19 KiB
Executable File
misp-warninglist
misp-warninglists are lists of well-known indicators that can be associated to potential false positives, errors or mistakes.
The warning lists are integrated in MISP to display an info/warning box at the event and attribute level if such indicators are available in one of the list. The lists are also used to filter potential false-positive at API level. The list can be globally enabled or disabled in MISP following the practices of the organization. The warning lists are reused in many other open source projects.
lists
- akamai/list.json - List of known Akamai IP ranges - Akamai IP ranges from BGP search
- alexa/list.json - Top 1000 website from Alexa - Event contains one or more entries from the top 1000 of the most used website (Alexa).
- amazon-aws/list.json - List of known Amazon AWS IP address ranges - Amazon AWS IP address ranges (https://ip-ranges.amazonaws.com/ip-ranges.json)
- apple/list.json - List of known Apple IP ranges - IP ranges assigned to Apple
- automated-malware-analysis/list.json - List of known domains used by automated malware analysis services & security vendors - Domains used by automated malware analysis services & security vendors
- bank-website/list.json - List of known bank domains - Event contains one or more entries of known banking website
- captive-portals/list.json - Captive Portal Detection Hostnames - Hostnames used by different desktop and mobile device operating systems for captive portal detection as documented by the Wireless Broadband Alliance.
- censys-scanning/list.json - Censys IP Ranges Used for Scanning - List containing IP's associated with Censys scanning [https://support.censys.io/hc/en-us/articles/360043177092-Opt-Out-of-Data-Collection#Can_I_opt_out_of_Censys_data_collection?]
- cisco_top1000/list.json - Top 1000 websites from Cisco Umbrella - Event contains one or more entries from the top 1000 of the most used websites (Cisco Umbrella).
- cisco_top10k/list.json - Top 10 000 websites from Cisco Umbrella - Event contains one or more entries from the top 10 000 of the most used websites (Cisco Umbrella).
- cisco_top20k/list.json - Top 20 000 websites from Cisco Umbrella - Event contains one or more entries from the top 20 000 of the most used websites (Cisco Umbrella).
- cisco_top5k/list.json - Top 5000 websites from Cisco Umbrella - Event contains one or more entries from the top 5000 of the most used websites (Cisco Umbrella).
- cloudflare/list.json - List of known Cloudflare IP ranges - List of known Cloudflare IP ranges (https://www.cloudflare.com/ips/)
- common-contact-emails/list.json - Common contact e-mail addresses - A list of commonly used abuse and contact e-mail addresses, including the ones denoted in RFC2142.
- common-ioc-false-positive/list.json - List of known hashes with common false-positives (based on Florian Roth input list) - Event contains one or more entries with common false-positives
- covid-19-cyber-threat-coalition-whitelist/list.json - Covid-19 Cyber Threat Coalition's Whitelist - The Cyber Threat Coalition's whitelist of COVID-19 related websites.
- covid-19-krassi-whitelist/list.json - Covid-19 Krassi's Whitelist - Krassimir's Covid-19 whitelist of known good Covid-19 related websites.
- covid/list.json - Valid covid-19 related domains - Maintained using different lists (such as Jaime Blasco's and Krassimir's lists).
- crl-hostname/list.json - CRL and OCSP domains - Domains that belongs to CRL or OCSP
- crl-ip/list.json - CRL and OCSP IP addresses - IP addresses that belongs to CRL or OCSP
- dax30/list.json - List of known dax30 webpages - Event contains one or more entries of known dax30 webpages
- digitalside/list.json - OSINT.DigitalSide.IT Warning List - "OSINT DigitalSide Threat-Intel Repository - MISP Warninglist - List of domains should be marked as false positive in the related MISP event with IDS attribute not flagged
- disposable-email/list.json - List of disposable email domains - List of disposable email domains
- dynamic-dns/list.json - List of known dynamic DNS domains - Event contains one or more entries of known dynamic DNS domains.
- eicar.com/list.json - List of hashes for EICAR test virus - Event contains one or more entries based on hashes for EICAR test virus
- empty-hashes/list.json - List of known hashes for empty files - Event contains one or more entries of empty files based on known hashed
- fastly/list.json - List of known Fastly IP address ranges - Fastly IP address ranges (https://api.fastly.com/public-ip-list)
- findip-host/list.json - List of known hostname used for querying your source IP. This can be used as exclusion for your Passive DNS lookup. - Event contains one or more entries of known hostname querying your source IP.
