IOC Feeds and YARA rules

Download all IOCs as CSV, JSON lines or in the Elastic Common Schema format (ECS). Note: IOCs likely to cause false positives, such as filenames or port numbers, have been removed. Please limit downloads to once per hour, as updates are infrequent. You can also subscribe to a MISP feed of all reports and download all collected YARA rules in a single rule file.

Domain Feeds

These feeds contain the domains from the past 180 days which have the IDS flag set.

Should be used for
Pi-hole, AdGuard, AdGuard Home, eBlocker, uBlock Origin, AdBlock, Adblock Plus, Opera, Vivaldi, Brave, AdNauseam, Little Snitch Mini, TechnitiumDNS
DNSMasq (v2.86 or newer), adblock-lean, Diversion (v5 or newer)
Blocky (older than v0.23), Diversion (older than v5), OpenSnitch, PersonalBlocklist, pfBlockerNG
AdAway, uMatrix, DNS66, GasMask, NetGuard
Hostfile, Linux, Windows
Proxy Auto Configuration
Response Policy Zone, Bind, Knot, PowerDNS, Unbound
Blocky (v0.23 or newer), Nebulo, NetDuma, OPNsense, YogaDNS
DNSCloak, DNSCrypt, TechnitiumDNS, PersonalDNSfilter, InviZible Pro

Product-Specific Feeds

Checkpoint

These Checkpoint feeds contain IOCs from the past 180 days which have the IDS flag set.

Fortinet

These Fortinet feeds contain IOCs from the past 180 days which have the IDS flag set.

Microsoft Defender for Endpoint

These MDE feeds contain IOCs from the past 30 days which have the IDS flag set.

You can view the list of IOCs here and the list of reports here.

Last updated: 20 January 2025 at 14:42:40