From 2b0de7ea0feee29f864771267bd4cab6e5e93040 Mon Sep 17 00:00:00 2001 From: Simon Duff Date: Mon, 23 Jan 2017 15:31:22 +0800 Subject: [PATCH 1/2] Added 3 whitelists Added 3 whitelists - Alexa, Cisco Umbrella and Statvoo --- README.md | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 8e4bd75..0ac6981 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,14 @@ Some consider these sources as threat intelligence, opinions differ however. A certain amount of (domain- or business-specific) analysis is necessary to create true threat intelligence. + + + + + + + + - + @@ -221,6 +237,14 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of "bad" SSL certificates identified by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists + + + + + + + + + + + + + + + + + + + + + + + +
+ Alexa Top 1 Million sites + + Probable Whitelist of the top 1 Million sites from Amazon(Alexa). +
APT Groups and Operations @@ -51,6 +59,14 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea Tracks several active botnets.
+ Cisco Umbrella + + Probable Whitelist of the top 1 million sites resolved by Cisco Umbrella (was OpenDNS). +
Critical Stack Intel @@ -59,7 +75,7 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea The free threat intelligence parsed and aggregated by Critical Stack is ready for use in any Bro production system. You can specify which feeds you trust and want to ingest.
C1fApp
+ Statvoo Top 1 Million Sites + + Probable Whitelist of the top 1 million web sites, as ranked by Statvoo. +
Strongarm, by Percipient Networks From fd5268d03e5bcb7b70c7904b1efd258deaa4049e Mon Sep 17 00:00:00 2001 From: Simon Duff Date: Sat, 28 Jan 2017 18:10:54 +0800 Subject: [PATCH 2/2] Added several new threatlists Added several threatlists --- README.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/README.md b/README.md index 0ac6981..71402ee 100644 --- a/README.md +++ b/README.md @@ -59,6 +59,30 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea Tracks several active botnets.
+ BruteForceBlocker + + BruteForceBlocker is a perl script that monitors a server's sshd logs and identifies brute force attacks, which it then uses to automatically configure firewall blocking rules and submit those IPs back to the project site, http://danger.rulez.sk/projects/bruteforceblocker/blist.php. +
+ C&C Tracker + + A feed of known, active and non-sinkholed C&C IP addresses, from Bambenek Consulting. +
+ CI Army List + + A subset of the commercial CINS Score list, focused on poorly rated IPs that are not currently present on other threatlists. +
Cisco Umbrella @@ -187,6 +211,14 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. These can be used for detection as well as prevention (sinkholing DNS requests).
+ OpenBL.org + + A feed of IP addresses found to be attempting brute-force logins on services such as SSH, FTP, IMAP and phpMyAdmin and other web applications. +
OpenPhish Feeds @@ -229,6 +261,14 @@ A certain amount of (domain- or business-specific) analysis is necessary to crea A database of signatures used in other tools by Neo23x0.
+ The Spamhaus project + + The Spamhaus Project contains multiple threatlists associated with spam and malware activity. +
SSL Blacklist
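Review bot: In the hunks adding the Alexa, Cisco Umbrella and Statvoo rows (PATCH 1/2), the wording "Probable Whitelist" and the commit title "Added 3 whitelists" overstate what a top-1M ranking gives you: it says a domain is popular, not that it is safe, and a reader who loads it straight into an allowlist will exempt whatever happens to rank that day. Suggest one consistent description, e.g. "Ranking of the top 1 million sites; usable as a provisional allowlist only after review", and applying it to all three rows, which currently differ in small ways: the Alexa row says "top 1 Million sites" and "Amazon(Alexa)" (capital M, missing space before the parenthesis) while the Cisco Umbrella and Statvoo rows say "top 1 million".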
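Review bot: In the @@ -59,6 +59,30 @@ hunk of PATCH 2/2, the BruteForceBlocker row is the only one whose description carries a bare URL (http://danger.rulez.sk/projects/bruteforceblocker/blist.php) and it describes the client script rather than the feed; keep the description to what the feed contains and put the URL where the row's link belongs. Since the text itself says participating hosts "submit those IPs back to the project site", the description should state that the list is crowd-reported, e.g. "IP addresses reported by BruteForceBlocker installations as sources of sshd brute-force attempts", which a reader needs to know before turning it into a firewall rule. Also capitalise "Perl".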
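Review bot: In the @@ -187,6 +211,14 @@ hunk of PATCH 2/2, the OpenBL.org description has a doubled "and": "SSH, FTP, IMAP and phpMyAdmin and other web applications". Suggest "SSH, FTP, IMAP, phpMyAdmin and other web applications".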
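Review bot: In the @@ -229,6 +261,14 @@ hunk of PATCH 2/2, the Spamhaus row is too vague to act on: "contains multiple threatlists associated with spam and malware activity" tells the reader neither which lists exist nor which one to fetch, so the description should name the individual lists with their URLs and say what each contains (IP ranges, domains, or sending hosts). The row title "The Spamhaus project" also disagrees with "The Spamhaus Project" in its own description, and the leading "The" is out of step with the neighbouring rows (signature-base, SSL Blacklist), which are named by the project itself; suggest titling the row "Spamhaus".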