- google-chrome-crux-1million/list.json - google-chrome-crux-1million - Cached Chrome Top Million Websites - top 1 million
- google-gcp/list.json - List of known GCP (Google Cloud Platform) IP address ranges - GCP (Google Cloud Platform) IP address ranges (https://www.gstatic.com/ipranges/cloud.json)
- google-gmail-sending-ips/list.json - List of known Gmail sending IP ranges - List of known Gmail sending IP ranges (https://support.google.com/a/answer/27642?hl=en)
- google/list.json - List of known google domains - Event contains one or more entries of known google domains
- googlebot/list.json - List of known Googlebot IP ranges (https://developers.google.com/search/apis/ipranges/googlebot.json) - Google Bot IP address ranges (https://developers.google.com/search/apis/ipranges/googlebot.json)
- ipv6-linklocal/list.json - List of IPv6 link local blocks - Event contains one or more entries part of the IPv6 link local prefix (RFC 4291)
- link-in-bio/list.json - List of known Link in Bio domains - Event contains one or more entries of known Link in Bio domains
- majestic_million/list.json - Top 10000 websites from Majestic Million - Event contains one or more entries from the top 10K of the most used websites (Majestic Million).
- microsoft-attack-simulator/list.json - List of known Office 365 Attack Simulator used for phishing awareness campaigns - Office 365 URLs and IP address ranges used for their attack simulator in Office 365 Threat Intelligence
- microsoft-azure-appid/list.json - List of Azure Applicaiton IDs - List of Azure Application IDs (https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in)
- microsoft-azure-china/list.json - List of known Microsoft Azure China Datacenter IP Ranges - Microsoft Azure China Datacenter IP Ranges
- microsoft-azure-germany/list.json - List of known Microsoft Azure Germany Datacenter IP Ranges - Microsoft Azure Germany Datacenter IP Ranges
- microsoft-azure-us-gov/list.json - List of known Microsoft Azure US Government Cloud Datacenter IP Ranges - Microsoft Azure US Government Cloud Datacenter IP Ranges
- microsoft-azure/list.json - List of known Microsoft Azure Datacenter IP Ranges - Microsoft Azure Datacenter IP Ranges
- microsoft-office365-cn/list.json - List of known Office 365 IP address ranges in China - Office 365 IP address ranges in China
- microsoft-office365-ip/list.json - List of known Office 365 IP address ranges - Office 365 IP address ranges
- microsoft-office365/list.json - List of known Office 365 URLs - Office 365 URLs and IP address ranges
- microsoft-win10-connection-endpoints/list.json - List of known Windows 10 connection endpoints - Event contains one or more entries of known Windows 10 connection endpoints (https://docs.microsoft.com/en-us/windows/privacy/manage-windows-endpoints)
- microsoft/list.json - List of known microsoft domains - Event contains one or more entries of known microsoft domains
- moz-top500/list.json - Top 500 domains and pages from https://moz.com/top500 - Event contains one or more entries from the top 500 of the most used domains from Moz.
- mozilla-CA/list.json - Fingerprint of trusted CA certificates - Fingerprint of trusted CA certificates taken from Mozilla's lists at https://wiki.mozilla.org/CA
- mozilla-IntermediateCA/list.json - Fingerprint of known intermediate of trusted certificates - Fingerprint of known intermediate of trusted certificates taken from Mozilla's lists at https://wiki.mozilla.org/CA
- multicast/list.json - List of RFC 5771 multicast CIDR blocks - Event contains one or more entries part of the RFC 5771 multicast CIDR blocks
- nioc-filehash/list.json - List of known hashes for benign files - Event contains one or more benign files based on known hashes, see https://github.com/RichieB2B/nioc
- openai-gptbot/list.json - List of known IP address ranges for OpenAI GPT crawler bot - OpenAI gptbot crawler (https://openai.com/gptbot-ranges.txt)
- ovh-cluster/list.json - List of known Ovh Cluster IP - OVH Cluster IP address (https://docs.ovh.com/fr/hosting/liste-des-adresses-ip-des-clusters-et-hebergements-web/)
- parking-domain-ns/list.json - Parking domains name server - List of parking domain's name server
- parking-domain/list.json - Parking domains - List of parking domain's ip adresses
- phone_numbers/list.json - Unattributed phone number. - Numbers that cannot be attributed because they reserved for different purposes.
- public-dns-hostname/list.json - List of known public DNS resolvers expressed as hostname - Event contains one or more public DNS resolvers (expressed as hostname) as attribute with an IDS flag set
- public-dns-v4/list.json - List of known IPv4 public DNS resolvers - Event contains one or more public IPv4 DNS resolvers as attribute with an IDS flag set
- public-dns-v6/list.json - List of known IPv6 public DNS resolvers - Event contains one or more public IPv6 DNS resolvers as attribute with an IDS flag set
- public-ipfs-gateways/list.json - List of known public IPFS gateways - Event contains one or more entries of known public IPFS gateways
- rfc1918/list.json - List of RFC 1918 CIDR blocks - Event contains one or more entries part of the private network CIDR blocks (RFC 1918)
- rfc3849/list.json - List of RFC 3849 CIDR blocks - Event contains one or more entries part of the IPv6 documentation prefix (RFC 3849)
- rfc5735/list.json - List of RFC 5735 CIDR blocks - Event contains one or more entries part of the Special Use IPv4 Addresses CIDR blocks (RFC 5735)
- rfc6598/list.json - List of RFC 6598 CIDR blocks - Event contains one or more entries part of the Shared Address Space CIDR blocks (RFC 6598)
- rfc6761/list.json - List of RFC 6761 Special-Use Domain Names - Event contains one or more entries part of the Special-Use Domain Names (RFC 6761)
- second-level-tlds/list.json - Second level TLDs as known by Mozilla Foundation - Event contains one or more second level TLDs as attribute with an IDS flag set.
- security-provider-blogpost/list.json - List of known security providers/vendors blog domain - Event contains one or more entries of known security providers/vendors blog domain with an IDS flag set
- sinkholes/list.json - List of known sinkholes - List of known sinkholes
- smtp-receiving-ips/list.json - List of known SMTP receiving IP addresses - List of IP addresses for known SMTP servers.
- smtp-sending-ips/list.json - List of known SMTP sending IP ranges - List of IP ranges for known SMTP servers.
- stackpath/list.json - List of known Stackpath CDN IP ranges - List of known Stackpath (Highwinds) CDN IP ranges (https://support.stackpath.com/hc/en-us/articles/360001091666-Whitelist-CDN-WAF-IP-Blocks)
- tenable-cloud-ipv4/list.json - List of known Tenable Cloud Sensors IPv4 - Tenable IPv4 Cloud Sensor addresses used for scanning Internet-facing infrastructure
- tenable-cloud-ipv6/list.json - List of known Tenable Cloud Sensors IPv6 - Tenable IPv6 Cloud Sensor addresses used for scanning Internet-facing infrastructure
- ti-falsepositives/list.json - Hashes that are often included in IOC lists but are false positives. - Hashes that are often included in IOC lists but are false positives.
- tlds/list.json - TLDs as known by IANA - Event contains one or more TLDs as attribute with an IDS flag set
- tranco/list.json - Top 1,000,000 most-used sites from Tranco - Event contains one or more entries from the top 1,000,000 most-used sites (https://tranco-list.eu/).
- tranco10k/list.json - Top 10K most-used sites from Tranco - Event contains one or more entries from the top 10K most-used sites (https://tranco-list.eu/).
- umbrella-blockpage-hostname/list.json - cisco-umbrella-blockpage-hostname - Umbrella blockpage hostnames
- umbrella-blockpage-v4/list.json - cisco-umbrella-blockpage-ipv4 - Cisco Umbrella blockpage in IPv4
- umbrella-blockpage-v6/list.json - cisco-umbrella-blockpage-ipv6 - Cisco Umbrella blockpage in IPv6
- university_domains/list.json - University domains - List of University domains from https://raw.githubusercontent.com/Hipo/university-domains-list/master/world_universities_and_domains.json
- url-shortener/list.json - List of known URL Shorteners domains - Event contains one or more entries of known Shorteners domains
- vpn-ipv4/list.json - Specialized list of vpn-ipv4 addresses belonging to common VPN providers and datacenters - Specialized list of vpn-ipv4 addresses belonging to common VPN providers and datacenters
- vpn-ipv6/list.json - Specialized list of IPv6 addresses belonging to common VPN providers and datacenters - Specialized list of IPv6 addresses belonging to common VPN providers and datacenters
- whats-my-ip/list.json - List of known domains to know external IP - Event contains one or more entries of known 'what's my ip' domains
- wikimedia/list.json - List of known Wikimedia address ranges - Wikimedia address ranges (http://noc.wikimedia.org/conf/reverse-proxy.php.txt)
- zscaler/list.json - List of known Zscaler IP address ranges - Zscaler IP address ranges (https://config.zscaler.com/api/zscaler.net/hubs/cidr/json/required)
Format of a warning list
{
"name": "List of known public DNS resolvers",
"version": 1,
"description": "Event contains one or more public DNS resolvers as attribute with an IDS flag set",
"matching_attributes": [
"ip-src",
"ip-dst"
],
"list": [
"8.8.8.8",
"8.8.4.4",
"208.67.222.222",
"208.67.220.220",
"195.46.39.39",
"195.46.39.40"
]
}
If matching_attributes are not set, the list is matched against any type of attributes.
type of warning list
string
(default) - perfect match of a string in the warning list against matching attributessubstring
- substring matching of a string in the warning list against matching attributeshostname
- hostname matching (e.g. domain matching from URL) of a string in the warning list against matching attributescidr
- IP or CDIR block matching in the warning list against matching attributesregex
- regex matching of a string matching attributes
Processing warning lists in python
See PyMISPWarningLists for a python interface to warning lists.
Using warning lists in Earthly builds
Lists are exposed to Earthly builds through the target export-lists
. Earthfiles can directly reference them in their copy statements as follows:
COPY github.com/MISP/misp-warninglists[:commit]+export-lists/lists/<list-name>/list.json ./
License
MISP warning-lists are licensed under CC0 1.0 Universal (CC0 1.0) - Public Domain Dedication. If a specific author of a warning-list (or associated source) wants to license it under a different license, a pull request can be requested.