Top-100 Malicious IP STIX Feed

Top-100 Malicious IP STIX Feed
Yesterday, we were contacted by one of our readers who asked if we provide a STIX feed of our blocked list or top-100 suspicious IP addresses. STIX[1] means “Structured Threat Information eXpression” and enables organizations to share indicator of compromise (IOC) with peers in a consistent and machine readable manner. The ISC already provides an API[2] that allows you to query our databases. The following query will return the top-100 bad IP addresses: (output has been beautified) $ curl https://isc.sans.edu/api/topips/records/100 <?xml version="1.0" encoding="UTF-8"?> <topips> <ipaddress> <rank>1</rank> <source>046.101.124.074</source> <reports>132723</reports> <targets>110</targets> </ipaddress><ipaddress> <rank>2</rank> <source>130.211.015.150</source> <reports>21166</reports> <targets>4474</targets> </ipaddress><ipaddress> ... </ipaddress> You can select the output format by appending a “?<format>” at the end of the URL. Supported formats are: xml, text, json, php. The different formats make the output easy to integrate into third-party application but our reader’s comment was legit. If they are standards like STIX, why not use them? Python has a module[3] to handle STIX data. I wrote a quick script to convert the output of the "/topips/records/100" API call into a STIX 1.2 XML format: <stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:example="http://example.com" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:xlink="http://www.w3.org/1999/xlink" id="example:Package-05d930dd-db95-4ef0-928e-6a697a1d54e0" version="1.2"> <stix:STIX_Header/> <stix:Indicators> <stix:Indicator id="example:indicator-c0d228b3-8f67-44f9-add9-7b48936586d4" timestamp="2017-11-17T07:41:00.355151+00:00" xsi:type='indicator:IndicatorType'> <indicator:Title>SANS ISC Malicious IP</indicator:Title> <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type> <indicator:Observable id="example:Observable-7e3046bd-ea5e-4998-9520-d3ee84a8a266"> <cybox:Object id="example:Address-9e46b000-bf82-47aa-ab40-84d088174470"> <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr"> <AddressObj:Address_Value>46.101.124.74</AddressObj:Address_Value> </cybox:Properties> </cybox:Object> </indicator:Observable> </stix:Indicator> </stix:Indicators> </stix:STIX_Package> The script is available in my GitHub repository[4]. If you want to test, I'm publishing a live feed[5] (updated every 2 hours). Let me know if it's useful to you, if the STIX file is correct (read: I'm not a STIX guru) or if you need some improvements. [1] https://stixproject.github.io/ [2] https://isc.sans.edu/api/ [3] https://github.com/STIXProject/python-stix [4] https://github.com/xme/toolbox/blob/master/isc2stix.py [5] https://misp.truesec.be/isc-top-100-stix.xml Xavier Mertens (@xme) ISC Handler - Freelance Security Consultant PGP Key I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Paris March 2021	Xme 579 Posts ISC Handler Nov 17th 2017
Thread locked Subscribe	Nov 17th 2017 3 years ago
This worked great! I am able to pop the URL directly into my intelligence feeds with no issue at all. Thank you for the quick response to my original ask!	chrisl1977 6 Posts
Quote	Nov 17th 2017 3 years ago
This is great - thanks for making this data available in STIX. Your STIX looks good, the only change I would suggest making is adding the "condition" attribute to the IP address value: > ip.condition = "Equals" Otherwise, I would suggest also making this available in the new STIX 2.0 JSON format. You can use the cti-stix-elevator utility to do this, which takes as input a STIX 1.2 XML file: https://github.com/oasis-open/cti-stix-elevator Regards, Ivan	ikiril01 2 Posts
Quote	Nov 20th 2017 3 years ago
Thank you for your feedback, Ivan! I'll have a look at this and update the feed. I'm not a STIX guru	Xme 579 Posts ISC Handler
Quote	Nov 21st 2017 3 years ago
Changes completed. There are two feeds available now: misp.truesec.be/… (STIX 1.2) misp.truesec.be/… (STIX 2.0) Let me know if it works for you...	Xme 579 Posts ISC Handler
Quote	Nov 21st 2017 3 years ago
Awesome! The updated STIX 1.2 feed looks great, as does the STIX 2.0 feed (thanks for adding it!).	ikiril01 2 Posts
Quote	Nov 28th 2017 3 years ago

Yesterday, we were contacted by one of our readers who asked if we provide a STIX feed of our blocked list or top-100 suspicious IP addresses. STIX[1] means “Structured Threat Information eXpression” and enables organizations to share indicator of compromise (IOC) with peers in a consistent and machine readable manner.

