ESET Online Help


IP feed

The IP feed contains malicious IP addresses and the data associated with them. The structure of the data displayed here is similar to the display of domains in the URL feed. One of the main uses is to understand which malicious IP addresses are currently prevalent in the wild: block the IP addresses with high severity, monitor those with milder severity, and investigate further, using the additional information provided, in case they have already caused any harm.


JSON

Below is a snippet of an IP feed in JSON format.

Example:

    {
        "confidence": "Low",
        "direction": "outgoing",
        "downloaded.detection": [
            "URL/Urlik.AAF object",
            "VBS/Agent.OMW trojan"
        ],
        "ip": "87.244.43.42",
        "location": "Russian Federation",
        "opener_detection": [
            "URL/Urlik.AAF object"
        ],
        "port": 11985,
        "protocol": "tcp",
        "reason": "Host actively distributes high-severity threat in the form of executable code.",
        "state": "BlockedObject",
        "urls": [
            "https://87.244.43.42:11985/08388E25.Png"
        ],
        "valid_to": "2021-12-15 09:35:10 UTC"
    }


Confidence: how confident we are that the given IP address should be automatically blocked

- High: IP addresses that have shown malicious and phishing activities
- Medium: IP addresses that have shown potentially unwanted (PUA) or SCAM activities
- Low: IP addresses from which users are advised not to download files, but which are considered safe to browse

Direction: considered from the client's perspective. If the IP address initiates communication with the customer/application, it is incoming; if the customer/application contacts the IP address, it is outgoing.

- Outgoing or Incoming

Downloaded detection: detection of the file that would be downloaded from the given malicious IP address

IP: the main IoC itself

Location: country where the IP address is hosted (IP address to location)

Opener detection: in cases where a malicious file tries to communicate with an IP address, this is the detection of the file that was trying to access the given IP address

Port: the port number used in the communication

Protocol: network communication protocol

Reason: human-readable information about why the given IP address has been identified as malicious

- The host is actively distributing high-severity malicious content in the form of executable code.
- The host is actively distributing a high-severity threat in the form of executable code.
- The host is actively distributing a high-severity threat in the form of script code.
- The host is actively distributing a high-severity threat in the form of malicious code.
- The host is actively distributing a potentially unwanted or unsafe threat.
- The host is known to be a source of active fraudulent content.
- The host is known to be a source of phishing or other fraudulent content.
- The host is known to abuse search engine optimization features to distribute unwanted content and spam.
- The host is known to be actively distributing high-severity mobile threats or low-risk software.
- The host is known to be actively distributing threats or is of uncertain reputation.
- The host is known to be actively distributing adware or other medium-risk software.
- The host is known to be distributing low-risk and potentially unwanted content.
- The host is used as a command and control server by the {} malware family.
- The host is used as a command and control server.
- VNS bruteforce IP
- RDP bruteforce IP
- SQL bruteforce IP
- SMB bruteforce IP
- FTP bruteforce IP
- Web services scanning and attacks

State: the category the given malicious IP address is in:

- Blocked: IP address that shows malicious activity (high confidence)
- Unwanted: IP address that is considered a PUA or SCAM (medium confidence)
- Blocked Object: IP address that hosts downloadable malware but should not be blocked as a whole (low confidence)

URLs: bad URLs we have seen on the given IP address

Valid to: date of share + 48h
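How a consumer of the JSON feed might apply the policy described above (block hosts in the Blocked state, monitor Unwanted ones, block only the listed objects for a Blocked Object host, and flag records carrying an opener detection for investigation), shown as an added example in Python that is not ESET's code. It uses the page's own snippet as input, with the missing commas repaired, and refuses to act on records past valid_to so stale indicators are never applied automatically; the action names, the required-field list and the expiry handling are this example's own choices, not part of the feed specification.

```python
"""Triage one ESET IP feed JSON record into a defensive action.

Added example, not ESET's own code. It assumes the record layout shown on
this page; the policy it applies follows the page's description of the
confidence and state fields. Action names are this example's own.
"""
import json
from datetime import datetime, timezone

# Record copied from the page's own snippet (missing commas repaired).
SAMPLE_RECORD = """{
  "confidence": "Low",
  "direction": "outgoing",
  "downloaded.detection": ["URL/Urlik.AAF object", "VBS/Agent.OMW trojan"],
  "ip": "87.244.43.42",
  "location": "Russian Federation",
  "opener_detection": ["URL/Urlik.AAF object"],
  "port": 11985,
  "protocol": "tcp",
  "reason": "Host actively distributes high-severity threat in the form of executable code.",
  "state": "BlockedObject",
  "urls": ["https://87.244.43.42:11985/08388E25.Png"],
  "valid_to": "2021-12-15 09:35:10 UTC"
}"""

# Assumption: these four keys are the minimum a record must carry to be used.
REQUIRED_FIELDS = ("ip", "confidence", "state", "valid_to")

# Page: Blocked = malicious activity, block it (high confidence);
# Unwanted = PUA/SCAM, monitor it (medium); Blocked Object = hosts
# downloadable malware but must not be blocked as a whole (low), so only
# the listed URLs/files are blocked.
ACTION_BY_STATE = {
    "Blocked": "block_host",
    "Unwanted": "monitor_host",
    "BlockedObject": "block_listed_urls_only",
}


def feed_time(value):
    """Parse the feed's 'YYYY-MM-DD HH:MM:SS UTC' timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def triage(record_json, now_utc=None):
    """Return what to do with one record; now_utc uses the feed's own time format."""
    rec = json.loads(record_json)
    missing = [k for k in REQUIRED_FIELDS if k not in rec]
    if missing:
        raise ValueError(f"record is missing required fields: {missing}")
    state = rec["state"]
    if state not in ACTION_BY_STATE:
        raise ValueError(f"unknown state {state!r}")
    now = feed_time(now_utc) if now_utc else datetime.now(timezone.utc)
    expired = now > feed_time(rec["valid_to"])  # page: valid for share time + 48h
    evidence = {
        "downloaded": rec.get("downloaded.detection", []),  # files served by the host
        "opener": rec.get("opener_detection", []),          # files that tried to reach it
        "urls": rec.get("urls", []),
        "reason": rec.get("reason", ""),
    }
    return {
        "ip": rec["ip"],
        "port": rec.get("port"),
        "protocol": rec.get("protocol"),
        "direction": rec.get("direction"),
        # Expired indicators are reported but never acted on automatically.
        "action": "expired" if expired else ACTION_BY_STATE[state],
        "expired": expired,
        # An opener detection means a file on an endpoint already tried to
        # contact this host, which the page gives as grounds to investigate.
        "investigate": bool(evidence["opener"]),
        "evidence": evidence,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORD, now_utc="2021-12-14 09:00:00 UTC"), indent=2))
```

For the page's sample record this yields the action block_listed_urls_only with investigate set, because the host is in the Blocked Object state and a file was detected trying to contact it; the same record evaluated after its valid_to produces the action expired.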


STIX 2.0

Four types of STIX domain objects are available for the IP feed:

- Indicator
- Malware
- Observed data
- Relationship


Indicator: IoC that should be used for further blocking and/or investigation

- Name: the category the given malicious IP address belongs to
  - Blocked: IP address that shows malicious activity (high confidence)
  - Unwanted: IP address that is considered a PUA or SCAM (medium confidence)
  - Blocked Object: IP address that hosts downloadable malware but should not be blocked as a whole (low confidence)
- Description: human-readable information about why the given IP address has been identified as malicious
- Pattern: the IoC
- Valid from: time of share of the IoC
- Valid until: time of share + 48h
- Label: category of detection, in a format different from the name
  - Malicious activity (name: Blocked)
  - Benign (name: Blocked Object)

Malware: this object is optional and is not necessarily shared with every IP address IoC. If we have been able to detect and block a file related to malware that was downloaded from the given IP address, this data will be shared. If malware was trying to communicate with the given IP address, data about the malware that tried to communicate will be shared.

- Name: name of the malware detection
- Description: what type of malware-related additional information this is
  - Detected malware was downloaded from the IP address
  - Detected malware tried to contact the IP address
- Labels: what category of malware this is
  - Trojan
  - Worm
  - Virus
  - Dropper
  - Adware
  - Rogue security software
  - Ransomware
  - Keylogger
  - Rootkit
  - DDoS
  - Bot
  - Spyware

Observed data: additional information for the given IP address

- First observed: when this IP address was first seen in the wild
- Last observed: when the IP address was last seen
- Number observed: the total number of times the IP address has been seen
- Type: ipv4 or URL
- Value: the IP address on which the blocked URL is hosted

Relationship
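The mapping from one JSON feed record to the STIX 2.0 objects listed above (Indicator, Malware, Observed data, Relationship), as an added example in Python that is not ESET's code. It follows the field descriptions on this page; everything the page does not specify is an assumption and is marked as such in the code: the indicator pattern string (STIX 2.0 patterning syntax), the relationship type, the object id scheme, the label used for the Unwanted state, deriving the malware label from the last word of the detection name, and the observed-data timestamps and count, which the JSON record does not carry.

```python
"""Convert one ESET IP feed JSON record into STIX 2.0 objects.

Added example, not ESET's own code. Field mapping follows this page;
items marked 'assumption' are not specified by the page.
"""
import json
import uuid
from datetime import datetime, timedelta, timezone

# Record copied from the page's own snippet (missing commas repaired).
SAMPLE_RECORD = """{
  "confidence": "Low",
  "direction": "outgoing",
  "downloaded.detection": ["URL/Urlik.AAF object", "VBS/Agent.OMW trojan"],
  "ip": "87.244.43.42",
  "location": "Russian Federation",
  "opener_detection": ["URL/Urlik.AAF object"],
  "port": 11985,
  "protocol": "tcp",
  "reason": "Host actively distributes high-severity threat in the form of executable code.",
  "state": "BlockedObject",
  "urls": ["https://87.244.43.42:11985/08388E25.Png"],
  "valid_to": "2021-12-15 09:35:10 UTC"
}"""

# Page: label "Malicious activity" goes with name Blocked and "Benign" with
# Blocked Object, spelled here as in the STIX 2.0 indicator label vocabulary.
# The value for Unwanted is not on the page and is an assumption.
INDICATOR_LABEL = {
    "Blocked": "malicious-activity",
    "BlockedObject": "benign",
    "Unwanted": "anomalous-activity",
}

# Malware categories listed on the page, in STIX 2.0 vocabulary spelling.
MALWARE_LABELS = {
    "trojan", "worm", "virus", "dropper", "adware", "rogue-security-software",
    "ransomware", "keylogger", "rootkit", "ddos", "bot", "spyware",
}


def feed_time(value):
    """Parse 'YYYY-MM-DD HH:MM:SS UTC' into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def stix_time(dt):
    """STIX 2.0 timestamp: RFC 3339 in UTC with a 'Z' suffix."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")


def malware_label(detection_name):
    """Assumption: the last word of a detection name ('... trojan') is its
    category; anything outside the page's list is reported as 'unknown'."""
    word = detection_name.split()[-1].lower()
    return word if word in MALWARE_LABELS else "unknown"


def to_stix_bundle(record_json):
    """Build a STIX 2.0 bundle holding the four object types the page lists."""
    rec = json.loads(record_json)
    valid_until = feed_time(rec["valid_to"])
    valid_from = valid_until - timedelta(hours=48)  # page: valid until = share time + 48h
    created = stix_time(valid_from)
    indicator_id = f"indicator--{uuid.uuid4()}"    # assumption: random v4 ids
    objects = [{
        "type": "indicator", "id": indicator_id, "created": created, "modified": created,
        "name": rec["state"],                       # page: Name = state category
        "description": rec["reason"],               # page: Description = reason text
        "pattern": f"[ipv4-addr:value = '{rec['ip']}']",  # STIX 2.0 pattern for the IoC
        "valid_from": stix_time(valid_from),
        "valid_until": stix_time(valid_until),
        "labels": [INDICATOR_LABEL[rec["state"]]],
    }]
    # Malware objects are optional on the page: one per detection, with the
    # description text the page gives for each origin.
    sources = (
        ("downloaded.detection", "Detected malware was downloaded from the IP address"),
        ("opener_detection", "Detected malware tried to contact the IP address"),
    )
    for key, description in sources:
        for name in rec.get(key, []):
            malware_id = f"malware--{uuid.uuid4()}"
            objects.append({
                "type": "malware", "id": malware_id, "created": created, "modified": created,
                "name": name, "description": description, "labels": [malware_label(name)],
            })
            # Assumption: the indicator 'indicates' each related malware object.
            objects.append({
                "type": "relationship", "id": f"relationship--{uuid.uuid4()}",
                "created": created, "modified": created, "relationship_type": "indicates",
                "source_ref": indicator_id, "target_ref": malware_id,
            })
    # Observed data: the IP plus the bad URLs seen on it (page: Type ipv4 or URL).
    # The JSON record carries no sighting data, so the timestamps and count
    # below are assumptions.
    observables = {"0": {"type": "ipv4-addr", "value": rec["ip"]}}
    for i, url in enumerate(rec.get("urls", []), start=1):
        observables[str(i)] = {"type": "url", "value": url}
    objects.append({
        "type": "observed-data", "id": f"observed-data--{uuid.uuid4()}",
        "created": created, "modified": created,
        "first_observed": created, "last_observed": created, "number_observed": 1,
        "objects": observables,
    })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "spec_version": "2.0",
            "objects": objects}


def objects_of_type(bundle, stix_type):
    """Return the bundle's objects with the given STIX type."""
    return [o for o in bundle["objects"] if o["type"] == stix_type]


if __name__ == "__main__":
    print(json.dumps(to_stix_bundle(SAMPLE_RECORD), indent=2))
```

For the page's sample record the bundle holds one indicator named BlockedObject with the benign label, three malware objects (two for the downloaded detections, one for the opener detection) each linked to the indicator by a relationship, and one observed-data object carrying the IP address and the listed URL.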