Feeds
Virus total
VirusTotal – VirusTotal inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a myriad of tools to extract signals from the studied content. Any user can select a file from their computer using their browser and send it to VirusTotal. VirusTotal offers a number of file submission methods, including the primary public web interface, desktop uploaders, browser extensions and a programmatic API. The web interface has the highest scanning priority among the publicly available submission methods. Submissions may be scripted in any programming language using the HTTP-based public API.
As with files, URLs can be submitted via several different means including the VirusTotal webpage, browser extensions and the API.
Upon submitting a file or URL basic results are shared with the submitter, and also between the examining partners, who use results to improve their own systems. As a result, by submitting files, URLs, domains, etc. to VirusTotal you are contributing to raise the global IT security level.
This core analysis is also the basis for several other features, including the VirusTotal Community: a network that allows users to comment on files and URLs and share notes with each other. VirusTotal can be useful in detecting malicious content and also in identifying false positives – normal and harmless items detected as malicious by one or more scanners.
Available methods:
Shodan
Shodan – Technically, Shodan can be classified as a port scanner that searches public IP ranges and indexes data such as banners obtained (e.g., the Server response header received with the response to an HTTP request), SSL certificate information, geographic location, operating system or potential vulnerabilities. The search of public IP addresses is done randomly. IP addresses and ports to be scanned are randomized to get the most coverage and no predictable scanning order.
The main information you can see in Shodan when displaying details for an IP address of interest is geographic location, technology information, a list of open ports and available services, and banners for those services. Each service exposed to the Internet on a network device has a port assigned to it.
Available methods:
Censys
Censys – Censys is a search engine for information about any device connected to the Internet. Servers, home routers and even cars - all devices connected to the global network are scanned and analyzed daily.
Censys is a service largely similar to Shodan. However, the new search engine for Internet-connected hosts has several important advantages. First, it is completely free, while Shodan is becoming increasingly commercial. Second, the database of Internet-connected devices is more up-to-date and contains a lot of unique information.
Censys is powered by data from daily scans of the entire range of IPv4 address space. ZMap and ZGrab tools were used. The former scans addresses, while the latter, for active hosts, extracts more advanced information about individual network services. A scan of the entire IPv4 Internet takes only a few hours.
Available methods:
MISP
MISP – misp-warninglists are lists of well-known indicators that can be associated to potential false positives, errors or mistakes. The warning lists are integrated in MISP to display an info/warning box at the event and attribute level if such indicators are available in one of the list. The lists are also used to filter potential false-positive at API level. The list can be globally enabled or disabled in MISP following the practices of the organization. The warning lists are reused in many other open source projects.
Available methods:
SSLBL
SSLBL – The SSL Blacklist (SSLBL) is a project of abuse.ch with the goal of detecting malicious SSL connections, by identifying and blacklisting SSL certificates used by botnet C&C servers. In addition, SSLBL identifies JA3 fingerprints that helps you to detect & block malware botnet C&C communication on the TCP layer.
Available methods:
AlienVault
AlienVault – AlienVault Open Threat Exchange is an open community that allows participants to learn about the latest threats, research indicators of compromise observed in their environments, share threats they have identified, and automatically update their security infrastructure with the latest indicators to defend their environment.
OTX Direct Connect agents provide a way to automatically update your security infrastructure with pulses you have subscribed to from with Open Threat Exchange. By using Direct Connect, the indicators contained within the pulses you have subscribed to can be downloaded and made locally available for other applications such as Intrusion Detection Systems, Firewalls, and other security-focused applications.
OTX Direct Connect provides a mechanism to automatically pull indicators of compromise from the Open Threat Exchange portal into your environment. The DirectConnect API provides access to all Pulses that you have subscribed to in Open Threat Exchange (https://otx.alienvault.com).
Available methods:
Spamhaus
Spamhaus – Spamhaus analyzes large amounts of data and compiles a list of Internet resources that have a bad reputation due to their association with malicious activity. Internet resources refer to domains, IP addresses, email addresses, cryptocurrency wallet addresses and malware files.
Malicious activities include all kinds of phishing, ransomware, malware and spam. According to Spamhaus, “spam” means any message sent in bulk and unsolicited. In a 24-hour period, Spamhaus evaluates and processes about three million domains, four billion SMTP connections and about eighteen thousand malware samples. IT and security specialists use lists of domains and IP addresses analyzed by Spamhaus
Available methods:
TOR
TOR - TOR is free software for enabling anonymous communication. The name is derived from the acronym for the original software project: “The Onion Router”. TOR Exit Nodes are specific gateways where encrypted TOR traffic hits the Internet.
This module compare IP adress with a full list of the active TOR exit nodes as reported by torproject.org.
Available methods:
