From 59a653e9065a6fc4996112b572a63c5e7b9491cb Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Sat, 1 May 2021 10:52:02 +0200
Subject: [PATCH] chg: [doc] list updated

---
 README.md | 112 ++++++++++++++++++++++++++++++------------------------
 1 file changed, 63 insertions(+), 49 deletions(-)

diff --git a/README.md b/README.md
index d9e627d..edb3619 100755
--- a/README.md
+++ b/README.md
@@ -9,55 +9,69 @@ are available in one of the list. The list can be globally enabled or disabled i
 
 # lists
 
-- [lists/akamai](lists/akamai) - Akamai networks
-- [lists/alexa](lists/alexa) - Top 1000 websites from Alexa
-- [lists/amazon-aws](lists/amazon-aws) - Known Amazon AWS IP address ranges
-- [lists/automated-malware-analysis](lists/automated-malware-analysis) - known domains used by automated malware analysis services
-- [lists/bank-website](lists/bank-website) - List of known banking website
-- [lists/cisco_top1000](lists/cisco_top1000) - Cisco (Umbrella) top 1000 websites
-- [lists/cloudflare](lists/cloudflare) - known IP ranges published by Cloudflare
-- [lists/common-ioc-false-positive](lists/common-ioc-false-positive) - common false-positives in IOCs
-- [lists/covid](lists/covid) - Valid covid-19 related domains
-- [lists/crl](lists/crl-ip-hostname) - Source IP addresses, hostname and url from CRL (certificate revocation list)
-- [lists/disposable-email](lists/disposable-email) - List of disposable email domains
-- [lists/eicar.com](lists/eicar.com) - hashes for EICAR test virus
-- [lists/empty-hashes](lists/empty-hashes) - hash values of empty files
-- [lists/google-gmail-sending-ips](lists/google-gmail-sending-ips) - known IP ranges use by Google gmail mail sending
-- [lists/google](lists/google) - known domains and hostnames from Google
-- [lists/googlebot](lists/googlebot) - known IP ranges for googlebot crawler
-- [lists/ipv6-linklocal](lists/ipv6-linklocal) - IPv6 link local prefix
-- [lists/majestic_million](lists/majestic_million) - List of top 10K of the most referring subnets (Majestic Million - 10K).
-- [lists/microsoft-attack-simulator](lists/microsoft-attack-simulator/) - known Office 365 hostnames and IP address used for Microsoft "Attack Simulator"
-- [lists/microsoft-azure](lists/microsoft-azure) - known Microsoft Azure Datacenter IP Ranges
-- [lists/microsoft-office365-cn](lists/microsoft-office365-cn) - known Office 365 IP address ranges in China
-- [lists/microsoft-office365-ip](lists/microsoft-office365-ip) - known Office 365 IP address ranges
-- [lists/microsoft-office365](lists/microsoft-office365) - known Office 365 URLs
-- [lists/microsoft-win10-connection-endpoints](lists/microsoft-win10-connection-endpoints/) - known Windows 10 connection endpoints
-- [lists/microsoft](lists/microsoft) - known Microsoft domains
-- [lists/mozilla-CA](lists/mozilla-CA) - Mozilla keystore CA
-- [lists/mozilla-IntermediateCA](lists/mozilla-IntermediateCA) - Mozilla keystore Intermediate CA
-- [lists/multicast](lists/multicast) - known IPv4 multicast CIDR blocks
-- [lists/ovh-cluster](lists/ovh-cluster) - List of known OVH Cluster IP
-- [lists/phone_numbers](lists/phone_numbers) - Unattributed phone number, reserved for different purposes
-- [lists/public-dns-v4](lists/public-dns-v4) - IPv4 addresses and reverse of public DNS resolver
-- [lists/public-dns-v6](lists/public-dns-v6) - IPv6 addresses and reverse of public DNS resolver
-- [lists/rfc1918](lists/rfc1918) - RFC 1918 network subnets
-- [lists/rfc3849](lists/rfc3849) - RFC 3849 - Documentation prefix for ipv6
-- [lists/rfc5735](lists/rfc5735) - RFC 5735 CIDR blocks - Special Use IPv4 Addresses
-- [lists/rfc6598](lists/rfc6598) - RFC 6598 IANA-Reserved IPv4 Prefix for Shared Address Space (Carrier- Grade NAT (CGN) devices)
-- [lists/rfc6761](lists/rfc6761) - RFC 6761 Special-Use Domain Names
-- [lists/second-level-tlds](lists/second-level-tlds) - Mozilla list of second level top-level domains
-- [lists/security-provider-blogpost](lists/security-provider-blogpost) - Security providers or vendors blog domains
-- [lists/sinkholes](lists/sinkholes) - List of known sinkholes
-- [lists/tlds](lists/tlds) - top-level domains
-- [lists/tranco](lists/tranco) - Top 1,000,000 domains from [Tranco](https://tranco-list.eu/)
-- [lists/tranco10k](lists/tranco10k) - Top 10K domains from [Tranco](https://tranco-list.eu/)
-- [lists/university_domains](lists/university_domains) - University domain names
-- [lists/url-shortener](lists/url-shortener) - URL shorteners services
-- [lists/vpn-ipv4](lists/vpn-ipv4) - Specialized list of IPv4 addresses belonging to common VPN providers and datacenters
-- [lists/vpn-ipv6](lists/vpn-ipv6) - Specialized list of IPv6 addresses belonging to common VPN providers and datacenters
-- [lists/whats-my-ip](lists/whats-my-ip) - "What's my IP" service
-- [lists/wikimedia/list.json](lists/wikimedia/) - Lists of subnet used by Wikimedia (such as Wikipedia and alike)
+- [akamai/list.json](./akamai/list.json) - List of known Akamai IP ranges - _Akamai IP ranges from BGP search_
+- [alexa/list.json](./alexa/list.json) - Top 1000 website from Alexa - _Event contains one or more entries from the top 1000 of the most used website (Alexa)._
+- [amazon-aws/list.json](./amazon-aws/list.json) - List of known Amazon AWS IP address ranges - _Amazon AWS IP address ranges (https://ip-ranges.amazonaws.com/ip-ranges.json)_
+- [automated-malware-analysis/list.json](./automated-malware-analysis/list.json) - List of known domains used by automated malware analysis services & security vendors - _Domains used by automated malware analysis services & security vendors_
+- [bank-website/list.json](./bank-website/list.json) - List of known bank domains - _Event contains one or more entries of known banking website_
+- [cisco_top1000/list.json](./cisco_top1000/list.json) - Top 1000 websites from Cisco Umbrella - _Event contains one or more entries from the top 1000 of the most used websites (Cisco Umbrella)._
+- [cisco_top10k/list.json](./cisco_top10k/list.json) - Top 10 000 websites from Cisco Umbrella - _Event contains one or more entries from the top 10 000 of the most used websites (Cisco Umbrella)._
+- [cisco_top20k/list.json](./cisco_top20k/list.json) - Top 20 000 websites from Cisco Umbrella - _Event contains one or more entries from the top 20 000 of the most used websites (Cisco Umbrella)._
+- [cisco_top5k/list.json](./cisco_top5k/list.json) - Top 5000 websites from Cisco Umbrella - _Event contains one or more entries from the top 5000 of the most used websites (Cisco Umbrella)._
+- [cloudflare/list.json](./cloudflare/list.json) - List of known Cloudflare IP ranges - _List of known Cloudflare IP ranges (https://www.cloudflare.com/ips/)_
+- [common-contact-emails/list.json](./common-contact-emails/list.json) - Common contact e-mail addresses - _A list of commonly used abuse and contact e-mail addresses, including the ones denoted in RFC2142._
+- [common-ioc-false-positive/list.json](./common-ioc-false-positive/list.json) - List of known hashes with common false-positives (based on Florian Roth input list) - _Event contains one or more entries with common false-positives_
+- [covid-19-cyber-threat-coalition-whitelist/list.json](./covid-19-cyber-threat-coalition-whitelist/list.json) - Covid-19 Cyber Threat Coalition's Whitelist - _The Cyber Threat Coalition's whitelist of COVID-19 related websites._
+- [covid-19-krassi-whitelist/list.json](./covid-19-krassi-whitelist/list.json) - Covid-19 Krassi's Whitelist - _Krassimir's Covid-19 whitelist of known good Covid-19 related websites._
+- [covid/list.json](./covid/list.json) - Valid covid-19 related domains - _Maintained using different lists (such as Jaime Blasco's and Krassimir's lists)._
+- [crl-ip-hostname/list.json](./crl-ip-hostname/list.json) - CRL Warninglist - _CRL Warninglist from threatstop (https://github.com/threatstop/crl-ocsp-whitelist/)_
+- [dax30/list.json](./dax30/list.json) - List of known dax30 webpages - _Event contains one or more entries of known dax30 webpages_
+- [disposable-email/list.json](./disposable-email/list.json) - List of disposable email domains - _List of disposable email domains_
+- [eicar.com/list.json](./eicar.com/list.json) - List of hashes for EICAR test virus - _Event contains one or more entries based on hashes for EICAR test virus_
