MISP feeds are threat intelligence sources that can be automatically pulled into MISP.
Feeds provide structured information about threats, including IoCs, data about vulnerabilities, and malware reports. They can be automatically sent to connected systems, such as SIEM tools, or manually reviewed by security analysts.
Feeds are one of the things that make MISP so powerful. They allow your organisation to benefit from the work of thousands of analysts in the security community, and to receive information about newly discovered threats in real time.
There are three main types of MISP feeds available:
1. Open threat intelligence feeds. Publicly maintained feeds that are accessible to anyone in the security community. Many of the most popular OSINT feeds are included in MISP by default.
2. Commercial feeds. These feeds must be commercially licensed and are created or collated by private security researchers.
3. Custom feeds. Custom MISP feeds are created for a specific purpose and tailored to the needs of the recipient.
MISP includes over 50 pre-configured OSINT feeds by default. To enable some or all of these, navigate to Sync Actions > Feeds. Above the list of feeds, click the 'Default feeds' tab. From there, check the box beside any feeds you want to enable, and click the 'Enable selected' button that appears. Select 'Yes' in the popup window.
To actually start pulling in feed data from your newly enabled feeds, you'll need to click the 'Fetch and store all feed data' button.
This will trigger background jobs in MISP to pull in feed data. To view the progress of running jobs, navigate to Administration > Jobs. When the running jobs are complete, you can view the imported event data by navigating to Event Actions, then 'List Events'.
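The same enable-and-fetch procedure can be scripted against MISP's REST API, which is useful when the feed set must be reproducible across instances. This is an added example, not code from the MISP project: the feed index below is a constructed sample (ids, names and URLs are made up), the endpoint paths are taken from MISP's REST API, and the selection step deliberately skips feeds served over plain HTTP, since a feed fetched without transport protection can be altered in transit and would then be ingested as trusted intel.

```python
import json
import urllib.request

# Constructed sample of the list MISP returns from GET /feeds/index (trimmed to
# the fields used here); ids, providers and URLs are made up for this example.
SAMPLE_FEED_INDEX = [
    {"Feed": {"id": "1", "name": "Feed A", "provider": "CIRCL",
              "url": "https://feed-a.example.org/misp", "enabled": False, "default": True}},
    {"Feed": {"id": "2", "name": "Feed B", "provider": "abuse.ch",
              "url": "https://feed-b.example.org/list.csv", "enabled": True, "default": True}},
    {"Feed": {"id": "3", "name": "Feed C", "provider": "CIRCL",
              "url": "http://feed-c.example.org/misp", "enabled": False, "default": True}},
    {"Feed": {"id": "4", "name": "Feed D", "provider": "example-corp",
              "url": "https://feed-d.example.net/misp", "enabled": False, "default": False}},
]

def select_feeds(index, providers, only_default=True, require_https=True):
    """Ids of feeds to enable: trusted provider, not yet enabled, shipped as a
    MISP default unless only_default is False, and HTTPS unless require_https
    is False (plain-HTTP feeds can be tampered with in transit)."""
    chosen = []
    for item in index:
        feed = item["Feed"]
        if feed["provider"] not in providers or feed["enabled"]:
            continue
        if only_default and not feed["default"]:
            continue
        if require_https and not feed["url"].lower().startswith("https://"):
            continue
        chosen.append(feed["id"])
    return chosen

def misp_call(base_url, api_key, path, method="GET"):
    """One authenticated call to MISP's REST API, returning the decoded JSON."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path, method=method,
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read().decode("utf-8"))

def enable_and_fetch(base_url, api_key, providers):
    """Enable the selected feeds and queue a fetch job for each, mirroring the
    'Enable selected' and 'Fetch and store all feed data' buttons."""
    index = misp_call(base_url, api_key, "/feeds/index")
    ids = select_feeds(index, providers)
    for fid in ids:
        misp_call(base_url, api_key, f"/feeds/enable/{fid}", method="POST")
        misp_call(base_url, api_key, f"/feeds/fetchFromFeed/{fid}")
    return ids
```

Progress of the queued jobs is still visible under Administration > Jobs, exactly as after clicking the button in the UI.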
MISP includes several dozen OSINT feeds out of the box. Here's a rundown of all of them and a summary of what they offer.
DiamondFox panels
Publisher: Unit42 by Palo Alto Networks
A collection of command-and-control (C2) panels used in cybercriminal operations, specifically related to the management of various malware and cyber attack tools. These panels are often associated with the DiamondFox malware family, which is known for its capabilities in managing and deploying malicious software for various purposes, including data theft, credential harvesting, and other cybercriminal activities.
abuse.ch SSL IP Blacklist
Publisher: abuse.ch
The SSL Certificate Blacklist (CSV) is a file containing the SHA1 fingerprints of all SSL certificates that have been blacklisted on SSLBL. This CSV format is particularly useful for those who wish to process the blacklisted certificates further, such as importing them into a SIEM (Security Information and Event Management) system. The CSV includes the following data:
- Date of listing (in UTC)
- SHA1 fingerprint of the blacklisted SSL certificate
- Reason for the blacklist
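Because the CSV has exactly the three columns listed above, it is simple to parse outside MISP too, for instance to match certificate fingerprints seen in TLS logs. The following is an added example, not abuse.ch's or MISP's own code: the CSV content is a constructed sample with made-up fingerprints, and the parser rejects rows whose fingerprint is not 40 hex characters so that a malformed or truncated download cannot silently produce bad indicators.

```python
import csv
import re
from datetime import datetime, timezone

# Constructed sample in the layout the article lists (date, SHA1, reason); the
# fingerprints below are made-up hex values, not real SSLBL entries.
SAMPLE_SSLBL_CSV = """\
# SSLBL sample, constructed for this example
# Listingdate,SHA1,Listingreason
2024-03-01 08:15:00,0123456789abcdef0123456789abcdef01234567,Constructed botnet C&C
2024-03-02 09:30:00,89ABCDEF0123456789ABCDEF0123456789ABCDEF,Constructed malware distribution
2024-03-03 10:00:00,not-a-fingerprint,Malformed line that must be rejected
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_sslbl(text):
    """Parse the CSV into {sha1: (listed_utc, reason)}. Comment lines are
    skipped; rows without three columns or with a non-SHA1 fingerprint are
    returned separately as rejected. Fingerprints are lower-cased."""
    entries, rejected = {}, []
    rows = csv.reader(l for l in text.splitlines() if l.strip() and not l.startswith("#"))
    for row in rows:
        if len(row) != 3:
            rejected.append(row)
            continue
        listed, sha1, reason = (c.strip() for c in row)
        sha1 = sha1.lower()
        if not SHA1_RE.match(sha1):
            rejected.append(row)
            continue
        listed_utc = datetime.strptime(listed, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        entries[sha1] = (listed_utc, reason)
    return entries, rejected

def match_fingerprint(entries, observed):
    """Normalise a fingerprint as TLS loggers often print it (colon-separated,
    mixed case) and return the blacklist entry if it is listed, else None."""
    return entries.get(observed.replace(":", "").lower())

def to_misp_attributes(entries):
    """Shape entries as MISP attributes of type x509-fingerprint-sha1 (the
    attribute type MISP uses for certificate fingerprints)."""
    return [{"type": "x509-fingerprint-sha1", "value": sha1, "comment": reason,
             "first_seen": ts.isoformat()} for sha1, (ts, reason) in entries.items()]
```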
CIRCL OSINT Feed
Publisher: CIRCL
Aggregates IoCs from various open-source intelligence sources, including malware reports, phishing domains, and other threat intelligence platforms.
Cybercrime Tracker
Publisher: cybercrime-tracker.net
IoCs related to cybercrime activities.
DigitalSide Threat-Intel OSINT Feed
Publisher: DigitalSide
A set of Open Source Cyber Threat Intelligence information, mostly based on malware analysis and compromised URLs, IPs and domains.
AlienVault Reputation Generic
Publisher: LevelBlue (FKA AlienVault)
The AlienVault Reputation Generic Feed is a threat intelligence feed provided by AlienVault (now part of AT&T Cybersecurity) as part of its Open Threat Exchange (OTX) platform. This feed includes IP addresses that have been identified as malicious based on various indicators such as malware distribution, phishing, command and control (C2) servers, and other suspicious activities.
CyberCure - IP Feed
Publisher: cybercure.ai
The feed includes IP addresses flagged for activities such as hosting phishing sites, distributing malware, or participating in botnet operations.
All current domains belonging to known malicious DGAs
Publisher: Bambenek Consulting
Provides a list of domains that are generated by algorithms typically used by malware for command and control (C2) purposes. DGAs create a large number of domain names that can be used by malware to evade detection and maintain connectivity to their operators.
blocklist.de/lists/all.txt
Publisher: Blocklist.de
A text file that contains a comprehensive list of domains and IP addresses identified as sources of malware, spam, and other malicious activities.
blocklist.greensnow.co
Publisher: greensnow.co
A comprehensive blocklist of domains and IP addresses associated with malicious activities, including malware distribution and phishing attacks.
ci-badguys.txt
Publisher: The CINS Score
The ci-badguys.txt file from cinsscore.com is a text-based blocklist that contains a list of IP addresses and domains associated with malicious activity.
CyberCure - Blocked URL Feed
Publisher: cybercure.ai
The feed contains URLs that have been flagged for their association with cybercrime.
ProofPoint Emerging Threats Rules
Publisher: ProofPoint
Emerging Threats offers a range of rule sets, including those tailored for specific threat types, such as malware, botnets, and exploit kits. The rules can be integrated into security tools like Snort and Suricata, enabling automated detection and response to threats.
CyberCure Hash Feed
Publisher: cybercure.ai
Provides a list of hash values (typically MD5, SHA1, or SHA256) associated with known malicious files and software.
This is a work in progress and more threat intelligence feeds will be added over time. Thanks for your patience!