Top-100 Malicious IP STIX Feed

Published: 2017-11-17. Last Updated: 2017-11-17 07:56:20 UTC
by Xavier Mertens (Version: 1)
5 comment(s)

Yesterday, we were contacted by one of our readers who asked if we provide a STIX feed of our block list or of our top-100 suspicious IP addresses. STIX[1] stands for “Structured Threat Information eXpression” and lets organizations share indicators of compromise (IOCs) with peers in a consistent, machine-readable manner.

The ISC already provides an API[2] that allows you to query our databases. The following query returns the top-100 bad IP addresses (output has been beautified):

$ curl https://isc.sans.edu/api/topips/records/100
<?xml version="1.0" encoding="UTF-8"?>
<topips>
<ipaddress>
<rank>1</rank>
<source>046.101.124.074</source>
<reports>132723</reports>
<targets>110</targets>
</ipaddress><ipaddress>
<rank>2</rank>
<source>130.211.015.150</source>
<reports>21166</reports>
<targets>4474</targets>
</ipaddress><ipaddress>
...
</ipaddress>

You can select the output format by appending “?<format>” to the end of the URL. Supported formats are: xml, text, json, php. The different formats make the output easy to integrate into third-party applications, but our reader’s comment was legit: if there are standards like STIX, why not use them?

Python has a module[3] to handle STIX data. I wrote a quick script to convert the output of the "/topips/records/100" API call into STIX 1.2 XML format:

<stix:STIX_Package
  xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
  xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:stixCommon="http://stix.mitre.org/common-1"
  xmlns:example="http://example.com"
  xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
  xmlns:xlink="http://www.w3.org/1999/xlink" id="example:Package-05d930dd-db95-4ef0-928e-6a697a1d54e0" version="1.2">
  <stix:STIX_Header/>
  <stix:Indicators>
    <stix:Indicator id="example:indicator-c0d228b3-8f67-44f9-add9-7b48936586d4" timestamp="2017-11-17T07:41:00.355151+00:00" xsi:type='indicator:IndicatorType'>
      <indicator:Title>SANS ISC Malicious IP</indicator:Title>
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
      <indicator:Observable id="example:Observable-7e3046bd-ea5e-4998-9520-d3ee84a8a266">
        <cybox:Object id="example:Address-9e46b000-bf82-47aa-ab40-84d088174470">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value>46.101.124.74</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>

The script is available in my GitHub repository[4].

If you want to test, I'm publishing a live feed[5] (updated every 2 hours). Let me know if it's useful to you, if the STIX file is correct (read: I'm not a STIX guru) or if you need some improvements. 

[1] https://stixproject.github.io/
[2] https://isc.sans.edu/api/
[3] https://github.com/STIXProject/python-stix
[4] https://github.com/xme/toolbox/blob/master/isc2stix.py
[5] https://misp.truesec.be/isc-top-100-stix.xml

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

Keywords: API IOC IP sharing STIX
Comments

This worked great! I am able to pop the URL directly into my intelligence feeds with no issue at all.

Thank you for the quick response to my original ask!
This is great - thanks for making this data available in STIX. Your STIX looks good; the only change I would suggest making is adding the "condition" attribute to the IP address value:

> ip.condition = "Equals"

Otherwise, I would suggest also making this available in the new STIX 2.0 JSON format. You can use the cti-stix-elevator utility to do this, which takes as input a STIX 1.2 XML file: https://github.com/oasis-open/cti-stix-elevator

Regards,
Ivan
Thank you for your feedback, Ivan!
I'll have a look at this and update the feed. I'm not a STIX guru ;-)
Changes completed.
There are two feeds available now:
https://misp.truesec.be/isc-top-100-stix.xml (STIX 1.2)
https://misp.truesec.be/isc-top-100-stix.json (STIX 2.0)
Let me know if it works for you...
Awesome! The updated STIX 1.2 feed looks great, as does the STIX 2.0 feed (thanks for adding it!).