        type: IPv4
        confidence: 80
        share_level: green
      ignore_regex: '^#.*'
      indicator:
        regex: '^([^0-9\n]*)((?:[0-9]{1,3}\.){3}[0-9]{1,3})(.*)$'
        transform: '\2'
      url: https://www.usom.gov.tr/url-list.txt
      age_out:
        default: null
        sudden_death: true
      interval: 900
    class: minemeld.ft.http.HttpFT

  DOMAINs:
    author: Engin YÜCE
    development_status: STABLE
    node_type: miner
    indicator_types:
      - domain
    tags:
      - OSINT
      - ConfidenceHigh
      - ShareLevelGreen
    description: TR-CERT/USOM Infosec DOMAIN name indicators. TR-CERT/USOM publishes mixed types of feeds from a single source; this prototype extracts only DOMAIN names.
    config:
      source_name: usom.DOMAIN
      attributes:
        type: domain
        confidence: 80
        share_level: green
      ignore_regex: '^#.*'
      indicator:
        regex: '^(http[s]?:\/\/)?(?!(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})|http)([^:/\n]+)(.*)$'
        transform: '\2'
      url: https://www.usom.gov.tr/url-list.txt
      age_out:
        default: null
        sudden_death: true
      interval: 900
    class: minemeld.ft.http.HttpFT

  URLs:
    author: Engin YÜCE
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
    tags:
      - OSINT
      - ConfidenceHigh
      - ShareLevelGreen
    description: TR-CERT/USOM Infosec URL link indicators. TR-CERT/USOM publishes mixed types of feeds from a single source; this prototype extracts only URL links.
    config:
      source_name: usom.URL
      attributes:
        type: URL
        confidence: 80
        share_level: green
      ignore_regex: '^#.*'
      indicator:
        regex: '^(http[s]?:\/\/)?([^:/\n]+)(:[0-9]{1,5})?(/+)?(.*)$'
        transform: '\2/\5'
      url: https://www.usom.gov.tr/url-list.txt
      age_out:
        default: null
        sudden_death: true
      interval: 900
    class: minemeld.ft.http.HttpFT

--------------------------------------------------------------------------------
/prototypes/recordedfuture.yml:
--------------------------------------------------------------------------------
url: https://www.recordedfuture.com/
description: >
  Recorded Future delivers automated, real-time threat intelligence that
  enables organizations to defend themselves at the speed and scale of the
  Internet. Our service continuously analyzes content from the entire Web
  to give you unmatched insight into emerging threats.

prototypes:
  IPRiskList:
    author: MineMeld Core Team
    development_status: DEPRECATED
    node_type: miner
    indicator_types:
      - IPv4
      - IPv6
    tags:
      - ConfidenceHigh
      - ShareLevelRed
    description: >
      The IPRiskList miner downloads from Recorded Future a list of IP addresses with known risk.
      The risklist includes risk scores and the supporting evidence details. The miner uses Recorded Future's
      default IP risklist to download the data. To access this resource, you need a valid Recorded Future API token.
    class: minemeld.ft.recordedfuture.IPRiskList
    config:
      confidence: 80
      age_out:
        default: null
        sudden_death: true
      interval: 3307
      attributes:
        share_level: red

  DomainRiskList:
    author: Jonas Eichinger
    development_status: DEPRECATED
    node_type: miner
    indicator_types:
      - domain
    tags:
      - ConfidenceHigh
      - ShareLevelRed
    description: >
      The DomainRiskList miner downloads from Recorded Future a list of DNS domains with known risk.
      The risklist includes risk scores and the supporting evidence details. The miner uses Recorded Future's
      default domain risklist to download the data. To access this resource, you need a valid Recorded Future API token.
    class: minemeld.ft.recordedfuture.DomainRiskList
    config:
      confidence: 80
      age_out:
        default: null
        sudden_death: true
      interval: 3307
      attributes:
        share_level: red
        type: domain

  MasterRiskList:
    author: Recorded Future Inc.
    development_status: STABLE
    node_type: miner
    indicator_types:
      - IPv4
      - IPv6
      - domain
      - hash
      - url
    tags:
      - ConfidenceHigh
      - ShareLevelRed
    description: >
      The MasterRiskList miner downloads from Recorded Future a list of IP addresses, domains, URLs, or file hashes
      with known risk. The risklist includes risk scores and the supporting evidence details. The miner can be configured
      to load a specific risklist; if no risklist is specified, the default risklist is used. The miner can also be
      configured to load a custom risklist from a user-specified Recorded Future file path; if no file path is
      specified, the default risklist file is used. To access this resource, you need a valid Recorded Future API token.
    class: minemeld.ft.recordedfuture.MasterRiskList
    config:
      confidence: 80
      age_out:
        default: null
        sudden_death: true
      interval: 3307
      attributes:
        share_level: red

--------------------------------------------------------------------------------
/prototypes/spamhaus.yml:
--------------------------------------------------------------------------------
url: https://www.spamhaus.org/
description: >
  The Spamhaus Project is an international nonprofit organization whose
  mission is to track the Internet's spam operations and sources, to
  provide dependable real-time anti-spam protection for Internet networks,
  to work with law enforcement agencies to identify and pursue spam and
  malware gangs worldwide, and to lobby governments for effective
  anti-spam legislation.

prototypes:
  DROP:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - OSINT
      - ConfidenceHigh
      - ShareLevelGreen
    description: Spamhaus Don't Route Or Peer List (DROP)
    config:
      source_name: spamhaus.DROP
      attributes:
        type: IPv4
        direction: inbound
        confidence: 100
        share_level: green
      ignore_regex: '^;.*'
      indicator:
        regex: '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}'
      url: https://www.spamhaus.org/drop/drop.txt
      age_out:
        default: null
        sudden_death: true
      interval: 677
    class: minemeld.ft.http.HttpFT

  EDROP:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - OSINT
      - ConfidenceHigh
      - ShareLevelGreen
    description: Spamhaus Extended DROP List (EDROP)
    config:
      source_name: spamhaus.EDROP
      attributes:
        type: IPv4
        direction: inbound
        confidence: 100
        share_level: green
      ignore_regex: '^;.*'
      indicator:
        regex: '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}'
      url: https://www.spamhaus.org/drop/edrop.txt
      age_out:
        default: null
        sudden_death: true
      interval: 677
    class: minemeld.ft.http.HttpFT

  ASNDROP:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - autonomous-system
    tags:
      - OSINT
      - ConfidenceHigh
      - ShareLevelGreen
    description: Spamhaus ASN-DROP
    config:
      source_name: spamhaus.ASNDROP
      attributes:
        type: autonomous-system
        confidence: 100
        share_level: green
      ignore_regex: '^;.*'
      indicator:
        regex: '^AS[0-9]+'
      fields:
        asndrop_country:
          regex: '^.*;\W([a-zA-Z]+)\W+'
          transform: '\1'
        asndrop_org:
          regex: '^.*\|\W+(.*)'
          transform: '\1'
      url: https://www.spamhaus.org/drop/asndrop.txt
      age_out:
        default: null
        sudden_death: true
      interval: 86400
    class: minemeld.ft.http.HttpFT

--------------------------------------------------------------------------------
/prototypes/azure.yml:
--------------------------------------------------------------------------------
url: 'https://www.microsoft.com/en-us/download/confirmation.aspx?id=56519'
description: >
  List of Microsoft Azure Public IP addresses.

prototypes:
  cloudIPs:
    author: MineMeld Core Team
    development_status: DEPRECATED
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - ConfidenceHigh
      - ShareLevelGreen
    description: >
      DEPRECATED. Please use azure.cloudIPsWithServiceTags instead.
      Public IP addresses of Microsoft Azure
    class: minemeld.ft.azure.AzureXML
    config:
      age_out:
        default: null
        sudden_death: true
      interval: 257
      attributes:
        share_level: green
  cloudIPsWithServiceTags:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - ConfidenceHigh
      - ShareLevelGreen
    description: >
      IP Ranges of Microsoft Azure with Service Tags.
    class: minemeld.ft.azure.AzureJSON
    config:
      age_out:
        default: null
        sudden_death: true
      interval: 600
      attributes:
        share_level: green
  public-cloudIPsWithServiceTags:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - ConfidenceHigh
      - ShareLevelGreen
    description: >
      Microsoft Azure Public Cloud IP Ranges with Service Tags.
      Same as cloudIPsWithServiceTags.
    class: minemeld.ft.azure.AzureJSON
    config:
      cloud: public
      age_out:
        default: null
        sudden_death: true
      interval: 600
      attributes:
        share_level: green
  usgov-cloudIPsWithServiceTags:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - ConfidenceHigh
      - ShareLevelGreen
    description: >
      Microsoft Azure US Gov Cloud IP Ranges with Service Tags.
    class: minemeld.ft.azure.AzureJSON
    config:
      cloud: usgov
      age_out:
        default: null
        sudden_death: true
      interval: 600
      attributes:
        share_level: green
  china-cloudIPsWithServiceTags:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - ConfidenceHigh
      - ShareLevelGreen
    description: >
      Microsoft Azure China Cloud IP Ranges with Service Tags.
    class: minemeld.ft.azure.AzureJSON
    config:
      cloud: china
      age_out:
        default: null
        sudden_death: true
      interval: 600
      attributes:
        share_level: green
  germany-cloudIPsWithServiceTags:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - ConfidenceHigh
      - ShareLevelGreen
    description: >
      Microsoft Azure Germany Cloud IP Ranges with Service Tags.
    class: minemeld.ft.azure.AzureJSON
    config:
      cloud: germany
      age_out:
        default: null
        sudden_death: true
      interval: 600
      attributes:
        share_level: green

--------------------------------------------------------------------------------
/prototypes/feodotracker.yml:
--------------------------------------------------------------------------------
url: https://feodotracker.abuse.ch/
description: >
  Feodo Tracker offers various types of blocklists that allow you to block
  Feodo botnet C&C traffic.

prototypes:
  domainblocklist:
    author: MineMeld Core Team
    development_status: DEPRECATED
    description: >
      This feed was discontinued by the provider.
    node_type: miner
    indicator_types:
      - domain
    tags:
      - ConfidenceHigh
      - ShareLevelGreen
      - OSINT
    config:
      source_name: feodotracker.domainblocklist
      attributes:
        type: domain
        confidence: 100
        share_level: green
      ignore_regex: '^#'
      url: https://minemeld-updates.panw.io/deprecated-feed.txt
      interval: 1800
    class: minemeld.ft.http.HttpFT
  baddomains:
    author: MineMeld Core Team
    development_status: DEPRECATED
    description: >
      Do not use; use feodotracker.domainblocklist instead. Will be removed in
      a future release.
    node_type: miner
    indicator_types:
      - domain
    tags:
      - ConfidenceHigh
      - ShareLevelGreen
      - OSINT
    config:
      source_name: feodotracker.baddomains
      attributes:
        type: domain
        confidence: 100
        share_level: green
      ignore_regex: '^#'
      url: https://minemeld-updates.panw.io/deprecated-feed.txt
      interval: 1800
    class: minemeld.ft.http.HttpFT
  badips:
    author: MineMeld Core Team
    development_status: STABLE
    description: >
      From the website:
      Dridex and Emotet/Heodo botnet command&control servers (C&Cs) reside on
      a compromised server or a server that has been rented and set up by the
      botnet herder itself for the sole purpose of botnet hosting. Feodo Tracker
      offers a blocklist of IP addresses that are associated with such botnet
      C&Cs which can be used to detect and block botnet C2 traffic from infected
      machines towards the internet, leaving your network. An IP address will
      only get added to the blocklist if it responds with a valid botnet C2
      response. However, a botnet C2 may go offline later. The Botnet C2
      IP Blocklist is available in different formats documented below.
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - ConfidenceHigh
      - ShareLevelGreen
      - OSINT
    config:
      source_name: feodotracker.badips
      attributes:
        type: IPv4
        direction: outbound
        confidence: 100
        share_level: green
      ignore_regex: '#'
      url: https://feodotracker.abuse.ch/downloads/ipblocklist.txt
      interval: 600
    class: minemeld.ft.http.HttpFT
  ipblocklist:
    author: MineMeld Core Team
    development_status: STABLE
    description: >
      From the website:
      Dridex and Emotet/Heodo botnet command&control servers (C&Cs) reside on
      a compromised server or a server that has been rented and set up by the
      botnet herder itself for the sole purpose of botnet hosting. Feodo Tracker
      offers a blocklist of IP addresses that are associated with such botnet
      C&Cs which can be used to detect and block botnet C2 traffic from infected
      machines towards the internet, leaving your network. An IP address will
      only get added to the blocklist if it responds with a valid botnet C2
      response. However, a botnet C2 may go offline later. The Botnet C2
      IP Blocklist is available in different formats documented below.
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - ConfidenceMedium
      - ShareLevelGreen
      - OSINT
    config:
      source_name: feodotracker.ipblocklist
      attributes:
        type: IPv4
        direction: outbound
        confidence: 30
        share_level: green
      ignore_regex: '#'
      url: https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.txt
      interval: 600
    class: minemeld.ft.http.HttpFT
  hashes:
    author: MineMeld Core Team
    development_status: STABLE
    description: >
      From the website:
      Feodo Tracker publishes a list of hashes (MD5) associated with Dridex and
      Emotet/Heodo malware samples.
    node_type: miner
    indicator_types:
      - md5
    tags:
      - ConfidenceMedium
      - ShareLevelGreen
      - OSINT
    config:
      source_name: feodotracker.hashes
      attributes:
        type: md5
        confidence: 100
        share_level: green
      ignore_regex: '#'
      url: https://feodotracker.abuse.ch/downloads/malware_hashes.txt
      interval: 600
    class: minemeld.ft.http.HttpFT

--------------------------------------------------------------------------------
/prototypes/aws.yml:
--------------------------------------------------------------------------------
url: http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
description: >
  Amazon Web Services (AWS) publishes its current IP address ranges
  in JSON format.

prototypes:
  AMAZON:
    author: MineMeld Core Team
    development_status: STABLE
    description: all AMAZON ranges
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - ConfidenceHigh
      - ShareLevelGreen
    class: minemeld.ft.json.SimpleJSON
    config:
      source_name: aws.AMAZON
      url: https://ip-ranges.amazonaws.com/ip-ranges.json
      extractor: "prefixes[?service=='AMAZON']"
      prefix: aws
      indicator: ip_prefix
      fields:
        - region
        - service
      age_out:
        default: null
        sudden_death: true
      interval: 257
      attributes:
        type: IPv4
        confidence: 100
        share_level: green
  EC2:
    author: MineMeld Core Team
    development_status: STABLE
    description: EC2 ranges
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - ConfidenceHigh
      - ShareLevelGreen
    class: minemeld.ft.json.SimpleJSON
    config:
      source_name: aws.EC2
      url: https://ip-ranges.amazonaws.com/ip-ranges.json
      extractor: "prefixes[?service=='EC2']"
      prefix: aws
      indicator: ip_prefix
      fields:
        - region
        - service
      age_out:
        default: null
        sudden_death: true
      interval: 257
      attributes:
        type: IPv4
        confidence: 100
        share_level: green
  ROUTE53:
    author: MineMeld Core Team
    development_status: STABLE
    description: ROUTE53 ranges
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - ConfidenceHigh
      - ShareLevelGreen
    class: minemeld.ft.json.SimpleJSON
    config:
      source_name: aws.ROUTE53
      url: https://ip-ranges.amazonaws.com/ip-ranges.json
      extractor: "prefixes[?service=='ROUTE53']"
      prefix: aws
      indicator: ip_prefix
      fields:
        - region
        - service
      age_out:
        default: null
        sudden_death: true
      interval: 257
      attributes:
        type: IPv4
        confidence: 100
        share_level: green
  ROUTE53_HEALTHCHECKS:
    author: MineMeld Core Team
    development_status: STABLE
    description: ROUTE53_HEALTHCHECKS ranges
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - ConfidenceHigh
      - ShareLevelGreen
    class: minemeld.ft.json.SimpleJSON
    config:
      source_name: aws.ROUTE53_HEALTHCHECKS
      url: https://ip-ranges.amazonaws.com/ip-ranges.json
      extractor: "prefixes[?service=='ROUTE53_HEALTHCHECKS']"
      prefix: aws
      indicator: ip_prefix
      fields:
        - region
        - service
      age_out:
        default: null
        sudden_death: true
      interval: 257
      attributes:
        type: IPv4
        confidence: 100
        share_level: green
  CLOUDFRONT:
    author: MineMeld Core Team
    development_status: STABLE
    description: CLOUDFRONT ranges
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - ConfidenceHigh
      - ShareLevelGreen
    class: minemeld.ft.json.SimpleJSON
    config:
      source_name: aws.CLOUDFRONT
      url: https://ip-ranges.amazonaws.com/ip-ranges.json
      extractor: "prefixes[?service=='CLOUDFRONT']"
      prefix: aws
      indicator: ip_prefix
      fields:
        - region
        - service
      age_out:
        default: null
        sudden_death: true
      interval: 257
      attributes:
        type: IPv4
        confidence: 100
        share_level: green
  S3:
    author: MineMeld Core Team
    development_status: STABLE
    description: S3 ranges
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - ConfidenceHigh
      - ShareLevelGreen
    class: minemeld.ft.json.SimpleJSON
    config:
      source_name: aws.S3
      url: https://ip-ranges.amazonaws.com/ip-ranges.json
      extractor: "prefixes[?service=='S3']"
      prefix: aws
      indicator: ip_prefix
      fields:
        - region
        - service
      age_out:
        default: null
        sudden_death: true
      interval: 257
      attributes:
        type: IPv4
        confidence: 100
        share_level: green

--------------------------------------------------------------------------------
/prototypes/openbl.yml:
--------------------------------------------------------------------------------
url: https://www.openbl.org/
description: >
  The OpenBL.org project (formerly known as the SSH blacklist) is about
  detecting, logging and reporting various types of internet abuse. Currently
  our hosts monitor ports 21 (FTP), 22 (SSH), 23 (TELNET), 25 (SMTP),
  110 (POP3), 143 (IMAP), 587 (Submission), 993 (IMAPS) and 995 (POP3S)
  for bruteforce login attacks as well as scans on ports 80 (HTTP) and
  443 (HTTPS) for vulnerable installations of phpMyAdmin and other
  web applications.
  DO NOT USE!
  OpenBL has stopped operations; the prototypes are still here for
  backwards compatibility.

prototypes:
  base:
    author: MineMeld Core Team
    development_status: DEPRECATED
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - OSINT
      - ShareLevelGreen
      - ConfidenceMedium
      - Deprecated
    description: The suggested DEFAULT list
    config:
      source_name: openbl.base
      attributes:
        type: IPv4
        direction: inbound
        confidence: 50
        share_level: green
      ignore_regex: '^#.*'
      url: https://minemeld-updates.panw.io/deprecated-feed.txt
    class: minemeld.ft.http.HttpFT
  base_1days:
    author: MineMeld Core Team
    development_status: DEPRECATED
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - OSINT
      - ShareLevelGreen
      - ConfidenceMedium
      - Deprecated
    description: IP list for last 1 days
    config:
      source_name: openbl.base_1days
      attributes:
        type: IPv4
        direction: inbound
        confidence: 50
        share_level: green
      ignore_regex: '^#.*'
      url: https://minemeld-updates.panw.io/deprecated-feed.txt
    class: minemeld.ft.http.HttpFT
  base_7days:
    author: MineMeld Core Team
    development_status: DEPRECATED
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - OSINT
      - ShareLevelGreen
      - ConfidenceMedium
      - Deprecated
    description: IP list for last 7 days
    config:
      source_name: openbl.base_7days
      attributes:
        type: IPv4
        direction: inbound
        confidence: 50
        share_level: green
      ignore_regex: '^#.*'
      url: https://minemeld-updates.panw.io/deprecated-feed.txt
    class: minemeld.ft.http.HttpFT
  base_30days:
    author: MineMeld Core Team
    development_status: DEPRECATED
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - OSINT
      - ShareLevelGreen
      - ConfidenceMedium
      - Deprecated
    description: IP list for last 30 days
    config:
      source_name: openbl.base_30days
      attributes:
        type: IPv4
        direction: inbound
        confidence: 50
        share_level: green
      ignore_regex: '^#.*'
      url: https://minemeld-updates.panw.io/deprecated-feed.txt
    class: minemeld.ft.http.HttpFT
  base_60days:
    author: MineMeld Core Team
    development_status: DEPRECATED
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - OSINT
      - ShareLevelGreen
      - ConfidenceMedium
      - Deprecated
    description: IP list for last 60 days
    config:
      source_name: openbl.base_60days
      attributes:
        type: IPv4
        direction: inbound
        confidence: 50
        share_level: green
      ignore_regex: '^#.*'
      url: https://minemeld-updates.panw.io/deprecated-feed.txt
    class: minemeld.ft.http.HttpFT
  base_90days:
    author: MineMeld Core Team
    development_status: DEPRECATED
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - OSINT
      - ShareLevelGreen
      - ConfidenceMedium
      - Deprecated
    description: IP list for last 90 days
    config:
      # source_name follows the naming of the sibling prototypes; the original
      # entry carried the old feed URL here by mistake
      source_name: openbl.base_90days
      attributes:
        type: IPv4
        direction: inbound
        confidence: 50
        share_level: green
      ignore_regex: '^#.*'
      url: https://minemeld-updates.panw.io/deprecated-feed.txt
    class: minemeld.ft.http.HttpFT
  base_180days:
    author: MineMeld Core Team
    development_status: DEPRECATED
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - OSINT
      - ShareLevelGreen
      - ConfidenceMedium
      - Deprecated
    description: IP list for last 180 days
    config:
      source_name: openbl.base_180days
      attributes:
        type: IPv4
        direction: inbound
        confidence: 50
        share_level: green
      ignore_regex: '^#.*'
      url: https://minemeld-updates.panw.io/deprecated-feed.txt
    class: minemeld.ft.http.HttpFT
  base_360days:
    author: MineMeld Core Team
    development_status: DEPRECATED
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - OSINT
      - ShareLevelGreen
      - ConfidenceMedium
      - Deprecated
    description: IP list for last 360 days
    config:
      source_name: openbl.base_360days
      attributes:
        type: IPv4
        direction: inbound
        confidence: 50
        share_level: green
      ignore_regex: '^#.*'
      url: https://minemeld-updates.panw.io/deprecated-feed.txt
    class: minemeld.ft.http.HttpFT

--------------------------------------------------------------------------------
/prototypes/libraesva.yml:
--------------------------------------------------------------------------------
url: https://libraesva.com/
description: >
  Libraesva Reputation Services provides high quality data feeds about email threats, spam and malware.
  Most of the threats that these feeds allow you to block are unknown to any other public source.
  The feeds are updated very frequently and they are kept clean: ceased threats are automatically removed.
  We aim at a false positive rate close to zero while maintaining a high efficiency in blocking threats
  that are yet unknown to any public source.
  The feeds are free to use but require a free registration. Go to https://docs.libraesva.com/esvalabs-ioc-access-request/ to request access.

prototypes:
  LIBRAESVA_Advertising_Domains:
    author: LibraEsva Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - domain
    tags:
      - ConfidenceHigh
      - ShareLevelYellow
    description: Domains delivering advertising only
    config:
      age_out:
        default: null
        interval: 600
        sudden_death: true
      attributes:
        confidence: 100
        direction: inbound
        share_level: yellow
        type: domain
      ignore_regex: ^#.*
      indicator:
        regex: ^.*
      source_name: libraesva.advertising_domains
      url: https://repo.libraesva.com/ioc/domain.black.txt
    class: minemeld.ft.http.HttpFT

  LIBRAESVA_Bulk_Email_Domains:
    author: LibraEsva Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - domain
    tags:
      - ConfidenceHigh
      - ShareLevelYellow
    description: Domains delivering bulk email traffic
    config:
      age_out:
        default: null
        interval: 600
        sudden_death: true
      attributes:
        confidence: 100
        direction: inbound
        share_level: yellow
        type: domain
      ignore_regex: ^#.*
      indicator:
        regex: ^.*
      source_name: libraesva.bulk_email
      url: https://repo.libraesva.com/ioc/domain.grey.txt
    class: minemeld.ft.http.HttpFT

  LIBRAESVA_White_Domains:
    author: LibraEsva Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - domain
    tags:
      - ConfidenceHigh
      - ShareLevelYellow
    description: Legitimate email and web domains
    config:
      age_out:
        default: null
        interval: 600
        sudden_death: true
      attributes:
        confidence: 100
        direction: inbound
        share_level: yellow
        type: domain
      ignore_regex: ^#.*
      indicator:
        regex: ^.*
      source_name: libraesva.white_domains
      url: https://repo.libraesva.com/ioc/domain.white.txt
    class: minemeld.ft.http.HttpFT

  LIBRAESVA_Malware_Domains:
    author: LibraEsva Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - domain
    tags:
      - ConfidenceHigh
      - ShareLevelYellow
    description: Malware, phishing and compromised sites
    config:
      age_out:
        default: null
        interval: 600
        sudden_death: true
      attributes:
        confidence: 100
        direction: inbound
        share_level: yellow
        type: domain
      ignore_regex: ^#.*
      indicator:
        regex: ^.*
      source_name: libraesva.malware_domains
      url: https://repo.libraesva.com/ioc/domain.malware.txt
    class: minemeld.ft.http.HttpFT

  LIBRAESVA_Advertising_IP4:
    author: LibraEsva Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - ConfidenceHigh
      - ShareLevelYellow
    description: IPv4 classes delivering advertising email traffic only
    config:
      age_out:
        default: null
        interval: 600
        sudden_death: true
      attributes:
        confidence: 100
        direction: inbound
        share_level: yellow
        type: IPv4
      ignore_regex: ^#.*
      indicator:
        regex: ^.*
      source_name: libraesva.advertising_ip4
      url: https://repo.libraesva.com/ioc/ip.black.txt
    class: minemeld.ft.http.HttpFT

  LIBRAESVA_Bulk_IP4:
    author: LibraEsva Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - IPv4
    tags:
      - ConfidenceHigh
      - ShareLevelYellow
    description: IPv4 classes delivering bulk email traffic
    config:
      age_out:
        default: null
        interval: 600
        sudden_death: true
      attributes:
        confidence: 100
        direction: inbound
        share_level: yellow
        type: IPv4
      ignore_regex: ^#.*
      indicator:
        regex: ^.*
      source_name: libraesva.bulk_ip4
      url: https://repo.libraesva.com/ioc/ip.grey.txt
    class: minemeld.ft.http.HttpFT

  LIBRAESVA_Bad_Email_IXHASH:
    author: LibraEsva Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - md5
    tags:
      - ConfidenceHigh
      - ShareLevelYellow
    description: Undesired email hashes, computed with the IX hash algorithm
    config:
      age_out:
        default: null
        interval: 600
        sudden_death: true
      attributes:
        confidence: 100
        direction: inbound
        share_level: yellow
        type: md5
      ignore_regex: ^#.*
      indicator:
        regex: ^.*
      source_name: libraesva.bad_email_ixhash
      url: https://repo.libraesva.com/ioc/ix.black.txt
    class: minemeld.ft.http.HttpFT

--------------------------------------------------------------------------------
/prototypes/auscert.yml:
--------------------------------------------------------------------------------
url: https://www.auscert.org.au/
description: >
  AusCERT is a leading Cyber Emergency Response Team (CERT)
  in Australia and the Asia/Pacific region.

prototypes:
    7days_combo:
        author: Simon Coggins
        development_status: STABLE
        node_type: miner
        indicator_types: [ URL ]
        tags:
            - ConfidenceHigh
            - ShareLevelRed
        description: 7 days combo
        config:
            age_out:
                default: null
                sudden_death: true
            source_name: auscert.7days_combo
            url: https://www.auscert.org.au/api/v1/malurl/combo-7-xml
            indicator:
                regex: '(.*)'
                transform: '\1'
            attributes:
                type: URL
                share_level: red
                confidence: 80
        class: minemeld.ft.auscert.MaliciousURLFeed

    7days_malware:
        author: Simon Coggins
        development_status: STABLE
        node_type: miner
        indicator_types: [ URL ]
        tags:
            - ConfidenceHigh
            - ShareLevelRed
        description: 7 days malware
        config:
            age_out:
                default: null
                sudden_death: true
            source_name: auscert.7days_malware
            url: https://www.auscert.org.au/api/v1/malurl/malware-7-xml
            indicator:
                regex: '(.*)'
                transform: '\1'
            attributes:
                type: URL
                share_level: red
                confidence: 80
        class: minemeld.ft.auscert.MaliciousURLFeed

    7days_phishing:
        author: Simon Coggins
        development_status: STABLE
        node_type: miner
        indicator_types: [ URL ]
        tags:
            - ConfidenceHigh
            - ShareLevelRed
        description: 7 days phishing
        config:
            age_out:
                default: null
                sudden_death: true
            source_name: auscert.7days_phishing
            url: https://www.auscert.org.au/api/v1/malurl/phishing-7-xml
            indicator:
                regex: '(.*)'
                transform: '\1'
            attributes:
                type: URL
                share_level: red
                confidence: 80
        class: minemeld.ft.auscert.MaliciousURLFeed

    7days_dumpsites:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types: [ URL ]
        tags:
            - Deprecated
            - ShareLevelRed
        description: Do not use!
        config:
            age_out:
                default: null
                sudden_death: true
            source_name: auscert.7days_dumpsites
            url: https://minemeld-updates.panw.io/deprecated-feed.txt
        class: minemeld.ft.http.HttpFT

    7days_muling:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types: [ URL ]
        tags:
            - Deprecated
            - ShareLevelRed
        description: Do not use!
        config:
            age_out:
                default: null
                sudden_death: true
            source_name: auscert.7days_muling
            url: https://minemeld-updates.panw.io/deprecated-feed.txt
        class: minemeld.ft.http.HttpFT

    1day_combo:
        author: Simon Coggins
        development_status: STABLE
        node_type: miner
        indicator_types: [ URL ]
        tags:
            - ConfidenceHigh
            - ShareLevelRed
        description: 1 day combo
        config:
            age_out:
                default: null
                sudden_death: true
            source_name: auscert.1day_combo
            url: https://www.auscert.org.au/api/v1/malurl/combo-1-xml
            indicator:
                regex: '(.*)'
                transform: '\1'
            attributes:
                type: URL
                share_level: red
                confidence: 80
        class: minemeld.ft.auscert.MaliciousURLFeed

    1day_malware:
        author: Simon Coggins
        development_status: STABLE
        node_type: miner
        indicator_types: [ URL ]
        tags:
            - ConfidenceHigh
            - ShareLevelRed
        description: 1 day malware
        config:
            age_out:
                default: null
                sudden_death: true
            source_name: auscert.1day_malware
            url: https://www.auscert.org.au/api/v1/malurl/malware-1-xml
            indicator:
                regex: '(.*)'
                transform: '\1'
            attributes:
                type: URL
                share_level: red
                confidence: 80
        class: minemeld.ft.auscert.MaliciousURLFeed

    1day_phishing:
        author: Simon Coggins
        development_status: STABLE
        node_type: miner
        indicator_types: [ URL ]
        tags:
            - ConfidenceHigh
            - ShareLevelRed
        description: 1 day phishing
        config:
            age_out:
                default: null
                sudden_death: true
            source_name: auscert.1day_phishing
            url: https://www.auscert.org.au/api/v1/malurl/phishing-1-xml
            indicator:
                regex: '(.*)'
                transform: '\1'
            attributes:
                type: URL
                share_level: red
                confidence: 80
        class: minemeld.ft.auscert.MaliciousURLFeed

    1day_dumpsites:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types: [ URL ]
        tags:
            - Deprecated
            - ShareLevelRed
        description: Do not use!
        config:
            age_out:
                default: null
                sudden_death: true
            source_name: auscert.1day_dumpsites
            url: https://minemeld-updates.panw.io/deprecated-feed.txt
        class: minemeld.ft.http.HttpFT

    1day_muling:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types: [ URL ]
        tags:
            - Deprecated
            - ShareLevelRed
        description: Do not use!
        config:
            age_out:
                default: null
                sudden_death: true
            source_name: auscert.1day_muling
            url: https://minemeld-updates.panw.io/deprecated-feed.txt
        class: minemeld.ft.http.HttpFT

--------------------------------------------------------------------------------
/prototypes/office365-dod.yml:
--------------------------------------------------------------------------------
url: 'https://support.office.com/en-us/article/Office-365-U-S-Government-Defense-endpoints-cbd2369c-fd96-464c-bf48-c99826b459ee?ui=en-US&rs=en-US&ad=US'
description: >
    This reference article lists every endpoint used by Office 365 US Government DoD.
    If your organization restricts computers on your network from connecting to the Internet,
    this article lists the endpoints (FQDNs, Ports, URLs, IPv4, and IPv6 address ranges) that
    you should include in your outbound allow lists to ensure your computers can successfully
    use Office 365.

prototypes:
    exchangeOnline:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - URL
            - IPv6
            - IPv4
        tags:
            - ShareLevelGreen
            - ConfidenceHigh
        description: >
            If you have licensed Exchange Online as a standalone or as part of a suite, you
            must be able to reach the following endpoints.
        class: minemeld.ft.o365.O365XML
        config:
            url: https://support.content.office.net/en-us/static/O365IPAddresses_USDoD.xml
            products:
                - EXO
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            attributes:
                share_level: green

    portal:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - URL
            - IPv6
            - IPv4
        tags:
            - ShareLevelGreen
            - ConfidenceHigh
        description: >
            Portal and shared.
        class: minemeld.ft.o365.O365XML
        config:
            url: https://support.content.office.net/en-us/static/O365IPAddresses_USDoD.xml
            products:
                - portal
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            attributes:
                share_level: green

    skypeBusinessOnline:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - URL
            - IPv6
            - IPv4
        tags:
            - ShareLevelGreen
            - ConfidenceHigh
        description: >
            If you have licensed Skype for Business Online as a standalone or as part of a
            suite, you must be able to reach the Office 365 portal and identity URLs as well
            as the Skype for Business Online URLs or IP addresses.
        class: minemeld.ft.o365.O365XML
        config:
            url: https://support.content.office.net/en-us/static/O365IPAddresses_USDoD.xml
            products:
                - SfB
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            attributes:
                share_level: green

    sharepointOnline:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - URL
            - IPv6
            - IPv4
        tags:
            - ShareLevelGreen
            - ConfidenceHigh
        description: >
            If you have licensed SharePoint Online as a standalone or as part of a suite,
            you must be able to reach the Office 365 portal and identity URLs as well as
            the SharePoint Online URLs or IP addresses.
        class: minemeld.ft.o365.O365XML
        config:
            url: https://support.content.office.net/en-us/static/O365IPAddresses_USDoD.xml
            products:
                - SPO
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            attributes:
                share_level: green

    exchangeOnlineProtection:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - URL
            - IPv6
            - IPv4
        tags:
            - ShareLevelGreen
            - ConfidenceHigh
        description: >
            If you have licensed Exchange Online Protection (EOP) as a standalone or as part
            of a suite, you must be able to reach the Office 365 portal and identity URLs as
            well as the EOP IP addresses.
        class: minemeld.ft.o365.O365XML
        config:
            url: https://support.content.office.net/en-us/static/O365IPAddresses_USDoD.xml
            products:
                - EOP
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            attributes:
                share_level: green

    O365ProPlus:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - URL
            - IPv6
            - IPv4
        tags:
            - ShareLevelGreen
            - ConfidenceHigh
        description: >
            Here is the current list of endpoints PCs and Macs need to be able to access
            to use Office 365 ProPlus.
        class: minemeld.ft.o365.O365XML
        config:
            url: https://support.content.office.net/en-us/static/O365IPAddresses_USDoD.xml
            products:
                - ProPlus
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            attributes:
                share_level: green

    officeOnline:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - URL
            - IPv6
            - IPv4
        tags:
            - ShareLevelGreen
            - ConfidenceHigh
        description: >
            This list of IP addresses is the current list required for Office Web Apps.
        class: minemeld.ft.o365.O365XML
        config:
            url: https://support.content.office.net/en-us/static/O365IPAddresses_USDoD.xml
            products:
                - officeonline
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            attributes:
                share_level: green

    identity:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - URL
            - IPv6
            - IPv4
        tags:
            - ShareLevelGreen
            - ConfidenceHigh
        description: >
            This is the current list of Office 365 authentication and
            identity IPs and URLs.
        class: minemeld.ft.o365.O365XML
        config:
            url: https://support.content.office.net/en-us/static/O365IPAddresses_USDoD.xml
            products:
                - identity
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            attributes:
                share_level: green

    any:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - URL
            - IPv6
            - IPv4
        tags:
            - ShareLevelGreen
            - ConfidenceHigh
        description: >
            This is the current list of IPs and URLs associated with
            any Office365 product.
        class: minemeld.ft.o365.O365XML
        config:
            url: https://support.content.office.net/en-us/static/O365IPAddresses_USDoD.xml
            products: []
            age_out:
                default: null
                sudden_death: true
            interval: null
            attributes:
                share_level: green

--------------------------------------------------------------------------------
/prototypes/office365-usdefense.yml:
--------------------------------------------------------------------------------
url: 'https://support.office.com/en-us/article/Office-365-U-S-Government-Defense-endpoints-cbd2369c-fd96-464c-bf48-c99826b459ee?ui=en-US&rs=en-US&ad=US'
description: >
    This reference article lists every endpoint used by Office 365 US Government Defense.
    If your organization restricts computers on your network from connecting to the Internet,
    this article lists the endpoints (FQDNs, Ports, URLs, IPv4, and IPv6 address ranges) that
    you should include in your outbound allow lists to ensure your computers can successfully
    use Office 365.

prototypes:
    exchangeOnline:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - URL
            - IPv6
            - IPv4
        tags:
            - ShareLevelGreen
            - ConfidenceHigh
        description: >
            If you have licensed Exchange Online as a standalone or as part of a suite, you
            must be able to reach the following endpoints.
        class: minemeld.ft.o365.O365XML
        config:
            url: https://support.content.office.net/en-us/static/O365IPAddresses_USDefense.xml
            products:
                - EXO
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            attributes:
                share_level: green

    portal:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - URL
            - IPv6
            - IPv4
        tags:
            - ShareLevelGreen
            - ConfidenceHigh
        description: >
            Portal and shared.
        class: minemeld.ft.o365.O365XML
        config:
            url: https://support.content.office.net/en-us/static/O365IPAddresses_USDefense.xml
            products:
                - portal
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            attributes:
                share_level: green

    skypeBusinessOnline:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - URL
            - IPv6
            - IPv4
        tags:
            - ShareLevelGreen
            - ConfidenceHigh
        description: >
            If you have licensed Skype for Business Online as a standalone or as part of a
            suite, you must be able to reach the Office 365 portal and identity URLs as well
            as the Skype for Business Online URLs or IP addresses.
        class: minemeld.ft.o365.O365XML
        config:
            url: https://support.content.office.net/en-us/static/O365IPAddresses_USDefense.xml
            products:
                - SfB
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            attributes:
                share_level: green

    sharepointOnline:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - URL
            - IPv6
            - IPv4
        tags:
            - ShareLevelGreen
            - ConfidenceHigh
        description: >
            If you have licensed SharePoint Online as a standalone or as part of a suite,
            you must be able to reach the Office 365 portal and identity URLs as well as
            the SharePoint Online URLs or IP addresses.
        class: minemeld.ft.o365.O365XML
        config:
            url: https://support.content.office.net/en-us/static/O365IPAddresses_USDefense.xml
            products:
                - SPO
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            attributes:
                share_level: green

    exchangeOnlineProtection:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - URL
            - IPv6
            - IPv4
        tags:
            - ShareLevelGreen
            - ConfidenceHigh
        description: >
            If you have licensed Exchange Online Protection (EOP) as a standalone or as part
            of a suite, you must be able to reach the Office 365 portal and identity URLs as
            well as the EOP IP addresses.
        class: minemeld.ft.o365.O365XML
        config:
            url: https://support.content.office.net/en-us/static/O365IPAddresses_USDefense.xml
            products:
                - EOP
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            attributes:
                share_level: green

    O365ProPlus:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - URL
            - IPv6
            - IPv4
        tags:
            - ShareLevelGreen
            - ConfidenceHigh
        description: >
            Here is the current list of endpoints PCs and Macs need to be able to access
            to use Office 365 ProPlus.
        class: minemeld.ft.o365.O365XML
        config:
            url: https://support.content.office.net/en-us/static/O365IPAddresses_USDefense.xml
            products:
                - ProPlus
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            attributes:
                share_level: green

    officeOnline:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - URL
            - IPv6
            - IPv4
        tags:
            - ShareLevelGreen
            - ConfidenceHigh
        description: >
            This list of IP addresses is the current list required for Office Web Apps.
        class: minemeld.ft.o365.O365XML
        config:
            url: https://support.content.office.net/en-us/static/O365IPAddresses_USDefense.xml
            products:
                - officeonline
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            attributes:
                share_level: green

    identity:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - URL
            - IPv6
            - IPv4
        tags:
            - ShareLevelGreen
            - ConfidenceHigh
        description: >
            This is the current list of Office 365 authentication and
            identity IPs and URLs.
        class: minemeld.ft.o365.O365XML
        config:
            url: https://support.content.office.net/en-us/static/O365IPAddresses_USDefense.xml
            products:
                - identity
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            attributes:
                share_level: green

    any:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - URL
            - IPv6
            - IPv4
        tags:
            - ShareLevelGreen
            - ConfidenceHigh
        description: >
            This is the current list of IPs and URLs associated with
            any Office365 product.
        class: minemeld.ft.o365.O365XML
        config:
            url: https://support.content.office.net/en-us/static/O365IPAddresses_USDefense.xml
            products: []
            age_out:
                default: null
                sudden_death: true
            interval: null
            attributes:
                share_level: green

--------------------------------------------------------------------------------
/prototypes/blocklist_de.yml:
--------------------------------------------------------------------------------
description: >
    www.blocklist.de is a free and voluntary service provided by a
    Fraud/Abuse-specialist, whose servers are often attacked on
    SSH-, Mail-Login-, FTP-, Webserver- and other services.
url: http://www.blocklist.de/en/index.html

prototypes:
    all:
        author: MineMeld Core Team
        development_status: STABLE
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceMedium
            - ShareLevelGreen
        description: >
            All IP addresses that have attacked one of our
            customers/servers in the last 48 hours.
        config:
            source_name: blocklist_de.all
            url: https://lists.blocklist.de/lists/all.txt
            attributes:
                type: IPv4
                direction: inbound
                share_level: green
                confidence: 50
        class: minemeld.ft.http.HttpFT
    ssh:
        author: MineMeld Core Team
        development_status: STABLE
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceMedium
            - ShareLevelGreen
        description: >
            All IP addresses which have been reported within the last
            48 hours as having run attacks on the service SSH.
        config:
            source_name: blocklist_de.ssh
            url: https://lists.blocklist.de/lists/ssh.txt
            attributes:
                type: IPv4
                direction: inbound
                share_level: green
                confidence: 50
                application: ssh
        class: minemeld.ft.http.HttpFT
    mail:
        author: MineMeld Core Team
        development_status: STABLE
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceMedium
            - ShareLevelGreen
        description: >
            All IP addresses which have been reported within the last
            48 hours as having run attacks on the service Mail, Postfix.
        config:
            source_name: blocklist_de.mail
            url: https://lists.blocklist.de/lists/mail.txt
            attributes:
                type: IPv4
                direction: inbound
                share_level: green
                confidence: 50
                application: smtp
        class: minemeld.ft.http.HttpFT
    apache:
        author: MineMeld Core Team
        development_status: STABLE
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceMedium
            - ShareLevelGreen
        description: >
            All IP addresses which have been reported within the last
            48 hours as having run attacks on the service Apache,
            Apache-DDOS, RFI-Attacks.
        config:
            source_name: blocklist_de.apache
            url: https://lists.blocklist.de/lists/apache.txt
            attributes:
                type: IPv4
                direction: inbound
                share_level: green
                confidence: 50
        class: minemeld.ft.http.HttpFT
    imap:
        author: MineMeld Core Team
        development_status: STABLE
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceMedium
            - ShareLevelGreen
        description: >
            All IP addresses which have been reported within the last
            48 hours for attacks on the services imap, sasl, pop3...
        config:
            source_name: blocklist_de.imap
            url: https://lists.blocklist.de/lists/imap.txt
            attributes:
                type: IPv4
                direction: inbound
                share_level: green
                confidence: 50
                application: imap
        class: minemeld.ft.http.HttpFT
    ftp:
        author: MineMeld Core Team
        development_status: STABLE
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceMedium
            - ShareLevelGreen
        description: >
            All IP addresses which have been reported within the
            last 48 hours for attacks on the service FTP.
        config:
            source_name: blocklist_de.ftp
            url: https://lists.blocklist.de/lists/ftp.txt
            attributes:
                type: IPv4
                direction: inbound
                share_level: green
                confidence: 50
                application: ftp
        class: minemeld.ft.http.HttpFT
    sip:
        author: MineMeld Core Team
        development_status: STABLE
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceMedium
            - ShareLevelGreen
        description: >
            All IP addresses that tried to log in to a SIP-, VOIP- or
            Asterisk-Server and are included in the IPs-List from
            http://www.infiltrated.net/ (Twitter).
        config:
            source_name: blocklist_de.sip
            url: https://lists.blocklist.de/lists/sip.txt
            attributes:
                type: IPv4
                direction: inbound
                share_level: green
                confidence: 50
                application: sip
        class: minemeld.ft.http.HttpFT
    bots:
        author: MineMeld Core Team
        development_status: STABLE
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceMedium
            - ShareLevelGreen
        description: >
            All IP addresses which have been reported within the
            last 48 hours as having run RFI-Attacks, or as
            REG-Bots, IRC-Bots or BadBots (BadBots = has posted a
            spam comment on an open forum or wiki).
        config:
            source_name: blocklist_de.bots
            url: https://lists.blocklist.de/lists/bots.txt
            attributes:
                type: IPv4
                direction: inbound
                share_level: green
                confidence: 50
        class: minemeld.ft.http.HttpFT
    strongips:
        author: MineMeld Core Team
        development_status: STABLE
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceMedium
            - ShareLevelGreen
        description: >
            All IPs which are older than 2 months and have more
            than 5,000 attacks.
        config:
            source_name: blocklist_de.strongips
            url: https://lists.blocklist.de/lists/strongips.txt
            attributes:
                type: IPv4
                direction: inbound
                share_level: green
                confidence: 50
        class: minemeld.ft.http.HttpFT
    ircbot:
        author: MineMeld Core Team
        development_status: STABLE
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceMedium
            - ShareLevelGreen
        description: ''
        config:
            source_name: blocklist_de.ircbot
            url: https://lists.blocklist.de/lists/ircbot.txt
            attributes:
                type: IPv4
                direction: inbound
                share_level: green
                confidence: 50
        class: minemeld.ft.http.HttpFT
    bruteforcelogin:
        author: MineMeld Core Team
        development_status: STABLE
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceMedium
            - ShareLevelGreen
        description: >
            All IPs which attack Joomla, WordPress and other
            web logins with brute-force logins.
        config:
            source_name: blocklist_de.bruteforcelogin
            url: https://lists.blocklist.de/lists/bruteforcelogin.txt
            attributes:
                type: IPv4
                direction: inbound
                share_level: green
                confidence: 50
        class: minemeld.ft.http.HttpFT

--------------------------------------------------------------------------------
/prototypes/hailataxii.yml:
--------------------------------------------------------------------------------
url: http://hailataxii.com/
description: >
    Hail a TAXII.com is a repository of Open Source Cyber
    Threat Intelligence feeds in STIX format.

prototypes:
    guest_Abuse_ch:
        author: Soltra Dev Team
        development_status: EXPERIMENTAL
        node_type: miner
        indicator_types:
            - IPv4
            - IPv6
            - domain
            - URL
        tags:
            - OSINT
            - ShareLevelGreen
            - ConfidenceHigh
            - ConfidenceMedium
            - ConfidenceLow
        class: minemeld.ft.taxii.TaxiiClient
        description: public TAXII feed from Abuse_ch
        config:
            source_name: hailataxii.guest.Abuse_ch
            discovery_service: http://hailataxii.com/taxii-discovery-service
            username: guest
            password: guest
            collection: guest.Abuse_ch
            attributes:
                confidence: 30
                share_level: green
            age_out:
                sudden_death: false
                default: last_seen+30d

    guest_CyberCrime_Tracker:
        author: Soltra Dev Team
        development_status: EXPERIMENTAL
        node_type: miner
        indicator_types:
            - IPv4
            - IPv6
            - domain
            - URL
        tags:
            - OSINT
            - ShareLevelGreen
            - ConfidenceHigh
            - ConfidenceMedium
            - ConfidenceLow
        class: minemeld.ft.taxii.TaxiiClient
        description: public TAXII feed from CyberCrime_Tracker
        config:
            source_name: hailataxii.guest.CyberCrime_Tracker
            discovery_service: http://hailataxii.com/taxii-discovery-service
            username: guest
            password: guest
            collection: guest.CyberCrime_Tracker
            attributes:
                confidence: 30
                share_level: green
            age_out:
                sudden_death: false
                default: last_seen+30d

    guest_EmergingThreats_rules:
        author: Soltra Dev Team
        development_status: EXPERIMENTAL
        node_type: miner
        indicator_types:
            - IPv4
            - IPv6
            - domain
            - URL
        tags:
            - OSINT
            - ShareLevelGreen
            - ConfidenceHigh
            - ConfidenceMedium
            - ConfidenceLow
        class: minemeld.ft.taxii.TaxiiClient
        description: public TAXII feed from EmergingThreats_rules
        config:
            source_name: hailataxii.guest.EmergingThreats_rules
            discovery_service: http://hailataxii.com/taxii-discovery-service
            username: guest
            password: guest
            collection: guest.EmergingThreats_rules
            attributes:
                confidence: 30
                share_level: green
            age_out:
                sudden_death: false
                default: last_seen+30d

    guest_Lehigh_edu:
        author: MineMeld Core Team
        development_status: EXPERIMENTAL
        node_type: miner
        indicator_types:
            - IPv4
            - IPv6
            - domain
            - URL
        tags:
            - OSINT
            - ShareLevelGreen
            - ConfidenceHigh
            - ConfidenceMedium
            - ConfidenceLow
        class: minemeld.ft.taxii.TaxiiClient
        description: public TAXII feed from Lehigh.edu
        config:
            source_name: hailataxii.guest.Lehigh_edu
            discovery_service: http://hailataxii.com/taxii-discovery-service
            username: guest
            password: guest
            collection: guest.Lehigh_edu
            attributes:
                confidence: 30
                share_level: green
            age_out:
                sudden_death: false
                default: last_seen+30d

    guest_MalwareDomainList_Hostlist:
        author: Soltra Dev Team
        development_status: EXPERIMENTAL
        node_type: miner
        indicator_types:
            - IPv4
            - IPv6
            - domain
            - URL
        tags:
            - OSINT
            - ShareLevelGreen
            - ConfidenceHigh
            - ConfidenceMedium
            - ConfidenceLow
        class: minemeld.ft.taxii.TaxiiClient
        description: public TAXII feed from MalwareDomainList_Hostlist
        config:
            source_name: hailataxii.guest.MalwareDomainList_Hostlist
            discovery_service: http://hailataxii.com/taxii-discovery-service
            username: guest
            password: guest
            collection: guest.MalwareDomainList_Hostlist
            attributes:
                confidence: 30
                share_level: green
            age_out:
                sudden_death: false
                default: last_seen+30d

    guest_blutmagie_de_torExits:
        author: Soltra Dev Team
        development_status: EXPERIMENTAL
        node_type: miner
        indicator_types:
            - IPv4
            - IPv6
            - domain
            - URL
        tags:
            - OSINT
            - ShareLevelGreen
            - ConfidenceHigh
            - ConfidenceMedium
            - ConfidenceLow
        class: minemeld.ft.taxii.TaxiiClient
        description: public TAXII feed from blutmagie_de_torExits
        config:
            source_name: hailataxii.guest.blutmagie_de_torExits
            discovery_service: http://hailataxii.com/taxii-discovery-service
            username: guest
            password: guest
            collection: guest.blutmagie_de_torExits
            attributes:
                confidence: 30
                share_level: green
            age_out:
                sudden_death: false
                default: last_seen+30d

    guest_dataForLast_7daysOnly:
        author: Soltra Dev Team
        development_status: EXPERIMENTAL
        node_type: miner
        indicator_types:
            - IPv4
            - IPv6
            - domain
            - URL
        tags:
            - OSINT
            - ShareLevelGreen
            - ConfidenceHigh
            - ConfidenceMedium
            - ConfidenceLow
        class: minemeld.ft.taxii.TaxiiClient
        description: public TAXII feed from dataForLast_7daysOnly
        config:
            source_name: hailataxii.guest.dataForLast_7daysOnly
            discovery_service: http://hailataxii.com/taxii-discovery-service
            username: guest
            password: guest
            collection: guest.dataForLast_7daysOnly
            attributes:
                confidence: 30
                share_level: green
            age_out:
                sudden_death: false
                default: last_seen+30d

    guest_dshield_BlockList:
        author: Soltra Dev Team
        development_status: EXPERIMENTAL
        node_type: miner
        indicator_types:
            - IPv4
            - IPv6
            - domain
            - URL
        tags:
            - OSINT
            - ShareLevelGreen
            - ConfidenceHigh
            - ConfidenceMedium
            - ConfidenceLow
        class: minemeld.ft.taxii.TaxiiClient
        description: public TAXII feed from dshield_BlockList
        config:
            source_name: hailataxii.guest.dshield_BlockList
            discovery_service: http://hailataxii.com/taxii-discovery-service
            username: guest
            password: guest
            collection: guest.dshield_BlockList
            attributes:
                confidence: 30
                share_level: green
            age_out:
                sudden_death: false
                default: last_seen+30d

    guest_phishtank_com:
        author: MineMeld Core Team
        development_status: EXPERIMENTAL
        node_type: miner
        indicator_types:
            - IPv4
            - IPv6
            - domain
            - URL
        tags:
            - OSINT
            - ShareLevelGreen
            - ConfidenceHigh
            - ConfidenceMedium
            - ConfidenceLow
        class: minemeld.ft.taxii.TaxiiClient
        description: public TAXII feed from phishtank.com
        config:
            source_name: hailataxii.guest.phishtank_com
            discovery_service: http://hailataxii.com/taxii-discovery-service
            username: guest
            password: guest
            collection: guest.phishtank_com
            attributes:
                confidence: 30
                share_level: green
            age_out:
                sudden_death: false
                default: last_seen+30d

--------------------------------------------------------------------------------
/prototypes/bambenekconsulting.yml:
--------------------------------------------------------------------------------
description: >
    Details about these feeds in this presentation:
    https://www.first.org/resources/papers/conf2016/FIRST-2016-80.pdf
    and here https://faf.bambenekconsulting.com/feeds/license.txt
url: http://faf.bambenekconsulting.com/feeds/

prototypes:
    c2_ipmasterlist:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceMedium
            - ShareLevelGreen
        description: >
            Master Feed of known, active and non-sinkholed C&Cs IP addresses
        class: minemeld.ft.csv.CSVFT
        config:
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            url: http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
            ignore_regex: '^#'
            fieldnames:
                - indicator
                - bambenekconsulting_description
                - bambenekconsulting_date
                - bambenekconsulting_info
            attributes:
                type: IPv4
                confidence: 70
                share_level: green
            source_name: bambenekconsulting.c2_ipmasterlist
    c2_dommasterlist:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - domain
        tags:
            - OSINT
            - ConfidenceMedium
            - ShareLevelGreen
        description: >
            Master Feed of known, active and non-sinkholed C&Cs domain names
        class: minemeld.ft.csv.CSVFT
        config:
            url: http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt
            ignore_regex: '^#'
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            fieldnames:
                - indicator
                - bambenekconsulting_description
                - bambenekconsulting_date
                - bambenekconsulting_info
            attributes:
                type: domain
                confidence: 70
                share_level: green
            source_name: bambenekconsulting.c2_dommasterlist
    c2_ipmasterlist_high:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - IPv4
        tags:
            - OSINT
            - ConfidenceHigh
            - ShareLevelGreen
        description: >
            High Confidence Master Feed of known, active and non-sinkholed C&Cs IP addresses
        class: minemeld.ft.csv.CSVFT
        config:
            url: http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt
            ignore_regex: '^#'
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            fieldnames:
                - indicator
                - bambenekconsulting_description
                - bambenekconsulting_date
                - bambenekconsulting_info
            attributes:
                type: IPv4
                confidence: 90
                share_level: green
            source_name: bambenekconsulting.c2_ipmasterlist_high
    c2_dommasterlist_high:
        author: MineMeld Core Team
        development_status: DEPRECATED
        node_type: miner
        indicator_types:
            - domain
        tags:
            - OSINT
            - ConfidenceHigh
            - ShareLevelGreen
        description: >
            High Confidence Master Feed of known, active and non-sinkholed C&Cs domain names
        class: minemeld.ft.csv.CSVFT
        config:
            url: http://osint.bambenekconsulting.com/feeds/c2-dommasterlist-high.txt
            ignore_regex: '^#'
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            fieldnames:
                - indicator
                - bambenekconsulting_description
                - bambenekconsulting_date
                - bambenekconsulting_info
            attributes:
                type: domain
                confidence: 90
                share_level: green
            source_name: bambenekconsulting.c2_dommasterlist_high
    dga_feed:
        author: MineMeld Core Team
        development_status: STABLE
        node_type: miner
        indicator_types:
            - domain
        tags:
            - OSINT
            - ConfidenceMedium
            - ShareLevelRed
        description: >
            DGA Feed
        class: minemeld.ft.bambenek.Miner
        config:
            url: https://faf.bambenekconsulting.com/feeds/dga-feed.gz
            decode_gzip: true
            ignore_regex: '^#'
            age_out:
                default: null
                sudden_death: true
            interval: 1800
            fieldnames:
                - indicator
                - bambenekconsulting_description
                - bambenekconsulting_date
                - bambenekconsulting_info
            attributes:
                type: domain
                confidence: 70
                share_level: green
            source_name: bambenekconsulting.dga_feed
    dga_feed_high:
        author: MineMeld Core Team
        development_status: STABLE
        node_type: miner
        indicator_types:
            - domain
        tags:
            - OSINT
            - ConfidenceMedium
            - ShareLevelRed
        description: >
            DGA Feed, High Confidence Only
        class: minemeld.ft.bambenek.Miner
        config:
            url: https://faf.bambenekconsulting.com/feeds/dga-feed-high.gz
| decode_gzip: true 175 | ignore_regex: '^#' 176 | age_out: 177 | default: null 178 | sudden_death: true 179 | interval: 1800 180 | fieldnames: 181 | - indicator 182 | - bambenekconsulting_description 183 | - bambenekconsulting_date 184 | - bambenekconsulting_info 185 | attributes: 186 | type: domain 187 | confidence: 100 188 | share_level: green 189 | source_name: bambenekconsulting.dga_feed_high 190 | c2_masterlist: 191 | author: MineMeld Core Team 192 | development_status: STABLE 193 | node_type: miner 194 | indicator_types: 195 | - domain 196 | tags: 197 | - ConfidenceMedium 198 | - ShareLevelRed 199 | description: > 200 | C2 Domains, not sinkholed 201 | class: minemeld.ft.bambenek.Miner 202 | config: 203 | url: https://faf.bambenekconsulting.com/feeds/dga/c2-masterlist.txt 204 | ignore_regex: '^#' 205 | age_out: 206 | default: null 207 | sudden_death: true 208 | interval: 1800 209 | fieldnames: 210 | - indicator 211 | - bambenekconsulting_c2_ip 212 | - bambenekconsulting_c2_nsname 213 | - bambenekconsulting_c2_nsip 214 | - bambenekconsulting_description 215 | - bambenekconsulting_manpage 216 | attributes: 217 | type: domain 218 | confidence: 70 219 | share_level: red 220 | source_name: bambenekconsulting.c2_masterlist 221 | c2_masterlist_high: 222 | author: MineMeld Core Team 223 | development_status: STABLE 224 | node_type: miner 225 | indicator_types: 226 | - domain 227 | tags: 228 | - ConfidenceHigh 229 | - ShareLevelRed 230 | description: > 231 | C2 Domains, not sinkholed. 
High Confidence Only 232 | class: minemeld.ft.bambenek.Miner 233 | config: 234 | url: https://faf.bambenekconsulting.com/feeds/dga/c2-masterlist-high.txt 235 | ignore_regex: '^#' 236 | age_out: 237 | default: null 238 | sudden_death: true 239 | interval: 1800 240 | fieldnames: 241 | - indicator 242 | - bambenekconsulting_c2_ip 243 | - bambenekconsulting_c2_nsname 244 | - bambenekconsulting_c2_nsip 245 | - bambenekconsulting_description 246 | - bambenekconsulting_manpage 247 | attributes: 248 | type: domain 249 | confidence: 100 250 | share_level: red 251 | source_name: bambenekconsulting.c2_masterlist 252 | sinkhole: 253 | author: MineMeld Core Team 254 | development_status: STABLE 255 | node_type: miner 256 | indicator_types: 257 | - IPv4 258 | tags: 259 | - ConfidenceHigh 260 | - ShareLevelRed 261 | description: > 262 | IP of known sinkholes 263 | class: minemeld.ft.bambenek.Miner 264 | config: 265 | url: https://faf.bambenekconsulting.com/feeds/sinkhole/sinkhole.txt 266 | ignore_regex: '^#' 267 | age_out: 268 | default: null 269 | sudden_death: true 270 | interval: 1800 271 | fieldnames: 272 | - indicator 273 | - bambenekconsulting_sinkhole 274 | attributes: 275 | type: IPv4 276 | confidence: 100 277 | share_level: red 278 | source_name: bambenekconsulting.sinkhole 279 | -------------------------------------------------------------------------------- /prototypes/office365.yml: -------------------------------------------------------------------------------- 1 | url: 'https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US' 2 | description: > 3 | This reference article lists every endpoints used by Office 365. 
4 | If your organization restricts computers on your network from connecting to the Internet, 5 | this article lists the endpoints (FQDNs, Ports, URLs, IPv4, and IPv6 address ranges) that 6 | you should include in your outbound allow lists to ensure your computers can successfully 7 | use Office 365. 8 | 9 | prototypes: 10 | O365: 11 | author: MineMeld Core Team 12 | development_status: DEPRECATED 13 | node_type: miner 14 | indicator_types: 15 | - URL 16 | - IPv6 17 | - IPv4 18 | tags: 19 | - ShareLevelGreen 20 | - ConfidenceHigh 21 | description: > 22 | The endpoints listed in this section are only to support the portal and identity 23 | portion of Office 365. 24 | class: minemeld.ft.o365.O365XML 25 | config: 26 | products: 27 | - o365 28 | age_out: 29 | default: null 30 | sudden_death: true 31 | interval: 1800 32 | attributes: 33 | share_level: green 34 | 35 | exchangeOnline: 36 | author: MineMeld Core Team 37 | development_status: DEPRECATED 38 | node_type: miner 39 | indicator_types: 40 | - URL 41 | - IPv6 42 | - IPv4 43 | tags: 44 | - ShareLevelGreen 45 | - ConfidenceHigh 46 | description: > 47 | If you have licensed Exchange Online as a standalone or as part of a suite, you 48 | must be able to reach the following endpoints. 49 | class: minemeld.ft.o365.O365XML 50 | config: 51 | products: 52 | - EXO 53 | age_out: 54 | default: null 55 | sudden_death: true 56 | interval: 1800 57 | attributes: 58 | share_level: green 59 | 60 | skypeBusinessOnline: 61 | author: MineMeld Core Team 62 | development_status: DEPRECATED 63 | node_type: miner 64 | indicator_types: 65 | - URL 66 | - IPv6 67 | - IPv4 68 | tags: 69 | - ShareLevelGreen 70 | - ConfidenceHigh 71 | description: > 72 | If you have licensed Skype for Business Online as a standalone or as part of a 73 | suite, you must be able to reach the Office 365 portal and identity URLs as well 74 | as the Skype for Business Online URLs or IP addresses. 
75 | class: minemeld.ft.o365.O365XML 76 | config: 77 | products: 78 | - LYO 79 | age_out: 80 | default: null 81 | sudden_death: true 82 | interval: 1800 83 | attributes: 84 | share_level: green 85 | 86 | sharepointOnline: 87 | author: MineMeld Core Team 88 | development_status: DEPRECATED 89 | node_type: miner 90 | indicator_types: 91 | - URL 92 | - IPv6 93 | - IPv4 94 | tags: 95 | - ShareLevelGreen 96 | - ConfidenceHigh 97 | description: > 98 | If you have licensed SharePoint Online as a standalone or as part of a suite, 99 | you must be able to reach the Office 365 portal and identity URLs as well as 100 | the SharePoint Online URLs or IP addresses. 101 | class: minemeld.ft.o365.O365XML 102 | config: 103 | products: 104 | - SPO 105 | age_out: 106 | default: null 107 | sudden_death: true 108 | interval: 1800 109 | attributes: 110 | share_level: green 111 | 112 | exchangeOnlineProtection: 113 | author: MineMeld Core Team 114 | development_status: DEPRECATED 115 | node_type: miner 116 | indicator_types: 117 | - URL 118 | - IPv6 119 | - IPv4 120 | tags: 121 | - ShareLevelGreen 122 | - ConfidenceHigh 123 | description: > 124 | If you have licensed Exchange Online Protection (EOP) as a standalone or as part 125 | of a suite, you must be able to reach the Office 365 portal and identity URLs as 126 | well as the EOP IP addresses. 127 | class: minemeld.ft.o365.O365XML 128 | config: 129 | products: 130 | - EOP 131 | age_out: 132 | default: null 133 | sudden_death: true 134 | interval: 1800 135 | attributes: 136 | share_level: green 137 | 138 | O365RemoteAnalyzers: 139 | author: MineMeld Core Team 140 | development_status: DEPRECATED 141 | node_type: miner 142 | indicator_types: 143 | - URL 144 | - IPv6 145 | - IPv4 146 | tags: 147 | - ShareLevelGreen 148 | - ConfidenceHigh 149 | description: > 150 | This list of IPv4 IP addresses is the current list required for the Office 365 151 | remote analyzer tools. 
152 | class: minemeld.ft.o365.O365XML 153 | config: 154 | products: 155 | - RCA 156 | age_out: 157 | default: null 158 | sudden_death: true 159 | interval: 1800 160 | attributes: 161 | share_level: green 162 | 163 | yammer: 164 | author: MineMeld Core Team 165 | development_status: DEPRECATED 166 | node_type: miner 167 | indicator_types: 168 | - URL 169 | - IPv6 170 | - IPv4 171 | tags: 172 | - ShareLevelGreen 173 | - ConfidenceHigh 174 | description: > 175 | This list of URLs and IPv4 IP subnet is the current list required for Yammer. 176 | class: minemeld.ft.o365.O365XML 177 | config: 178 | products: 179 | - Yammer 180 | age_out: 181 | default: null 182 | sudden_death: true 183 | interval: 1800 184 | attributes: 185 | share_level: green 186 | 187 | O365ProPlus: 188 | author: MineMeld Core Team 189 | development_status: DEPRECATED 190 | node_type: miner 191 | indicator_types: 192 | - URL 193 | - IPv6 194 | - IPv4 195 | tags: 196 | - ShareLevelGreen 197 | - ConfidenceHigh 198 | description: > 199 | Here is the current list of endpoints PCs and Macs need to be able to access 200 | to use Office 365 ProPlus. 201 | class: minemeld.ft.o365.O365XML 202 | config: 203 | products: 204 | - ProPlus 205 | age_out: 206 | default: null 207 | sudden_death: true 208 | interval: 1800 209 | attributes: 210 | share_level: green 211 | 212 | officeOnline: 213 | author: MineMeld Core Team 214 | development_status: DEPRECATED 215 | node_type: miner 216 | indicator_types: 217 | - URL 218 | - IPv6 219 | - IPv4 220 | tags: 221 | - ShareLevelGreen 222 | - ConfidenceHigh 223 | description: > 224 | This list of IP addresses is the current list required for Office Web Apps. 
225 | class: minemeld.ft.o365.O365XML 226 | config: 227 | products: 228 | - WAC 229 | age_out: 230 | default: null 231 | sudden_death: true 232 | interval: 1800 233 | attributes: 234 | share_level: green 235 | 236 | officeiPad: 237 | author: MineMeld Core Team 238 | development_status: DEPRECATED 239 | node_type: miner 240 | indicator_types: 241 | - URL 242 | - IPv6 243 | - IPv4 244 | tags: 245 | - ShareLevelGreen 246 | - ConfidenceHigh 247 | description: > 248 | This is the current list of Office for iPad URLs. 249 | class: minemeld.ft.o365.O365XML 250 | config: 251 | products: 252 | - OfficeiPad 253 | age_out: 254 | default: null 255 | sudden_death: true 256 | interval: 1800 257 | attributes: 258 | share_level: green 259 | 260 | officeMobile: 261 | author: MineMeld Core Team 262 | development_status: DEPRECATED 263 | node_type: miner 264 | indicator_types: 265 | - URL 266 | - IPv6 267 | - IPv4 268 | tags: 269 | - ShareLevelGreen 270 | - ConfidenceHigh 271 | description: > 272 | This is the current list of Office Mobile URLs. 273 | class: minemeld.ft.o365.O365XML 274 | config: 275 | products: 276 | - OfficeMobile 277 | age_out: 278 | default: null 279 | sudden_death: true 280 | interval: 1800 281 | attributes: 282 | share_level: green 283 | 284 | planner: 285 | author: MineMeld Core Team 286 | development_status: DEPRECATED 287 | node_type: miner 288 | indicator_types: 289 | - URL 290 | - IPv6 291 | - IPv4 292 | tags: 293 | - ShareLevelGreen 294 | - ConfidenceHigh 295 | description: > 296 | This is the current list of Planner IPs and URLs. 
297 | class: minemeld.ft.o365.O365XML 298 | config: 299 | products: 300 | - Planner 301 | age_out: 302 | default: null 303 | sudden_death: true 304 | interval: 1800 305 | attributes: 306 | share_level: green 307 | 308 | oneNote: 309 | author: MineMeld Core Team 310 | development_status: DEPRECATED 311 | node_type: miner 312 | indicator_types: 313 | - URL 314 | - IPv6 315 | - IPv4 316 | tags: 317 | - ShareLevelGreen 318 | - ConfidenceHigh 319 | description: > 320 | This is the current list of OneNote IPs and URLs. 321 | class: minemeld.ft.o365.O365XML 322 | config: 323 | products: 324 | - OneNote 325 | age_out: 326 | default: null 327 | sudden_death: true 328 | interval: 1800 329 | attributes: 330 | share_level: green 331 | 332 | identity: 333 | author: MineMeld Core Team 334 | development_status: DEPRECATED 335 | node_type: miner 336 | indicator_types: 337 | - URL 338 | - IPv6 339 | - IPv4 340 | tags: 341 | - ShareLevelGreen 342 | - ConfidenceHigh 343 | description: > 344 | This is the current list of Office 365 authentication and 345 | identity IPs and URLs. 346 | class: minemeld.ft.o365.O365XML 347 | config: 348 | products: 349 | - identity 350 | age_out: 351 | default: null 352 | sudden_death: true 353 | interval: 1800 354 | attributes: 355 | share_level: green 356 | 357 | sway: 358 | author: MineMeld Core Team 359 | development_status: DEPRECATED 360 | node_type: miner 361 | indicator_types: 362 | - URL 363 | - IPv6 364 | - IPv4 365 | tags: 366 | - ShareLevelGreen 367 | - ConfidenceHigh 368 | description: > 369 | This is the current list of Sway IPs and URLs. 
370 | class: minemeld.ft.o365.O365XML 371 | config: 372 | products: 373 | - Sway 374 | age_out: 375 | default: null 376 | sudden_death: true 377 | interval: 1800 378 | attributes: 379 | share_level: green 380 | 381 | office365Video: 382 | author: MineMeld Core Team 383 | development_status: DEPRECATED 384 | node_type: miner 385 | indicator_types: 386 | - URL 387 | - IPv6 388 | - IPv4 389 | tags: 390 | - ShareLevelGreen 391 | - ConfidenceHigh 392 | description: > 393 | This is the current list of Office365 Video IPs and URLs. 394 | class: minemeld.ft.o365.O365XML 395 | config: 396 | products: 397 | - Office365Video 398 | age_out: 399 | default: null 400 | sudden_death: true 401 | interval: 1800 402 | attributes: 403 | share_level: green 404 | 405 | crls: 406 | author: MineMeld Core Team 407 | development_status: DEPRECATED 408 | node_type: miner 409 | indicator_types: 410 | - URL 411 | - IPv6 412 | - IPv4 413 | tags: 414 | - ShareLevelGreen 415 | - ConfidenceHigh 416 | description: > 417 | This is the current list of Office365 CRLs IPs and URLs. 418 | class: minemeld.ft.o365.O365XML 419 | config: 420 | products: 421 | - CRLs 422 | age_out: 423 | default: null 424 | sudden_death: true 425 | interval: 1800 426 | attributes: 427 | share_level: green 428 | 429 | Teams: 430 | author: MineMeld Core Team 431 | development_status: DEPRECATED 432 | node_type: miner 433 | indicator_types: 434 | - URL 435 | - IPv6 436 | - IPv4 437 | tags: 438 | - ShareLevelGreen 439 | - ConfidenceHigh 440 | description: > 441 | This is the current list of Office365 Teams IPs and URLs. 
442 | class: minemeld.ft.o365.O365XML 443 | config: 444 | products: 445 | - Teams 446 | age_out: 447 | default: null 448 | sudden_death: true 449 | interval: 1800 450 | attributes: 451 | share_level: green 452 | 453 | any: 454 | author: MineMeld Core Team 455 | development_status: DEPRECATED 456 | node_type: miner 457 | indicator_types: 458 | - URL 459 | - IPv6 460 | - IPv4 461 | tags: 462 | - ShareLevelGreen 463 | - ConfidenceHigh 464 | description: > 465 | This is the current list of IPs and URLs associated with 466 | any Office365 product. 467 | class: minemeld.ft.o365.O365XML 468 | config: 469 | products: [] 470 | age_out: 471 | default: null 472 | sudden_death: true 473 | interval: null 474 | attributes: 475 | share_level: green -------------------------------------------------------------------------------- /prototypes/ransomwaretracker.yml: -------------------------------------------------------------------------------- 1 | url: https://ransomwaretracker.abuse.ch/ 2 | description: > 3 | Ransomware Tracker as Dec 8th 2019 has been DEPRECATED. 4 | Ransomware Tracker tracks and monitors the status of domain names, 5 | IP addresses and URLs that are associated with Ransomware, such as 6 | Botnet C&C servers, distribution sites and payment sites. 7 | 8 | prototypes: 9 | CW_C2_URLBL: 10 | author: MineMeld Core Team 11 | development_status: DEPRECATED 12 | node_type: miner 13 | indicator_types: 14 | - URL 15 | tags: 16 | - OSINT 17 | - ConfidenceHigh 18 | - ShareLevelGreen 19 | description: DEPRECATED. 
CryptoWall C2 URLs 20 | config: 21 | source_name: ransomwaretracker.CW_C2_URLBL 22 | attributes: 23 | type: URL 24 | confidence: 100 25 | share_level: green 26 | ignore_regex: '^#' 27 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 28 | interval: 300 29 | age_out: 30 | default: null 31 | sudden_death: true 32 | class: minemeld.ft.http.HttpFT 33 | CW_C2_DOMBL: 34 | author: MineMeld Core Team 35 | development_status: DEPRECATED 36 | node_type: miner 37 | indicator_types: 38 | - domain 39 | tags: 40 | - OSINT 41 | - ConfidenceLow 42 | - ShareLevelGreen 43 | description: DEPRECATED. CryptoWall C2 domains 44 | config: 45 | source_name: ransomwaretracker.CW_C2_DOMBL 46 | attributes: 47 | type: domain 48 | confidence: 40 49 | share_level: green 50 | ignore_regex: '^#' 51 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 52 | interval: 300 53 | age_out: 54 | default: null 55 | sudden_death: true 56 | class: minemeld.ft.http.HttpFT 57 | CW_PS_DOMBL: 58 | author: MineMeld Core Team 59 | development_status: DEPRECATED 60 | node_type: miner 61 | indicator_types: 62 | - domain 63 | tags: 64 | - OSINT 65 | - ConfidenceHigh 66 | - ShareLevelGreen 67 | description: DEPRECATED. CryptoWall C2 Payment Sites domains 68 | config: 69 | source_name: ransomwaretracker.CW_PS_DOMBL 70 | attributes: 71 | type: domain 72 | confidence: 100 73 | share_level: green 74 | ignore_regex: '^#' 75 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 76 | interval: 300 77 | age_out: 78 | default: null 79 | sudden_death: true 80 | class: minemeld.ft.http.HttpFT 81 | CW_PS_IPBL: 82 | author: MineMeld Core Team 83 | development_status: DEPRECATED 84 | node_type: miner 85 | indicator_types: 86 | - IPv4 87 | tags: 88 | - OSINT 89 | - ConfidenceMedium 90 | - ShareLevelGreen 91 | - DirectionOutbound 92 | description: DEPRECATED. 
CryptoWall Payment Sites IPs 93 | config: 94 | source_name: ransomwaretracker.CW_PS_IPBL 95 | attributes: 96 | type: IPv4 97 | confidence: 70 98 | share_level: green 99 | direction: outbound 100 | ignore_regex: '^#' 101 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 102 | interval: 300 103 | age_out: 104 | default: null 105 | sudden_death: true 106 | class: minemeld.ft.http.HttpFT 107 | TC_C2_URLBL: 108 | author: MineMeld Core Team 109 | development_status: DEPRECATED 110 | node_type: miner 111 | indicator_types: 112 | - URL 113 | tags: 114 | - OSINT 115 | - ConfidenceHigh 116 | - ShareLevelGreen 117 | description: DEPRECATED. TeslaCrypt C2 URLs 118 | config: 119 | source_name: ransomwaretracker.TC_C2_URLBL 120 | attributes: 121 | type: URL 122 | confidence: 100 123 | share_level: green 124 | ignore_regex: '^#' 125 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 126 | interval: 300 127 | age_out: 128 | default: null 129 | sudden_death: true 130 | class: minemeld.ft.http.HttpFT 131 | TC_C2_DOMBL: 132 | author: MineMeld Core Team 133 | development_status: DEPRECATED 134 | node_type: miner 135 | indicator_types: 136 | - domain 137 | tags: 138 | - OSINT 139 | - ConfidenceLow 140 | - ShareLevelGreen 141 | description: DEPRECATED. TeslaCrypt C2 domains 142 | config: 143 | source_name: ransomwaretracker.TC_C2_DOMBL 144 | attributes: 145 | type: domain 146 | confidence: 40 147 | share_level: green 148 | ignore_regex: '^#' 149 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 150 | interval: 300 151 | age_out: 152 | default: null 153 | sudden_death: true 154 | class: minemeld.ft.http.HttpFT 155 | TC_PS_DOMBL: 156 | author: MineMeld Core Team 157 | development_status: DEPRECATED 158 | node_type: miner 159 | indicator_types: 160 | - domain 161 | tags: 162 | - OSINT 163 | - ConfidenceLow 164 | - ShareLevelGreen 165 | description: DEPRECATED. 
TeslaCrypt Payment Sites domains 166 | config: 167 | source_name: ransomwaretracker.TC_PS_DOMBL 168 | attributes: 169 | type: domain 170 | confidence: 40 171 | share_level: green 172 | ignore_regex: '^#' 173 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 174 | interval: 300 175 | age_out: 176 | default: null 177 | sudden_death: true 178 | class: minemeld.ft.http.HttpFT 179 | TC_PS_IPBL: 180 | author: MineMeld Core Team 181 | development_status: DEPRECATED 182 | node_type: miner 183 | indicator_types: 184 | - IPv4 185 | tags: 186 | - OSINT 187 | - ConfidenceMedium 188 | - ShareLevelGreen 189 | - DirectionOutbound 190 | description: DEPRECATED. TeslaCrypt Payment Sites IPs 191 | config: 192 | source_name: ransomwaretracker.TC_PS_IPBL 193 | attributes: 194 | type: IPv4 195 | confidence: 70 196 | share_level: green 197 | direction: outbound 198 | ignore_regex: '^#' 199 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 200 | interval: 300 201 | age_out: 202 | default: null 203 | sudden_death: true 204 | class: minemeld.ft.http.HttpFT 205 | TC_DS_URLBL: 206 | author: MineMeld Core Team 207 | development_status: DEPRECATED 208 | node_type: miner 209 | indicator_types: 210 | - URL 211 | tags: 212 | - OSINT 213 | - ConfidenceHigh 214 | - ShareLevelGreen 215 | description: DEPRECATED. TeslaCrypt Distribution Sites URLs 216 | config: 217 | source_name: ransomwaretracker.TC_DS_URLBL 218 | attributes: 219 | type: URL 220 | confidence: 100 221 | share_level: green 222 | ignore_regex: '^#' 223 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 224 | interval: 300 225 | age_out: 226 | default: null 227 | sudden_death: true 228 | class: minemeld.ft.http.HttpFT 229 | LY_C2_DOMBL: 230 | author: MineMeld Core Team 231 | development_status: DEPRECATED 232 | node_type: miner 233 | indicator_types: 234 | - domain 235 | tags: 236 | - OSINT 237 | - ConfidenceHigh 238 | - ShareLevelGreen 239 | description: DEPRECATED. 
Locky C2 domains 240 | config: 241 | source_name: ransomwaretracker.LY_C2_DOMBL 242 | attributes: 243 | type: domain 244 | confidence: 100 245 | share_level: green 246 | ignore_regex: '^#' 247 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 248 | interval: 300 249 | age_out: 250 | default: null 251 | sudden_death: true 252 | class: minemeld.ft.http.HttpFT 253 | LY_C2_IPBL: 254 | author: MineMeld Core Team 255 | development_status: DEPRECATED 256 | node_type: miner 257 | indicator_types: 258 | - IPv4 259 | tags: 260 | - OSINT 261 | - ConfidenceMedium 262 | - ShareLevelGreen 263 | - DirectionOutbound 264 | description: DEPRECATED. Locky IPs 265 | config: 266 | source_name: ransomwaretracker.LY_C2_IPBL 267 | attributes: 268 | type: IPv4 269 | confidence: 70 270 | share_level: green 271 | direction: outbound 272 | ignore_regex: '^#' 273 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 274 | interval: 300 275 | age_out: 276 | default: null 277 | sudden_death: true 278 | class: minemeld.ft.http.HttpFT 279 | LY_PS_DOMBL: 280 | author: MineMeld Core Team 281 | development_status: DEPRECATED 282 | node_type: miner 283 | indicator_types: 284 | - domain 285 | tags: 286 | - OSINT 287 | - ConfidenceHigh 288 | - ShareLevelGreen 289 | description: DEPRECATED. Locky Payment Sites domains 290 | config: 291 | source_name: ransomwaretracker.LY_PS_DOMBL 292 | attributes: 293 | type: domain 294 | confidence: 100 295 | share_level: green 296 | ignore_regex: '^#' 297 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 298 | interval: 300 299 | age_out: 300 | default: null 301 | sudden_death: true 302 | class: minemeld.ft.http.HttpFT 303 | LY_PS_IPBL: 304 | author: MineMeld Core Team 305 | development_status: DEPRECATED 306 | node_type: miner 307 | indicator_types: 308 | - IPv4 309 | tags: 310 | - OSINT 311 | - ConfidenceLow 312 | - ShareLevelGreen 313 | description: DEPRECATED. 
Locky Payment Sites IPs 314 | config: 315 | source_name: ransomwaretracker.LY_PS_IPBL 316 | attributes: 317 | type: IPv4 318 | confidence: 40 319 | share_level: green 320 | ignore_regex: '^#' 321 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 322 | interval: 300 323 | age_out: 324 | default: null 325 | sudden_death: true 326 | class: minemeld.ft.http.HttpFT 327 | LY_DS_URLBL: 328 | author: MineMeld Core Team 329 | development_status: DEPRECATED 330 | node_type: miner 331 | indicator_types: 332 | - URL 333 | tags: 334 | - OSINT 335 | - ConfidenceHigh 336 | - ShareLevelGreen 337 | description: DEPRECATED. Locky Distribution Sites URLs 338 | config: 339 | source_name: ransomwaretracker.LY_DS_URLBL 340 | attributes: 341 | type: URL 342 | confidence: 100 343 | share_level: green 344 | ignore_regex: '^#' 345 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 346 | interval: 300 347 | age_out: 348 | default: null 349 | sudden_death: true 350 | class: minemeld.ft.http.HttpFT 351 | TL_C2_DOMBL: 352 | author: MineMeld Core Team 353 | development_status: DEPRECATED 354 | node_type: miner 355 | indicator_types: 356 | - domain 357 | tags: 358 | - OSINT 359 | - ConfidenceHigh 360 | - ShareLevelGreen 361 | description: DEPRECATED. TorrentLocker C2 domains 362 | config: 363 | source_name: ransomwaretracker.TL_C2_DOMBL 364 | attributes: 365 | type: domain 366 | confidence: 100 367 | share_level: green 368 | ignore_regex: '^#' 369 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 370 | interval: 300 371 | age_out: 372 | default: null 373 | sudden_death: true 374 | class: minemeld.ft.http.HttpFT 375 | TL_C2_IPBL: 376 | author: MineMeld Core Team 377 | development_status: DEPRECATED 378 | node_type: miner 379 | indicator_types: 380 | - IPv4 381 | tags: 382 | - OSINT 383 | - ConfidenceMedium 384 | - ShareLevelGreen 385 | - DirectionOutbound 386 | description: DEPRECATED. 
TorrentLocker C2 IPs 387 | config: 388 | source_name: ransomwaretracker.TL_C2_IPBL 389 | attributes: 390 | type: IPv4 391 | confidence: 70 392 | share_level: green 393 | direction: outbound 394 | ignore_regex: '^#' 395 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 396 | interval: 300 397 | age_out: 398 | default: null 399 | sudden_death: true 400 | class: minemeld.ft.http.HttpFT 401 | TL_PS_DOMBL: 402 | author: MineMeld Core Team 403 | development_status: DEPRECATED 404 | node_type: miner 405 | indicator_types: 406 | - domain 407 | tags: 408 | - OSINT 409 | - ConfidenceHigh 410 | - ShareLevelGreen 411 | description: DEPRECATED. TorrentLocker Payment Sites domains 412 | config: 413 | source_name: ransomwaretracker.TL_PS_DOMBL 414 | attributes: 415 | type: domain 416 | confidence: 100 417 | share_level: green 418 | ignore_regex: '^#' 419 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 420 | interval: 300 421 | age_out: 422 | default: null 423 | sudden_death: true 424 | class: minemeld.ft.http.HttpFT 425 | TL_PS_IPBL: 426 | author: MineMeld Core Team 427 | development_status: DEPRECATED 428 | node_type: miner 429 | indicator_types: 430 | - IPv4 431 | tags: 432 | - OSINT 433 | - ConfidenceMedium 434 | - ShareLevelGreen 435 | - DirectionOutbound 436 | description: DEPRECATED. TorrentLocker Payment Sites IPs 437 | config: 438 | source_name: ransomwaretracker.TL_PS_IPBL 439 | attributes: 440 | type: IPv4 441 | confidence: 70 442 | share_level: green 443 | direction: outbound 444 | ignore_regex: '^#' 445 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 446 | interval: 300 447 | age_out: 448 | default: null 449 | sudden_death: true 450 | class: minemeld.ft.http.HttpFT 451 | RW_DOMBL: 452 | author: MineMeld Core Team 453 | development_status: DEPRECATED 454 | node_type: miner 455 | indicator_types: 456 | - domain 457 | tags: 458 | - OSINT 459 | - ConfidenceHigh 460 | - ShareLevelGreen 461 | description: DEPRECATED. 
Combined Ransomware domains 462 | config: 463 | source_name: ransomwaretracker.RW_DOMBL 464 | attributes: 465 | type: domain 466 | confidence: 100 467 | share_level: green 468 | ignore_regex: '^#' 469 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 470 | interval: 300 471 | age_out: 472 | default: null 473 | sudden_death: true 474 | class: minemeld.ft.http.HttpFT 475 | RW_URLBL: 476 | author: MineMeld Core Team 477 | development_status: DEPRECATED 478 | node_type: miner 479 | indicator_types: 480 | - URL 481 | tags: 482 | - OSINT 483 | - ConfidenceHigh 484 | - ShareLevelGreen 485 | description: DEPRECATED. Combined Ransomware URLs 486 | config: 487 | source_name: ransomwaretracker.RW_URLBL 488 | attributes: 489 | type: URL 490 | confidence: 100 491 | share_level: green 492 | ignore_regex: '^#' 493 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 494 | interval: 300 495 | age_out: 496 | default: null 497 | sudden_death: true 498 | class: minemeld.ft.http.HttpFT 499 | RW_IPBL: 500 | author: MineMeld Core Team 501 | development_status: DEPRECATED 502 | node_type: miner 503 | indicator_types: 504 | - IPv4 505 | tags: 506 | - OSINT 507 | - ConfidenceMedium 508 | - ShareLevelGreen 509 | - DirectionOutbound 510 | description: DEPRECATED. 
Combined Ransomware IPs 511 | config: 512 | source_name: ransomwaretracker.RW_IPBL 513 | attributes: 514 | type: IPv4 515 | confidence: 70 516 | share_level: green 517 | direction: outbound 518 | ignore_regex: '^#' 519 | url: https://minemeld-updates.panw.io/deprecated-feed.txt 520 | interval: 300 521 | age_out: 522 | default: null 523 | sudden_death: true 524 | class: minemeld.ft.http.HttpFT 525 | -------------------------------------------------------------------------------- /prototypes/o365-api.yml: -------------------------------------------------------------------------------- 1 | url: 'https://support.office.com/en-us/article/managing-office-365-endpoints-99cab9d4-ef59-4207-9f2b-3728eb46bf9a#ID0EACAAA=4._Web_service' 2 | description: > 3 | Prototypes for working with the O365 API. 4 | 5 | prototypes: 6 | worldwide-any: 7 | author: MineMeld Core Team 8 | development_status: STABLE 9 | node_type: miner 10 | indicator_types: 11 | - URL 12 | - IPv6 13 | - IPv4 14 | tags: 15 | - ShareLevelGreen 16 | - ConfidenceHigh 17 | description: > 18 | Endpoints for O365, worldwide instance, any service 19 | class: minemeld.ft.o365.O365API 20 | config: 21 | instance: Worldwide 22 | service_areas: null 23 | age_out: 24 | default: null 25 | sudden_death: true 26 | interval: 1800 27 | attributes: 28 | confidence: 100 29 | share_level: green 30 | worldwide-common: 31 | author: MineMeld Core Team 32 | development_status: STABLE 33 | node_type: miner 34 | indicator_types: 35 | - URL 36 | - IPv6 37 | - IPv4 38 | tags: 39 | - ShareLevelGreen 40 | - ConfidenceHigh 41 | description: > 42 | Endpoints for O365, worldwide instance, Common endpoints 43 | class: minemeld.ft.o365.O365API 44 | config: 45 | instance: Worldwide 46 | service_areas: 47 | - Common 48 | age_out: 49 | default: null 50 | sudden_death: true 51 | interval: 1800 52 | attributes: 53 | confidence: 100 54 | share_level: green 55 | worldwide-skype: 56 | author: MineMeld Core Team 57 | development_status: STABLE 58 | 
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, worldwide instance, Skype service
    class: minemeld.ft.o365.O365API
    config:
      instance: Worldwide
      service_areas:
        - Skype
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  worldwide-exchange:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, worldwide instance, Exchange service
    class: minemeld.ft.o365.O365API
    config:
      instance: Worldwide
      service_areas:
        - Exchange
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  worldwide-sharepoint:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, worldwide instance, SharePoint service
    class: minemeld.ft.o365.O365API
    config:
      instance: Worldwide
      service_areas:
        - SharePoint
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  china-any:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, China instance, any service
    class: minemeld.ft.o365.O365API
    config:
      instance: China
      service_areas: null
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  china-common:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, China instance, Common endpoints
    class: minemeld.ft.o365.O365API
    config:
      instance: China
      service_areas:
        - Common
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  china-skype:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, China instance, Skype service
    class: minemeld.ft.o365.O365API
    config:
      instance: China
      service_areas:
        - Skype
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  china-exchange:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, China instance, Exchange service
    class: minemeld.ft.o365.O365API
    config:
      instance: China
      service_areas:
        - Exchange
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  china-sharepoint:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, China instance, SharePoint service
    class: minemeld.ft.o365.O365API
    config:
      instance: China
      service_areas:
        - SharePoint
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  germany-any:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, Germany instance, any service
    class: minemeld.ft.o365.O365API
    config:
      instance: Germany
      service_areas: null
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  germany-common:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, Germany instance, Common endpoints
    class: minemeld.ft.o365.O365API
    config:
      instance: Germany
      service_areas:
        - Common
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  germany-skype:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, Germany instance, Skype service
    class: minemeld.ft.o365.O365API
    config:
      instance: Germany
      service_areas:
        - Skype
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  germany-exchange:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, Germany instance, Exchange service
    class: minemeld.ft.o365.O365API
    config:
      instance: Germany
      service_areas:
        - Exchange
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  germany-sharepoint:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, Germany instance, SharePoint service
    class: minemeld.ft.o365.O365API
    config:
      instance: Germany
      service_areas:
        - SharePoint
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  usgovdod-any:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, USGovDoD instance, any service
    class: minemeld.ft.o365.O365API
    config:
      instance: USGovDoD
      service_areas: null
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  usgovdod-common:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, USGovDoD instance, Common endpoints
    class: minemeld.ft.o365.O365API
    config:
      instance: USGovDoD
      service_areas:
        - Common
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  usgovdod-skype:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, USGovDoD instance, Skype service
    class: minemeld.ft.o365.O365API
    config:
      instance: USGovDoD
      service_areas:
        - Skype
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  usgovdod-exchange:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, USGovDoD instance, Exchange service
    class: minemeld.ft.o365.O365API
    config:
      instance: USGovDoD
      service_areas:
        - Exchange
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  usgovdod-sharepoint:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, USGovDoD instance, SharePoint service
    class: minemeld.ft.o365.O365API
    config:
      instance: USGovDoD
      service_areas:
        - SharePoint
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  usgovgcchigh-any:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, USGovGCCHigh instance, any service
    class: minemeld.ft.o365.O365API
    config:
      instance: USGovGCCHigh
      service_areas: null
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  usgovgcchigh-common:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, USGovGCCHigh instance, Common endpoints
    class: minemeld.ft.o365.O365API
    config:
      instance: USGovGCCHigh
      service_areas:
        - Common
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  usgovgcchigh-skype:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, USGovGCCHigh instance, Skype service
    class: minemeld.ft.o365.O365API
    config:
      instance: USGovGCCHigh
      service_areas:
        - Skype
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  usgovgcchigh-exchange:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, USGovGCCHigh instance, Exchange service
    class: minemeld.ft.o365.O365API
    config:
      instance: USGovGCCHigh
      service_areas:
        - Exchange
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  usgovgcchigh-sharepoint:
    author: MineMeld Core Team
    development_status: STABLE
    node_type: miner
    indicator_types:
      - URL
      - IPv6
      - IPv4
    tags:
      - ShareLevelGreen
      - ConfidenceHigh
    description: >
      Endpoints for O365, USGovGCCHigh instance, SharePoint service
    class: minemeld.ft.o365.O365API
    config:
      instance: USGovGCCHigh
      service_areas:
        - SharePoint
      age_out:
        default: null
        sudden_death: true
      interval: 1800
      attributes:
        confidence: 100
        share_level: green
  feed-no-3rdparty:
    author: MineMeld Core Team
    development_status: DEPRECATED
    node_type: output
    indicator_types: [ any ]
    tags:
      - ConfidenceHigh
      - ShareLevelGreen
    description: >
      EDL for O365 URLs and IPs excluding 3rd party integrations.
      Deprecated, disable integrations on the Miner instead
    class: minemeld.ft.redis.RedisSet
    config:
      infilters:
        - name: drop integrations
          conditions:
            - contains(o365_notes, 'integration') == true
          actions:
            - drop
        - name: accept withdraws
          conditions:
            - __method == 'withdraw'
          actions:
            - accept
        - name: accept confidence > 75 and share level green
          conditions:
            - confidence > 75
            - share_level == 'green'
          actions:
            - accept
        - name: drop all
          actions:
            - drop
--------------------------------------------------------------------------------
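The infilters of the feed-no-3rdparty output node are a first-match chain: integration endpoints are dropped before anything else, withdraws are accepted regardless of confidence, and only high-confidence green indicators reach the EDL. As an added example (not code from this repository or from MineMeld itself), the Python below re-implements that rule order over constructed indicators; its condition parser is a deliberate simplification covering only the shapes this prototype uses, not MineMeld's own condition language.

```python
import operator
import re

# Rules copied from the feed-no-3rdparty prototype above: a rule applies only when
# all of its conditions hold, and the first applicable rule decides the action.
INFILTERS = [
    {"name": "drop integrations",
     "conditions": ["contains(o365_notes, 'integration') == true"], "actions": ["drop"]},
    {"name": "accept withdraws", "conditions": ["__method == 'withdraw'"], "actions": ["accept"]},
    {"name": "accept confidence > 75 and share level green",
     "conditions": ["confidence > 75", "share_level == 'green'"], "actions": ["accept"]},
    {"name": "drop all", "actions": ["drop"]},
]

# Assumption: a small grammar written for this example, not MineMeld's condition language.
_CONTAINS = re.compile(r"^contains\((\w+), '([^']*)'\) == true$")
_COMPARE = re.compile(r"^(\w+) (==|>|<|>=|<=) (?:'([^']*)'|(\d+))$")
_OPS = {"==": operator.eq, ">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}

def eval_condition(cond, method, value):
    """Evaluate one condition against an indicator's method and attribute dict."""
    m = _CONTAINS.match(cond)
    if m:
        field, needle = m.groups()
        notes = value.get(field) or []  # o365_notes may be a string or a list
        return needle in notes if isinstance(notes, str) else any(needle in str(n) for n in notes)
    m = _COMPARE.match(cond)
    if m is None:
        raise ValueError("unsupported condition: %s" % cond)
    field, op, text, number = m.groups()
    actual = method if field == "__method" else value.get(field)
    expected = text if text is not None else int(number)
    try:
        return _OPS[op](actual, expected)
    except TypeError:  # a missing attribute or wrong type never satisfies a comparison
        return False

def apply_infilters(method, value, infilters=INFILTERS):
    """Return 'accept' or 'drop' for one indicator; the first matching rule wins."""
    for rule in infilters:
        if all(eval_condition(c, method, value) for c in rule.get("conditions", [])):
            return rule["actions"][0]
    return "accept"  # unreachable here: 'drop all' has no conditions

# Constructed sample indicators (not real O365 API output) exercising the rule order.
SAMPLES = {
    "integration": ("update", {"confidence": 100, "share_level": "green",
                               "o365_notes": "constructed note: third-party integration"}),
    "withdraw": ("withdraw", {"confidence": 0}),  # withdraws pass even at low confidence
    "low_confidence": ("update", {"confidence": 70, "share_level": "green"}),
}
```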