IOC Feeds and YARA rules
Download all IOCs as CSV, JSON lines or in the Elastic Common Schema format (ECS). Note: IOCs likely to cause false positives, such as filenames or port numbers, have been removed. Please limit downloads to once per hour, as updates are infrequent. You can also subscribe to a MISP feed of all reports and download all collected YARA rules in a single rule file.
Bulk Exports
The following bulk exports of the Rösti dataset are available. Note that these also contain very old data.
MISP Feed
Feeds
Feed entries are time-limited according to the following rules:
- Hashes: maximum age 1 year
- Network IOCs, such as domains, URLs and IPs: maximum age 90 days
- Other IOCs, such as filenames and email addresses: maximum age 30 days
They only contain entries with the IDS flag set and a risk level of 0.
Domain Feeds
Should be used for
Pi-hole, AdGuard, AdGuard Home, eBlocker, uBlock Origin, AdBlock, Adblock Plus, Opera, Vivaldi, Brave, AdNauseam, Little Snitch Mini, TechnitiumDNS
DNSMasq (v2.86 or newer), adblock-lean, Diversion (v5 or newer)
Blocky (older than v0.23), Diversion (older than v5), OpenSnitch, PersonalBlocklist, pfBlockerNG
AdAway, uMatrix, DNS66, GasMask, NetGuard
Hostfile, Linux, Windows
Proxy Auto Configuration
Response Policy Zone, Bind, Knot, PowerDNS, Unbound
Blocky (v0.23 or newer), Nebulo, NetDuma, OPNsense, YogaDNS
DNSCloak, DNSCrypt, TechnitiumDNS, PersonalDNSfilter, InviZible Pro
Product-Specific Feeds
Checkpoint
Fortinet
Microsoft Defender for Endpoint
You can view the list of IOCs here and the list of reports here.