+- [empty-hashes/list.json](./empty-hashes/list.json) - List of known hashes for empty files - _Event contains one or more entries of empty files based on known hashed_
+- [fastly/list.json](./fastly/list.json) - List of known Fastly IP address ranges - _Fastly IP address ranges (https://api.fastly.com/public-ip-list)_
+- [google-gcp/list.json](./google-gcp/list.json) - List of known GCP (Google Cloud Platform) IP address ranges - _GCP (Google Cloud Platform) IP address ranges (https://www.gstatic.com/ipranges/cloud.json)_
+- [google-gmail-sending-ips/list.json](./google-gmail-sending-ips/list.json) - List of known gmail sending IP ranges - _List of known gmail sending IP ranges (https://support.google.com/a/answer/27642?hl=en )_
+- [google/list.json](./google/list.json) - List of known google domains - _Event contains one or more entries of known google domains_
+- [googlebot/list.json](./googlebot/list.json) - List of known Googlebot IP ranges - _List of known Googlebot IP ranges (https://www.lifewire.com/what-is-the-ip-address-of-google-818153 )_
+- [ipv6-linklocal/list.json](./ipv6-linklocal/list.json) - List of IPv6 link local blocks - _Event contains one or more entries part of the IPv6 link local prefix (RFC 4291)_
+- [majestic_million/list.json](./majestic_million/list.json) - Top 10K websites from Majestic Million - _Event contains one or more entries from the top 10K of the most used websites (Majestic Million)._
+- [microsoft-attack-simulator/list.json](./microsoft-attack-simulator/list.json) - List of known Office 365 Attack Simulator used for phishing awareness campaigns - _Office 365 URLs and IP address ranges used for their attack simulator in Office 365 Threat Intelligence_
+- [microsoft-azure/list.json](./microsoft-azure/list.json) - List of known Microsoft Azure Datacenter IP Ranges - _Microsoft Azure Datacenter IP Ranges_
+- [microsoft-office365-cn/list.json](./microsoft-office365-cn/list.json) - List of known Office 365 IP address ranges in China - _Office 365 IP address ranges in China_
+- [microsoft-office365-ip/list.json](./microsoft-office365-ip/list.json) - List of known Office 365 IP address ranges - _Office 365 IP address ranges_
+- [microsoft-office365/list.json](./microsoft-office365/list.json) - List of known Office 365 URLs - _Office 365 URLs and IP address ranges_
+- [microsoft-win10-connection-endpoints/list.json](./microsoft-win10-connection-endpoints/list.json) - List of known Windows 10 connection endpoints - _Event contains one or more entries of known Windows 10 connection endpoints (https://docs.microsoft.com/en-us/windows/privacy/manage-windows-endpoints)_
+- [microsoft/list.json](./microsoft/list.json) - List of known microsoft domains - _Event contains one or more entries of known microsoft domains_
+- [moz-top500/list.json](./moz-top500/list.json) - Top 500 domains and pages from https://moz.com/top500 - _Event contains one or more entries from the top 500 of the most used domains (Mozilla)._
+- [mozilla-CA/list.json](./mozilla-CA/list.json) - Fingerprint of trusted CA certificates - _Fingerprint of trusted CA certificates taken from Mozilla's lists at https://wiki.mozilla.org/CA_
+- [mozilla-IntermediateCA/list.json](./mozilla-IntermediateCA/list.json) - Fingerprint of known intermedicate of trusted certificates - _Fingerprint of known intermedicate of trusted certificates taken from Mozilla's lists at https://wiki.mozilla.org/CA_
+- [multicast/list.json](./multicast/list.json) - List of RFC 5771 multicast CIDR blocks - _Event contains one or more entries part of the RFC 5771 multicast CIDR blocks_
+- [nioc-filehash/list.json](./nioc-filehash/list.json) - List of known hashes for benign files - _Event contains one or more benign files based on known hashes, see https://github.com/RichieB2B/nioc_
+- [ovh-cluster/list.json](./ovh-cluster/list.json) - List of known Ovh Cluster IP - _OVH Cluster IP address (https://docs.ovh.com/fr/hosting/liste-des-adresses-ip-des-clusters-et-hebergements-web/)_
+- [phone_numbers/list.json](./phone_numbers/list.json) - Unattributed phone number. - _Numbers that cannot be attributed because they reserved for different purposes._
