Export

ThreatFox offers the exporting of indicators of compromise (IOCs) in following formats:

Daily MISP Events Suricata IDS Ruleset DNS Response Policy Zone (RPZ) host file (domain only) JSON file CSV files


Daily MISP Events


You can download ThreatFox IOCs as daily MISP events. New MISP events get generated at midnight. Plese do not try to fetch them before 00:15 UTC.

host file (domains only)


Some commercial and open source security software (such as Pi-hole) can block access to domain names based on the host file format. For this purpose, ThreatFox offers a list of domain based IOCs. The host file below contains the following datasets observed in the past 6 month:

The following file gets generated every 5 minutes. Please do not fetch it more often than that.

Download host file

Suricata IDS Ruleset


ThreatFox provides a ruleset containing all network based Indicators Of Compromise (IOCs) for Suricata IDS. As we believe that IOCs have an expiration date too and to avoid false positive, we only export IOCs for the past 6 month. Please note that the ruleset has been tested with Suricata version 6.0.0. The ruleset gets generated every 5 minutes.

Download Suricata IDS Ruleset (tar.gz)

Download Suricata IDS Ruleset

DNS Response Policy Zone (RPZ)


By using an DNS Reponse Policy Zone (RPZ), also known as DNS firewall, you can block the resolution of certain domain names ovserved in the past 6 month on your DNS resolver. ThreatFox offerst the following IOCs as RPZ dataset:

More information about DNS RPZ can be found on dnsrpz.info. The following file gets generated every 5 minutes. Please do not fetch it more often than that.

Download RPZ

JSON files


The following data exports exists in JSON format:

CSV files


The following data exports exists in CSV format: