Export IOCs
ThreatFox offers exports of indicators of compromise (IOCs) in the following formats:
Daily MISP Events
You can download ThreatFox IOCs as daily MISP events. New MISP events get generated at midnight. Please do not try to fetch them before 00:15 UTC.
host file (domains only)
Some commercial and open source security software (such as Pi-hole) can detect access to domain names based on the host file format. For this purpose, ThreatFox offers a list of domain based IOCs. The host file below contains the following datasets observed in the past 6 months:
- Payload delivery domains
- Botnet C2 domains
The following file gets generated every 5 minutes. Please do not fetch it more often than that.
Suricata IDS Ruleset
ThreatFox provides a ruleset containing all network based Indicators Of Compromise (IOCs) for Suricata IDS. Because we believe that IOCs have an expiration date too, and to avoid false positives, we only export IOCs for the past 6 months. Please note that the ruleset has been tested with Suricata version 6.0.0. The ruleset gets generated every 5 minutes.
DNS Response Policy Zone (RPZ)
By using a DNS Response Policy Zone (RPZ), also known as DNS firewall, you can detect the resolution of certain domain names observed in the past 6 months on your DNS resolver. ThreatFox offers the following IOCs as an RPZ dataset:
- Payload delivery domains
- Botnet C2 domains
More information about DNS RPZ can be found on dnsrpz.info. The following file gets generated every 5 minutes. Please do not fetch it more often than that.
JSON files
The following data exports exist in JSON format:
- Recent additions (download)
- Full data dump (download - zip compressed)
- URLs: Recent additions (download)
- URLs: Full data dump (download - zip compressed)
- Domains: Recent additions (download)
- Domains: Full data dump (download - zip compressed)
- IP-port: Recent additions (download)
- IP-port: Full data dump (download - zip compressed)
- MD5 hashes: Recent additions (download)
- MD5 hashes: Full data dump (download - zip compressed)
- SHA256 hashes: Recent additions (download)
- SHA256 hashes: Full data dump (download - zip compressed)
Note
Recent datasets ("recent additions") include IOCs for the last 48 hours and are being generated every 5 minutes. Please do not fetch them more often than that.
Full data dumps include all IOCs and are only being generated once per hour. Please do not fetch them more often than once per hour.
CSV files
The following data exports exist in CSV format:
- Recent additions (download)
- Full data dump (download - zip compressed)
- URLs: Recent additions (download)
- URLs: Full data dump (download - zip compressed)
- Domains: Recent additions (download)
- Domains: Full data dump (download - zip compressed)
- IP-port: Recent additions (download)
- IP-port: Full data dump (download - zip compressed)
- MD5 hashes: Recent additions (download)
- MD5 hashes: Full data dump (download - zip compressed)
- SHA256 hashes: Recent additions (download)
- SHA256 hashes: Full data dump (download - zip compressed)
Note
Recent datasets ("recent additions") include IOCs for the last 48 hours and are being generated every 5 minutes. Please do not fetch them more often than that.
Full data dumps include all IOCs and are only being generated once per hour. Please do not fetch them more often than once per hour.