The botvrij.eu data

IOCs

Botvrij.eu provides different sets of open source IOCs that you can use in your security devices to detect possible malicious activity.
The information contains network info (IPs), file hashes, file paths, domain names and URLs.

Datasource

All the data is gathered via open source information feeds (blog pages and PDF documents) and then consolidated into different datasets. To ensure the quality of the data, all entries older than approx. 6 months are removed.

MISP

MISP is used as a back-end for storing the threat information. The information is added to MISP via ioc-parser, extracted from MISP with PyMISP and formatted with a set of custom Python scripts.

This feed is also integrated as an OSINT feed within MISP.

It is free!

The data is free (obviously, the source of the data is also free). Use the data at your own risk. This project only makes the data easily accessible. It is up to you to decide where and how you want to use it.

Content

The datasets are available in two formats, each accompanied by an .md5 file:

  • ioclist.<TYPE>
  • ioclist.<TYPE>.md5
  • ioclist.<TYPE>.raw
  • ioclist.<TYPE>.raw.md5


The content of both datasets is identical. The .raw variant contains the data without comments. These datasets can be used if you want to automate inclusion in your detection systems.


All the datasets are stored in the folder /data/. For example the network IOC with possible malicious destination IPs is available via https://www.botvrij.eu/data/ioclist.ip-dst.


The directory /data/ has been set to allow 'directory listing' so it's easier for you to check which IOC files are available.


The easiest way to make use of the dataset is to activate the OSINT feed of botvrij.eu in your own local MISP instance. See this post for more information: https://www.vanimpe.eu/2016/03/23/using-open-source-intelligence-osint-with-misp/.

Dataset types

These datasets are available:

Network IOCs

  • ioclist.ip-dst
  • ioclist.domain
  • ioclist.url


File details

  • ioclist.filename
  • ioclist.md5
  • ioclist.sha1
  • ioclist.sha256


Other IOCs

  • ioclist.email-src
  • ioclist.regkey

Updates

The datasets are updated regularly whenever new APT writeups or descriptions of exploit campaigns become available. Do take into account that this remains a volunteer project.


Examples

IOC email-src

Use these IOCs on your e-mail relay.

IOC ip-dst

Detect possible outbound malicious activity.

IOC sha1

File hashes that can be used when doing incident response.

IOC domain - raw

Domainlist in a raw format.

Frequently Asked Questions

Block lists are outdated!

Yes. But not entirely.
We do not recommend installing the different IOCs in your intrusion prevention systems 'as such'. We strongly advise you to use the IOCs for detecting possible malicious behavior. Use the IOCs to raise an alert and then conduct a proper investigation. Consider this data an extra set of data that you can use to monitor the quality of your network and services.

Note that you should not only focus on network IOCs.
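The following Python script is an added example, not part of botvrij.eu's own tooling, tying together the two-format note under Content and the advice above: it verifies a downloaded ioclist.ip-dst against its .md5 companion, strips comments so one parser handles both ioclist.<TYPE> and ioclist.<TYPE>.raw, and matches firewall destinations against the list to raise alerts for investigation rather than to block. The '#' comment convention, the md5sum-style layout of the .md5 file, the IOC values and the log lines are all constructed assumptions.

```python
import hashlib
import re

# Constructed stand-ins for ioclist.ip-dst and its ioclist.ip-dst.md5 companion.
# Assumed layout: '#' opens a comment and an entry may carry a trailing '# note'.
IOCLIST = """# ioclist.ip-dst - constructed sample, not real feed data
192.0.2.10 # example APT writeup
198.51.100.7
203.0.113.42 # example exploit campaign
"""
IOCLIST_MD5 = hashlib.md5(IOCLIST.encode()).hexdigest() + "  ioclist.ip-dst\n"

# Constructed outbound firewall log lines (key=value style is an assumption).
LOGS = [
    "2024-01-01T10:00:00Z action=allow src=10.0.0.5 dst=198.51.100.7 dport=443",
    "2024-01-01T10:00:01Z action=allow src=10.0.0.9 dst=192.0.2.99 dport=80",
    "2024-01-01T10:00:02Z action=allow src=10.0.0.5 dst=203.0.113.42 dport=8080",
]
DST_RE = re.compile(r"\bdst=(\S+)")


def checksum_ok(content: bytes, md5_file: str) -> bool:
    """Compare the downloaded list with the published .md5 before loading it."""
    expected = md5_file.split()[0].lower()
    return hashlib.md5(content).hexdigest() == expected


def parse_ioclist(text: str) -> set:
    """Return IOC values only; works for both ioclist.<TYPE> and .raw files."""
    iocs = set()
    for line in text.splitlines():
        value = line.split("#", 1)[0].strip()
        if value:
            iocs.add(value)
    return iocs


def find_outbound_hits(log_lines, ioc_ips):
    """Return (destination, log line) pairs to alert on, not to block outright."""
    hits = []
    for line in log_lines:
        m = DST_RE.search(line)
        if m and m.group(1) in ioc_ips:
            hits.append((m.group(1), line))
    return hits


if __name__ == "__main__":
    if not checksum_ok(IOCLIST.encode(), IOCLIST_MD5):
        raise SystemExit("checksum mismatch, refusing to load the list")
    for dst, line in find_outbound_hits(LOGS, parse_ioclist(IOCLIST)):
        print(f"ALERT dst={dst}: {line}")
```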


The network IOCs are outdated!

Yes. But not entirely ;-)
The data originates from public reports. Because the reports are public, it is very likely that the listed infrastructure has since been cleaned up. Some of the IPs, however, are used for different types of malicious activity, so using them in your detection system still makes sense.


What should I do with the file hashes?

The file hashes are useful when you conduct an incident response investigation. Ideally you combine them with YARA rules.


I want direct access to the MISP instance!

Well, you can't. I run my MISP setup on a private, internal network. This is not because I do not trust the public access controls built into MISP, but because it reduces the effort I have to put into running (and monitoring) the system.


Why did you not use the MISP export feature?

MISP allows export in different formats (XML, IDS-Snort, CSV). The export comes close to what I had in mind, but I wanted to add some comments and be able to remove some redundant data. As such, I use PyMISP to extract the data and write the output into different text files.


MISP OSINT feed

The best way to make use of this feed and distribute the information to your security devices is to set up your own local MISP and then activate the botvrij.eu OSINT feed. Also see https://www.vanimpe.eu/2016/03/23/using-open-source-intelligence-osint-with-misp/.


What are the terms of use?

You can use this data the way you prefer, but all use of the data is at your own risk. You cannot resell the data, either as an individual package or as part of a larger package.


What does botvrij mean?

botvrij is a Dutch word. Vrij means free, so botvrij means 'free of bots'.


Remove my IP/domain/URL from the list!

Send an e-mail to info @ botvrij.eu and provide a short description.