The ISC already provides an API[2] that allows you to query our databases. The following query will return the top-100 bad IP addresses: (output has been beautified)

$ curl https://isc.sans.edu/api/topips/records/100
<?xml version="1.0" encoding="UTF-8"?>
<topips>
<ipaddress>
<rank>1</rank>
<source>046.101.124.074</source>
<reports>132723</reports>
<targets>110</targets>
</ipaddress><ipaddress>
<rank>2</rank>
<source>130.211.015.150</source>
<reports>21166</reports>
<targets>4474</targets>
</ipaddress><ipaddress>
...
</ipaddress>

You can select the output format by appending a “?<format>” at the end of the URL. Supported formats are: xml, text, json, php. The different formats make the output easy to integrate into third-party application but our reader’s comment was legit. If they are standards like STIX, why not use them?

Python has a module[3] to handle STIX data. I wrote a quick script to convert the output of the "/topips/records/100" API call into a STIX 1.2 XML format:

<stix:STIX_Package
  xmlns:stix="http://stix.mitre.org/stix-1" 
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2" 
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1" 
  xmlns:cybox="http://cybox.mitre.org/cybox-2" 
  xmlns:indicator="http://stix.mitre.org/Indicator-2" 
  xmlns:xs="http://www.w3.org/2001/XMLSchema" 
  xmlns:stixCommon="http://stix.mitre.org/common-1" 
  xmlns:example="http://example.com" 
  xmlns:cyboxCommon="http://cybox.mitre.org/common-2" 
  xmlns:xlink="http://www.w3.org/1999/xlink" id="example:Package-05d930dd-db95-4ef0-928e-6a697a1d54e0" version="1.2"> 
  <stix:STIX_Header/>
    <stix:Indicators>
      <stix:Indicator id="example:indicator-c0d228b3-8f67-44f9-add9-7b48936586d4" timestamp="2017-11-17T07:41:00.355151+00:00" xsi:type='indicator:IndicatorType'>
        <indicator:Title>SANS ISC Malicious IP</indicator:Title>
        <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
        <indicator:Observable id="example:Observable-7e3046bd-ea5e-4998-9520-d3ee84a8a266">
          <cybox:Object id="example:Address-9e46b000-bf82-47aa-ab40-84d088174470">
            <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
              <AddressObj:Address_Value>46.101.124.74</AddressObj:Address_Value>
            </cybox:Properties>
          </cybox:Object>
       </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>

The script is available in my GitHub repository[4].

If you want to test, I'm publishing a live feed[5] (updated every 2 hours). Let me know if it's useful to you, if the STIX file is correct (read: I'm not a STIX guru) or if you need some improvements.

[1] https://stixproject.github.io/
[2] https://isc.sans.edu/api/
[3] https://github.com/STIXProject/python-stix
[4] https://github.com/xme/toolbox/blob/master/isc2stix.py
[5] https://misp.truesec.be/isc-top-100-stix.xml

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Paris March 2021

Xme

579 Posts
ISC Handler

Nov 17th 2017

This worked great! I am able to pop the URL directly into my intelligence feeds with no issue at all.

Thank you for the quick response to my original ask!

chrisl1977

6 Posts

This is great - thanks for making this data available in STIX. Your STIX looks good, the only change I would suggest making is adding the "condition" attribute to the IP address value:

> ip.condition = "Equals"

Otherwise, I would suggest also making this available in the new STIX 2.0 JSON format. You can use the cti-stix-elevator utility to do this, which takes as input a STIX 1.2 XML file: https://github.com/oasis-open/cti-stix-elevator

Regards,
Ivan

ikiril01