IP feed
The IP feed contains malicious IP addresses and data associated with them. The structure of the data displayed here is similar to the display of domains in URL feed. One of the main uses is to understand what malicious IP addresses are currently prevalent in the wild. To block those IP addresses with high severity and monitor those IP addresses with milder severity, and to further investigate based on additional information if they have already caused any harm.
JSON
Below is a snippet of an IP feed in JSON format.
{ "confidence": "Low", "direction": "outgoing", "downloaded.detection": [ "URL/Urlik.AAF object", "VBS/Agent.OMW trojan" ], "ip": "87.244.43.42" "location": "Russian Federation", "opener_detection": [ "URL/Urlik.AAF object" ] "port": 11985 "protocol": "tcp" "reason": "Host actively distributes high-severity threat in the form of executable code.", "state": "BlockedObject", "urls": [ "https://87.244.43.42:11985/08388E25.Png" ], "valid_to": "2021-12-15 09:35:10 UTC" } |
•Confidence—how confident we are that the given IP address should be automatically blocked
oHigh—consists of the IP address that has shown malicious and phishing activities
oMedium—consists of the IP address that has shown potentially unwanted (PUA) or SCAM activities
oLow—consists of the IP address from which users are advised not to download files, but which are considered safe to browse
•Direction—considered from client perspective. If the IP address is communicating with a customer/application, it is incoming. If a customer/application is asking the IP address, it is outgoing.
oOutgoing or Incoming
•Downloaded detection—detection of a file that would be downloaded from the given malicious IP address
•IP—main IoC itself
•Location—country where the IP address is hosted (IP address to location)
•Opener detection—in cases where a malicious file tries to communicate with an IP address, this is the detection of the file which was trying to access the given IP address.
•Port—port communicated number
•Protocol—network communication protocol
•Reason—human-readable information about why the given domain has been identified as malicious
oThe host is actively distributing high-severity malicious content in the form of executable code.
oThe host is actively distributing a high-severity threat in the form of executable code.
oThe host is actively distributing a high-severity threat in the form of script code.
oThe host is actively distributing a high-severity threat in the form of malicious code.
oThe host is actively distributing a potentially unwanted or unsafe threat.
oThe host is known to be a source of active fraudulent content.
oThe host is known to be a source of phishing or other fraudulent content.
oThe host is known to abuse search engine optimization features to distribute unwanted content and spam.
oThe host is known to be actively distributing high-severity mobile threats or low-risk software.
oThe host is known to be actively distributing threats or is of uncertain reputation.
oThe host is known to be actively distributing adware or other medium-risk software.
oThe host is known to be distributing low-risk and potentially unwanted content.
oThe host is used as a command and control server by the {} malware family.
oThe host is used as a command and control server.
oVNS bruteforce IP
oRDP bruteforce IP
oSQL bruteforce IP
oSMB bruteforce IP
oFTP bruteforce IP
oWeb services scanning and attacks
•State—what kind of category the given malicious IP address is in:
oBlocked—IP address that shows malicious activity (high confidence)
oUnwanted—IP address that is considered a PUA or SCAM (medium confidence)
oBlocked Object—IP address that hosts downloadable malware but should not be blocked as a whole (low confidence)
•URLs—bad URLs we have seen on given IP
•Valid to—date of share +48h
STIX 2.0
Four types of STIX domain objects are available for IP feed:
•Indicator
•Malware
•Observed data
•Relationship
•Indicator—IoC that must be used for further blocking and/or investigation
oName—what category the given malicious IP address belongs to
▪Blocked—IP address that shows malicious activity (high confidence)
▪Unwanted—IP address that is considered a PUA or SCAM (medium confidence)
▪Blocked Object—IP address that hosts downloadable malware but should not be blocked as a whole (low confidence)
oDescription—human-readable information about why the given IP address has been identified as malicious
oPattern—IoC
oValid from—time of share of IoC
oValid until—time of share +48h
oLabel—category of detection in a format different than the name
▪Malicious activity (name—Blocked)
▪Benign (name—Blocked Object)
•Malware—this object is optional and does not necessarily need to be shared with every IP address IoC. In the event that we have been able to detect and block a file related to malware that was downloaded from a given IP address, this data will be shared. In the event that malware was trying to communicate with a given IP address, data about the malware that tried to communicate will be shared.
oName—name of the malware detection
oDescription—what type of malware-based additional information this is
▪Detected malware was downloaded from the IP address
▪Detected malware tried to contact the IP address
oLabels—what category of malware this is
▪Trojan
▪Worm
▪Virus
▪Dropper
▪Adware
▪Rogue security software
▪Ransomware
▪Keylogger
▪Rootkit
▪DDoS
▪Bot
▪Spyware
•Observed data—additional information for the given domain
oFirst observed—when was this IP address first seen in the wild
oLast observed—when the IP address was last seen
oNumber observed—the total number of times the IP address has been seen
oType—ipv4 or URL
oValue—the IP address on which the blocked URL is hosted
•Relationship