+- [public-dns-hostname/list.json](./public-dns-hostname/list.json) - List of known public DNS resolvers expressed as hostname - _Event contains one or more public DNS resolvers (expressed as hostname) as attribute with an IDS flag set_
+- [public-dns-v4/list.json](./public-dns-v4/list.json) - List of known IPv4 public DNS resolvers - _Event contains one or more public IPv4 DNS resolvers as attribute with an IDS flag set_
+- [public-dns-v6/list.json](./public-dns-v6/list.json) - List of known IPv6 public DNS resolvers - _Event contains one or more public IPv6 DNS resolvers as attribute with an IDS flag set_
+- [rfc1918/list.json](./rfc1918/list.json) - List of RFC 1918 CIDR blocks - _Event contains one or more entries part of the RFC 1918 CIDR blocks_
+- [rfc3849/list.json](./rfc3849/list.json) - List of RFC 3849 CIDR blocks - _Event contains one or more entries part of the IPv6 documentation prefix (RFC 3849)_
+- [rfc5735/list.json](./rfc5735/list.json) - List of RFC 5735 CIDR blocks - _Event contains one or more entries part of the RFC 5735 CIDR blocks - Special Use IPv4 Addresses_
+- [rfc6598/list.json](./rfc6598/list.json) - List of RFC 6598 CIDR blocks - _Event contains one or more entries part of the RFC 6598 CIDR blocks - Special Use IPv4 Addresses_
+- [rfc6761/list.json](./rfc6761/list.json) - List of RFC 6761 Special-Use Domain Names - _Event contains one or more entries part of the RFC 6761 Special-Use Domain Names_
+- [second-level-tlds/list.json](./second-level-tlds/list.json) - Second level TLDs as known by Mozilla Foundation - _Event contains one or more second level TLDs as attribute with an IDS flag set_
+- [security-provider-blogpost/list.json](./security-provider-blogpost/list.json) - List of known security providers/vendors blog domain - _Event contains one or more entries of known security providers/vendors blog domain with an IDS flag set_
+- [sinkholes/list.json](./sinkholes/list.json) - List of known sinkholes - _List of known sinkholes_
+- [stackpath/list.json](./stackpath/list.json) - List of known Stackpath CDN IP ranges - _List of known Stackpath (Highwinds) CDN IP ranges (https://support.stackpath.com/hc/en-us/articles/360001091666-Whitelist-CDN-WAF-IP-Blocks)_
+- [ti-falsepositives/list.json](./ti-falsepositives/list.json) - Hashes that are often included in IOC lists but are false positives. - _Hashes that are often included in IOC lists but are false positives._
+- [tlds/list.json](./tlds/list.json) - TLDs as known by IANA - _Event contains one or more TLDs as attribute with an IDS flag set_
+- [tranco/list.json](./tranco/list.json) - Top 1,000,000 most-used sites from Tranco - _Event contains one or more entries from the top 1,000,000 most-used sites (https://tranco-list.eu/)._
+- [tranco10k/list.json](./tranco10k/list.json) - Top 10K most-used sites from Tranco - _Event contains one or more entries from the top 10K most-used sites (https://tranco-list.eu/)._
+- [university_domains/list.json](./university_domains/list.json) - University domains - _List of University domains from https://raw.githubusercontent.com/Hipo/university-domains-list/master/world_universities_and_domains.json_
+- [url-shortener/list.json](./url-shortener/list.json) - List of known URL Shorteners domains - _Event contains one or more entries of known Shorteners domains_
+- [vpn-ipv4/list.json](./vpn-ipv4/list.json) - Specialized list of IPv4 addresses belonging to common VPN providers and datacenters - _Specialized list of IPv4 addresses belonging to common VPN providers and datacenters_
+- [vpn-ipv6/list.json](./vpn-ipv6/list.json) - Specialized list of IPv6 addresses belonging to common VPN providers and datacenters - _Specialized list of IPv6 addresses belonging to common VPN providers and datacenters_
+- [whats-my-ip/list.json](./whats-my-ip/list.json) - List of known domains to know external IP - _Event contains one or more entries of known 'what's my ip' domains_
+- [wikimedia/list.json](./wikimedia/list.json) - List of known Wikimedia address ranges - _Wikimedia address ranges (http://noc.wikimedia.org/conf/reverse-proxy.php.txt)_
 
 # Format of a warning list