Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds
Zeek-Formatted Threat Intelligence Feeds
malware phishing threat-intelligence threatintel zeek zeek-ids
Last synced: 9 days ago
Zeek-Formatted Threat Intelligence Feeds
- Host: GitHub
- URL: https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds
- Owner: CriticalPathSecurity
- License: mit
- Created: 2020-08-20T13:13:32.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2024-10-29T10:17:22.000Z (3 months ago)
- Last Synced: 2024-10-29T11:07:09.493Z (3 months ago)
- Topics: malware, phishing, threat-intelligence, threatintel, zeek, zeek-ids
- Language: Zeek
- Homepage:
- Size: 10.3 MB
- Stars: 341
- Watchers: 14
- Forks: 47
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
[![Critical Path Security Logo](https://www.criticalpathsecurity.com/wp-content/uploads/2020/09/CPS-LOGO-RESIZE.png)](https://www.criticalpathsecurity.com)
# Zeek Intel Threat Feed w/ Combined Indicators
This is a public feed based on Public Threat Feeds and CRITICAL PATH SECURITY gathered data.
This feed will be updated as often as possible.
## Getting Started
These instructions will get you a copy of the project up and running.
### Dependencies
* Zeek 3.0 or greater
### Installing
Install the Zeek build dependencies (on current Debian/Ubuntu releases the Python package is `python3-dev` rather than `python-dev`)
```
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev
```
Clone the Zeek repository into `/opt`
```
cd /opt
git clone --recursive https://github.com/zeek/zeek
```
Install Zeek (the build must run inside the cloned directory)
```
cd /opt/zeek
./configure && make && sudo make install
```
## Install the Threat Intelligence Feeds
Clone the feed repository into `/usr/local/zeek/share/zeek/site/Zeek-Intelligence-Feeds` and load it from `local.zeek`
```
git clone https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds.git /usr/local/zeek/share/zeek/site/Zeek-Intelligence-Feeds
echo "@load Zeek-Intelligence-Feeds" >> /usr/local/zeek/share/zeek/site/local.zeek
```
## Usage
Navigate to `/usr/local/zeek/bin/` and deploy the new configuration
```
./zeekctl deploy
```
### Scheduling Updates
A simple shell script can be used for updates. An example is shown below.
```
vi /opt/zeek_update.sh
```
Add the following:
```
#!/bin/sh
# Abort if the feed directory is missing, so the hard reset can never run in some other directory.
cd /usr/local/zeek/share/zeek/site/Zeek-Intelligence-Feeds || exit 1
git fetch origin master && git reset --hard FETCH_HEAD && git clean -df
```
Make the script executable.
```
chmod +x /opt/zeek_update.sh
```
Make the following cron entry for 24 hour updates (the feed directory is reset to upstream `master` at 00:05 every day; any local edits in that directory are discarded by the hard reset).
```
5 0 * * * sh /opt/zeek_update.sh >/dev/null 2>&1
```
Zeek's Intel framework loads the feed files in re-read mode, so an update is picked up without another `zeekctl deploy`. Logs will be written to:
```
/usr/local/zeek/logs/current/intel.log
```
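Two things a practitioner wants around this setup are a sanity check on the feed files before Zeek re-reads them and a quick way to summarise what `intel.log` has matched. The script below is an added example, not code from the Zeek-Intelligence-Feeds project: it parses Zeek TSV (the `#fields` header format shared by the `.intel` feed files and `intel.log`), flags unknown indicator types, malformed and duplicate indicators in a feed, and counts `intel.log` hits per feed source and per indicator. The sample feed rows and log lines are constructed for the example (documentation addresses, not real indicators); the accepted indicator types are Zeek's `Intel::Type` values and the `intel.log` columns used (`seen.indicator`, `seen.indicator_type`, `sources`) are Zeek's own.

```python
"""Validate Zeek-formatted .intel feeds and summarise intel.log hits.

Added example, not part of the Zeek-Intelligence-Feeds project. Feed files and
intel.log are both Zeek TSV: '#' lines carry metadata and the '#fields' line
names the columns, so one header-driven parser serves both.
"""
from collections import Counter

# Indicator types accepted by Zeek's Intel framework (the Intel::Type enum).
VALID_INDICATOR_TYPES = {
    "Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE",
    "Intel::EMAIL", "Intel::DOMAIN", "Intel::USER_NAME", "Intel::CERT_HASH",
    "Intel::PUBKEY_HASH", "Intel::FILE_HASH", "Intel::FILE_NAME",
}
# Columns a .intel file must carry for the Intel framework to load it.
REQUIRED_INTEL_FIELDS = ("indicator", "indicator_type", "meta.source")


def parse_zeek_tsv(text):
    """Return (fields, rows) from Zeek TSV text.

    Rows are dicts keyed by the names on the '#fields' line. A '#separator'
    line (e.g. '#separator \\x09') overrides the default tab separator.
    """
    sep = "\t"
    fields = None
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#separator"):
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if line.startswith("#fields"):
            fields = line.split(sep)[1:]
            continue
        if line.startswith("#"):
            continue  # #set_separator, #empty_field, #types, #close, ...
        if fields is None:
            raise ValueError(f"line {lineno}: data before #fields header")
        cols = line.split(sep)
        if len(cols) != len(fields):
            raise ValueError(
                f"line {lineno}: expected {len(fields)} columns, got {len(cols)}")
        rows.append(dict(zip(fields, cols)))
    if fields is None:
        raise ValueError("no #fields header found")
    return fields, rows


def validate_intel_feed(text):
    """Return a list of problems found in a .intel file (empty means clean)."""
    try:
        fields, rows = parse_zeek_tsv(text)
    except ValueError as exc:
        return [str(exc)]
    missing = [f for f in REQUIRED_INTEL_FIELDS if f not in fields]
    if missing:
        return ["missing required columns: " + ", ".join(missing)]
    problems = []
    seen = set()
    for n, row in enumerate(rows, 1):
        ind, typ = row["indicator"], row["indicator_type"]
        if typ not in VALID_INDICATOR_TYPES:
            problems.append(f"row {n}: unknown indicator_type {typ!r}")
        if not ind or " " in ind:
            problems.append(f"row {n}: malformed indicator {ind!r}")
        if (ind, typ) in seen:
            problems.append(f"row {n}: duplicate {ind} ({typ})")
        seen.add((ind, typ))
    return problems


def summarize_intel_log(text):
    """Count intel.log matches per feed source and per (indicator, type)."""
    _, rows = parse_zeek_tsv(text)
    by_source, by_indicator = Counter(), Counter()
    for row in rows:
        # 'sources' is a Zeek set; several feeds can hold the same indicator.
        for src in row["sources"].split(","):
            by_source[src] += 1
        by_indicator[(row["seen.indicator"], row["seen.indicator_type"])] += 1
    return by_source, by_indicator


# Constructed sample feed: documentation address/domain, not real IOCs.
SAMPLE_FEED = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url",
    "203.0.113.7\tIntel::ADDR\texample-feed\tconstructed sample\thttps://example.invalid",
    "malicious.example\tIntel::DOMAIN\texample-feed\tconstructed sample\t-",
    "203.0.113.7\tIntel::ADDR\texample-feed\tduplicate row\t-",
    "bad value\tIntel::HOST\texample-feed\tbogus type and a space\t-",
])

# Constructed intel.log excerpt; a real log carries more columns (fuid,
# file_mime_type, file_desc), which the header-driven parser handles.
SAMPLE_INTEL_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#path\tintel",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tseen.indicator\tseen.indicator_type\tseen.where\tseen.node\tmatched\tsources",
    "1737173933.123\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t203.0.113.7\t443\t203.0.113.7\tIntel::ADDR\tConn::IN_RESP\tzeek\tIntel::ADDR\texample-feed,another-feed",
    "1737173940.456\tCmes4x2xZQ0fN9vK2\t10.0.0.9\t53412\t10.0.0.53\t53\tmalicious.example\tIntel::DOMAIN\tDNS::IN_REQUEST\tzeek\tIntel::DOMAIN\texample-feed",
])

if __name__ == "__main__":
    for problem in validate_intel_feed(SAMPLE_FEED):
        print("feed problem:", problem)
    sources, indicators = summarize_intel_log(SAMPLE_INTEL_LOG)
    print("hits per source:", dict(sources))
    print("hits per indicator:", dict(indicators))
```

To check a real checkout, call `validate_intel_feed()` on each `*.intel` file under `/usr/local/zeek/share/zeek/site/Zeek-Intelligence-Feeds` (for instance from the update script, after the `git reset`), and feed the current `intel.log` to `summarize_intel_log()` to see which sources are actually producing matches on your network.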
Sources:

| Filename | Provider | Homepage | List URL | License/TOU |
|-----------|-----------|----------------------------------|--------------------------------|----------------------------------|
| Amnesty_NSO_Domains.intel | Amnesty NSO Domains | https://github.com/AmnestyTech/investigations | https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso | Not Defined |
| abuse-ch-ipblocklist.intel | Abuse.CH Blacklist | https://sslbl.abuse.ch/blacklist/ | https://sslbl.abuse.ch/blacklist/ | https://sslbl.abuse.ch/blacklist/ |
| abuse-ch-malware.intel | Abuse.CH Malware | https://bazaar.abuse.ch/ | https://bazaar.abuse.ch/ | https://bazaar.abuse.ch/ |
| abuse-ch-threatfox-ip.intel | Abuse.CH ThreatFox | https://threatfox.abuse.ch/ | https://threatfox.abuse.ch/ | https://threatfox.abuse.ch/ |
| abuse-ch-urlhaus.intel | Abuse.CH URLHaus | https://urlhaus.abuse.ch/ | https://urlhaus.abuse.ch/ | https://urlhaus.abuse.ch/ |
| alienvault.intel | AlienVault | https://www.alienvault.com/ | http://reputation.alienvault.com/reputation.data | https://otx.alienvault.com/ |
| binarydefense.intel | Binary Defense | https://www.binarydefense.com/ | https://www.binarydefense.com/banlist.txt | https://www.binarydefense.com/ |
| censys.intel | Censys | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| cobaltstrike_ips.intel | CobaltStrike IP | https://threatview.io/ | https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt | https://threatview.io/ |
| compromised-ips.intel | Emerging Threats | https://rules.emergingthreats.net/ | https://rules.emergingthreats.net/blockrules/compromised-ips.txt | https://rules.emergingthreats.net/OPEN_download_instructions.html |
| cps-collected-iocs.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| cps_cobaltstrike_domain.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| cps_cobaltstrike_ip.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| ellio.intel | Ellio Tech | https://www.ellio.tech | https://www.ellio.tech | https://www.ellio.tech |
| fangxiao.intel | Cyjax | https://www.cyjax.com/ | https://www.cyjax.com/app/uploads/2022/11/fangxiao-a-chinese-threat-actor.txt | https://www.cyjax.com/2022/11/14/fangxiao-a-chinese-threat-actor/ |
| filetransferportals.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| illuminate.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| inversion.intel | Google / Inversion | https://github.com/elliotwutingfeng/Inversion-DNSBL-Blocklists | Github | https://github.com/elliotwutingfeng/Inversion-DNSBL-Blocklists/blob/main/LICENSE |
| lockbit_ip.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| log4j_ip.intel | Multiple Sources | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| openphish.intel | OpenPhish | https://openphish.com | https://openphish.com/feed.txt | https://openphish.com/terms.html |
| predict_intel.intel | Georgia Tech Research Institute (GTRI) | https://www.gatech.edu/ | https://www.gatech.edu/ | https://www.gatech.edu/ |
| ragnar.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| sans.intel | SANS | https://isc.sans.edu/ | https://isc.sans.edu/api/intelfeed | https://isc.sans.edu/data/threatfeed.html |
| scumbots.intel | ScumBots | None | None | Permission given by Paul Melson - Free Usage |
| stalkerware.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| tor-exit.intel | Tor Project | https://www.torproject.org/ | https://check.torproject.org/exit-addresses | https://www.torproject.org/ |
Sat Jan 18 04:18:53 UTC 2025