Adding Feeds

Adding a feed doesn't necessarily require any programming experience. There are several collector and parser bots intended for general use. Depending on the data source you are trying to add as a feed, it might be only a matter of creating a working combination of collector bot (such as URL Fetcher) configuration and a parser bot (such as CSV parser) configuration. When you are satisfied with the configurations, add it to the intelmq/etc/feeds.yaml file using the following template and open a pull request!

<NAME OF THE FEED PROVIDER>:
    <NAME OF THE FEED>:
      description: <DESCRIPTION OF WHAT KIND OF DATA THE FEED PROVIDES>
      additional_information: <ANY ADDITIONAL INFORMATION>
      documentation: <FEED HOMEPAGE/DOCUMENTATION URL>
      revision: <DATE WHEN YOU ADDED THIS FEED>
      public: <TRUE/FALSE IF THE DATA SOURCE IS PUBLICLY AVAILABLE>
      bots:
        collector:
          module: <MODULE USED FOR THE COLLECTOR BOT>
          parameters:
            name: __FEED__ # KEEP AS IT IS
            provider: __PROVIDER__  # KEEP AS IT IS
            <ADDITIONAL COLLECTOR BOT PARAMETERS>
        parser:
          module: <MODULE USED FOR THE PARSER BOT>
          parameters:
            <ADDITIONAL PARSER BOT PARAMETERS>

If the data source utilizes some unusual way of distribution or uses a custom format for the data it might be necessary to develop specialized bot(s) for this particular data source. Always try to use existing bots before you start developing your own. Please also consider extending an existing bot if your use-case is close enough to it's features. If you are unsure which way to take, start an issue and you will receive guidance.

Feeds Wishlist

This is a list with potentially interesting data sources, which are either currently not supported or the usage is not clearly documented in IntelMQ. If you want to contribute new feeds to IntelMQ, this is a great place to start!

• Lists of feeds:
  • threatfeeds.io
  • TheCyberThreat
  • sbilly: Awesome Security
  • pannoniait:Backlists
  • hslatman:awesome-threat-intelligence
  • Zeek Intelligence Feeds
  • imuledx OSING feeds
• Some third party intelmq bots: NRDCS IntelMQ fork
• List of potentially interesting data sources:
  • Abuse.ch SSL Blacklists
  • AbuseIPDB
  • Adblock Plus
  • apivoid IP Reputation API
  • Anomali Limo Free Intel Feed
  • APWG's ecrimex
  • Avast Threat Intel IoCs of dark matter repository
  • Berkeley
  • Binary Defense
  • Bot Invaders Realtime tracker
  • Botherder Targetedthreats
  • Botscout Last Caught
  • botvrij
  • Carbon Black Feeds
  • CERT.pl Phishing Warning List
  • Chaos Reigns
  • Critical Stack
  • Cruzit
  • Cyber Crime Tracker
  • drb-ra C2IntelFeeds
  • DNS DB API
  • ESET Malware Indicators of Compromise
  • Facebook Threat Exchange
  • FilterLists
  • Firehol IPLists
  • Google Webmaster Alerts
  • GPF Comics DNS Blacklist
  • Greensnow
  • Greynoise
  • HP Feeds
  • IBM X-Force Exchange
  • ImproWare AntiSpam
  • ISightPartners
  • James Brine
  • Joewein
  • Maltrail:
    • Malware
    • Suspicious
    • Mass Scanners (for whitelisting)
  • Malshare
  • MalSilo Malware URLs
  • Malware Config
  • Malware DB (cert.pl)
  • MalwareInt
  • Malware Must Die
  • Manity Spam IP addresses
  • Marc Blanchard DGA Domains
  • MaxMind Proxies
  • mIRC Servers
  • MISP Warning Lists
  • Monzymerza
  • Multiproxy
  • Neo23x0 signature-base
  • OpenBugBounty
  • Phishing Army
  • Phishstats (offers JSON API and CSV download)
  • Project Honeypot (#284)
  • RST Threat Feed (offers a free and a commercial feed)
  • SANS ISC
  • ShadowServer Sandbox API
  • Shodan search API
  • Snort
  • stopforumspam Toxic IP addresses and domains
  • Spamhaus Botnet Controller List
  • SteveBlack Hosts File
  • The Haleys
  • Threat Crowd
  • Threat Grid
  • Threatstream
  • TotalHash
  • UCE Protect
  • Unit 42 Public Report IOCs
  • URI BL
  • urlscan.io
  • Virustotal
  • virustream
  • VoIP Blacklist
  • YourCMC