IOC Feeds and YARA rules

Download all IOCs as CSV, JSON lines or in the Elastic Common Schema format (ECS). Note: IOCs likely to cause false positives, such as filenames or port numbers, have been removed. Please limit downloads to once per hour, as updates are infrequent. You can also subscribe to a MISP feed of all reports and download all collected YARA rules in a single rule file.

Bulk Exports

The following bulk exports of the Rösti dataset are available. Note that these also contain very old data. Loading bulk exports MISP Feed

Feeds

Feeds entries are time-limited according to the following rules:

  • Hashes: maxium age 1 year
  • Network IOCs, such as domains, urls and IPs: maximum age 90 days
  • Other IOCs, such as filenames and email addresses: maximum age 30 days

They only contain entries with the IDS flag set and a risk level of 0.

Domain Feeds

Should be used for
AdBlock
Pi-hole, AdGuard, AdGuard Home, eBlocker, uBlock Origin, AdBlock, Adblock Plus, Opera, Vivaldi, Brave, AdNauseam, Little Snitch Mini, TechnitiumDNS
DNSMasq
DNSMasq (v2.86 or newer), adblock-lean, Diversion (v5 or newer)
Domains Subdomains
Blocky (older than v0.23), Diversion (older than v5), OpenSnitch, PersonalBlocklist, pfBlockerNG
Hosts
AdAway, uMatrix, DNS66, GasMask, NetGuard
Hosts (compressed)
Hostfile, Linux, Windows
PAC
Proxy Auto Configuration
RPZ
Response Policy Zone, Bind, Knot, PowerDNS, Unbound
Wildcard Asterisks
Blocky (v0.23 or newer), Nebulo, NetDuma, OPNsense, YogaDNS
Wildcard Domains
DNSCloak, DNSCrypt, TechnitiumDNS, PersonalDNSfilter, InviZible Pro

Product-Specific Feeds

Checkpoint

All Types Domains IPs IP ranges MD5s SHA-1s SHA-256s

Fortinet

Domains IPs Hashes

Microsoft Defender for Endpoint

All Types Domains IPs SHA-1s SHA-256s

You can view the list of IOCs here and the list of reports here .