enrich-malwaredomains

Primary language: Python. License: GNU General Public License v3.0 (GPL-3.0).

Malware Domains

http://mirror1.malwaredomains.com/files/domains.txt

Overview

The DNS-BH project creates and maintains a list of domains that are known to be used to propagate malware and spyware. The project also generates the BIND and Windows DNS zone files needed to answer any query for those domains with a fake reply pointing at localhost, which blocks many spyware installs and the reporting traffic that follows them.

The Malware Domains feeds provided here are free for noncommercial use as part of the fight against malware. Any commercial use of this list is strictly prohibited without prior approval. (It is OK to use this list on an internal DNS server for which you are not charging.)

Malware Domains feeds

Listing of domains that are known to be used to propagate malware and spyware

Using the Malware Domains feed API

The Malware Domain feed API is found on github at

https://github.com/dnif/enrich-malwaredomains

Getting started with the Malware Domains feed API

  1. Log in to your DNIF AD or A10 container over SSH
     (see the linked guide: ACCESS DNIF CONTAINER VIA SSH).
  2. Move to the '/dnif/<Deployment-key>/enrichment_plugins' folder path
     (the deployment key shown below is a placeholder; use your own):
     $ cd /dnif/CnxxxxxxxxxxxxV8/enrichment_plugins/
  3. Clone the plugin into a folder named malwaredomains:
     $ git clone https://github.com/dnif/enrich-malwaredomains.git malwaredomains

API feed output structure

Each enrichment record carries the indicator at the top level; IntelRef, IntelRefURL and ThreatType are nested under AddFields, each as a list of strings.

Field         Description
EvtType       Indicator type; for this feed always DOMAIN
EvtName       The IOC (the listed domain)
IntelRef      Feed name (MALWAREDOMAINS)
IntelRefURL   Feed URL: the original reference the feed cites for the domain (e.g. spamhaus.org)
ThreatType    DNIF feed identification name, i.e. the threat category the feed assigns (e.g. botnet)

An example of API feed output

{'EvtType': 'DOMAIN',
 'EvtName': 'ybobvntcrub.pw',
 'AddFields': {'IntelRefURL': ['spamhaus.org'],
               'ThreatType': ['botnet'],
               'IntelRef': ['MALWAREDOMAINS']}}
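The following is an added example, not code from the dnif/enrich-malwaredomains plugin. It shows how a domains.txt-style feed can be loaded into a lookup table and how a queried domain is turned into a record with the field layout described above. The column layout it assumes for domains.txt (tab-separated lines, '#' comment lines, fields nextvalidation, domain, type, reference, dateverified, dateadded), the sample feed lines, the domain names other than ybobvntcrub.pw, and the parent-domain matching rule are all assumptions made for this example; the page does not describe the plugin's own parser or matching rule.

```python
"""Added example (not the dnif/enrich-malwaredomains plugin's own code).

Assumed domains.txt layout: tab-separated, '#' comment lines, fields
  nextvalidation, domain, type, reference, dateverified, dateadded
The sample lines below are constructed for this example.
"""
from typing import Dict, Optional

# Constructed sample feed in the assumed layout. The first (empty) column is
# "nextvalidation". ybobvntcrub.pw is the domain from the page's example;
# the other two names are made up and use reserved test TLDs.
SAMPLE_FEED = """\
## Malware Domain Blocklist (constructed sample)
## nextvalidation\tdomain\ttype\treference\tdateverified\tdateadded
\tybobvntcrub.pw\tbotnet\tspamhaus.org\t20170301\t20170115
\tEXAMPLE-Dropper.invalid.\tmalware\tmalwaredomainlist.com\t20170228\t20160912
\tbad.example.test\tattackpage\tsafebrowsing.clients.google.com\t20170210\t20170210
"""

# Value the plugin's output uses for IntelRef, per the page's example.
FEED_NAME = "MALWAREDOMAINS"


def normalize_domain(name: str) -> str:
    """Canonical form for matching: stripped, lowercase, no trailing dot.
    DNS logs often carry the FQDN form ("host.example.") and mixed case."""
    return name.strip().rstrip(".").lower()


def parse_feed(text: str) -> Dict[str, Dict[str, str]]:
    """Build {domain: {"type": ..., "ref": ...}} from feed text.

    Comment and blank lines are skipped. Short or malformed lines are
    skipped too, rather than raising, so one bad line in a large feed
    does not disable the whole enrichment.
    """
    table: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            continue
        domain = normalize_domain(fields[1])
        if not domain:
            continue
        table[domain] = {
            "type": fields[2].strip() or "unknown",
            "ref": fields[3].strip(),
        }
    return table


def enrich(table: Dict[str, Dict[str, str]], queried: str) -> Optional[dict]:
    """Return an enrichment record in the page's output layout, or None.

    Matching policy chosen for this example (an assumption): the queried
    name is normalized and then walked up one label at a time, so a query
    for cdn.listed.tld also hits listed.tld. The bare TLD is never tried.
    """
    labels = normalize_domain(queried).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        hit = table.get(candidate)
        if hit is not None:
            return {
                "EvtType": "DOMAIN",
                "EvtName": candidate,  # the IOC, i.e. the listed domain
                "AddFields": {
                    "IntelRefURL": [hit["ref"]],
                    "ThreatType": [hit["type"]],
                    "IntelRef": [FEED_NAME],
                },
            }
    return None


if __name__ == "__main__":
    lookup = parse_feed(SAMPLE_FEED)
    for q in ("YBOBVNTCRUB.PW.", "cdn.bad.example.test", "example.org"):
        print(q, "->", enrich(lookup, q))
```

The trailing-dot and case normalization matters in practice: a DNS resolver log that records "ybobvntcrub.pw." would otherwise miss an exact-string lookup against the feed, and the parent-label walk catches the common case where the malware beacons to a subdomain of the listed name.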