Discontinued Threat Intelligence Feeds

Identifies the country in which a specific destination ASN resides, as identified by Arin Net.

MaxMind is no longer supporting this content.

Identifies the country in which a specific source ASN resides, as identified by Arin Net.

MaxMind is no longer supporting this content.

Provides additional meta information for AS Networks, Organization names, Country codes, and country names as sourced from MaxMind and ArinNet.

MaxMind is no longer supporting this content.

Creates meta when hits to known online file storage sites are detected.

Due to the distributed and constantly evolving infrastructure of cloud services, it is not beneficial to track all systems by their FQDNs.

Detects high-risk file types by extension.

Prone to false positives due to attackers mimicking legitimate download behaviors.

Hijacked IP list source from www.bluetack.co.uk.

Outdated list of IP addresses that is are longer publicly updated and provided to the community.

hunting

The Hunting feed can be deployed to provide a baseline response framework that allows analysts to investigate collections with a modular approach to response.

Replaced by the Investigation Feed.

IDefense Threat Indicators Domains

Verisign idefense security intelligence services gives information security executives access to accurate and actionable cyber-intelligence related to vulnerabilities, malicious code, and global threats 24 hours a day, 7 days a week.

This feed is no longer available nor updated, due to an expired partnership with IDefense.

Malware Domains

List of domains commonly associated with malware sourced from www.malwaredomains.com.

RSA no longer licenses this feed.

MaxMind ASN

List of AS Networks associated with IP address ranges regularly updated and sourced from MaxMind.

MaxMind is no longer supporting this content.

NetWitness Fraud Intelligence powered by Verisign

Verisign idefense security intelligence services gives information security executives access to accurate and actionable cyber-intelligence related to vulnerabilities, malicious code, and global threats 24 hours a day, 7 days a week.

This feed has been incorporated into the existing RSA Research feed.

Palevo Tracker offers three different blocklists, used to block the access to well known Palevo botnet Command & Control botnets.

The Palevo tracker feeds are no longer being updated by the community; the threat has diminished, and this content provides no operational security value.

Contains attachments that are known to be associated with APTs.

Contains IPs that have been observed using criminal anonymization services.

The malware that this project leveraged has since gone dormant, and the data it provided has outlived its usefulness.

Contains domains that represent known VPN entry nodes for criminal anonymization services.

The feeds associated with VPN IPs (RSA FirstWatch Criminal VPN Entry/Exit IPs) provide more value than the domain related ones. The only time the domain feeds would fire are on DNS lookup vs. the actual VPN traffic.

Contains domains that represent known VPN exit nodes for criminal anonymization services.

Contains Domains that are known to be associated with malware delivery.

Duplication of effort and value of the RSA Fraud Action Domain feed.

Contains IPs that are known to be associated with malware delivery.

Contains IP that are known to be compromised.

Contains domains known to be associated with insider threats.

Due to the distributed nature of cloud services and the number of new file sharing services that continue to appear this feed provided more noise than analytical value.

Contains IPs known to be associated with insider threats.

SpyEye domain tracker is a list of spyeye (also known as zbot, prg, wsnpoem, gorhax and kneber) command & control domain names. SpyEye tracker has tracked more than 2,800 malicious spyeye c&c servers. SpyEye is spread mainly through drive-by downloads and phishing schemes.

The SpyEye tracker feeds are no longer being updated by the community; the threat has diminished, and this content provides no operational security value.

Contains malicious ip addresses sourced from www.sri.com.

A change in licensing prevents RSA from redistributing the data feed

The SSH blacklist, contains IP addresses of hosts which tried to bruteforce into any of currently 10 hosts (all running OpenBSD, FreeBSD or Linux) using the SSH protocol. The hosts are located in Germany, the United States, and Australia, and are setup to report and log those attempts to a central database.

The website that hosts this material has posted a notice that they will no longer be providing updates.

Contains IPs that are listed as active nodes in the Tor network.

This list contains all Tor nodes, and because other services are often hosted on the same IP address as the Tor node, this leads to false positives.

Detects hits to known URL-shortening services.

Due to their adoption across social media and within organizations, this feed has limited analytic value due to increased noise.

Wikileaks domain mirrors.

Wikileaks has adopted a TOR as a method of distribution instead of a wide network of WWW mirrors.

Zeus domain tracker is a list of zeus (also known as zbot, prg, wsnpoem, gorhax and kneber) command & control domain names. Zeus tracker has tracked more than 2,800 malicious zeus C&C servers. Zeus is spread mainly through drive-by downloads and phishing schemes.

The ZeuS feed is sporadically updated by the community, and the updates are prone to false positives because updates have shifted towards compromised sites rather than core ZeuS infrastructure.

Zeus tracker is a list of IP addresses of zeus servers (hosts) around the world.