Alexandre Dulaunoy 59a653e906 | ||
---|---|---|
.github/workflows | ||
lists | ||
tools | ||
.gitchangelog.rc | ||
.gitignore | ||
.travis.yml | ||
README.md | ||
generate_all.sh | ||
jq_all_the_things.sh | ||
requirements.txt | ||
schema.json | ||
validate_all.sh |
README.md
misp-warninglist
misp-warninglists are lists of well-known indicators that can be associated to potential false positives, errors or mistakes.
The warning lists are integrated in MISP to display an info/warning box at the event and attribute level if such indicators are available in one of the list. The list can be globally enabled or disabled in MISP following the practices of the organization.
lists
- akamai/list.json - List of known Akamai IP ranges - Akamai IP ranges from BGP search
- alexa/list.json - Top 1000 website from Alexa - Event contains one or more entries from the top 1000 of the most used website (Alexa).
- amazon-aws/list.json - List of known Amazon AWS IP address ranges - Amazon AWS IP address ranges (https://ip-ranges.amazonaws.com/ip-ranges.json)
- automated-malware-analysis/list.json - List of known domains used by automated malware analysis services & security vendors - Domains used by automated malware analysis services & security vendors
- bank-website/list.json - List of known bank domains - Event contains one or more entries of known banking website
- cisco_top1000/list.json - Top 1000 websites from Cisco Umbrella - Event contains one or more entries from the top 1000 of the most used websites (Cisco Umbrella).
- cisco_top10k/list.json - Top 10 000 websites from Cisco Umbrella - Event contains one or more entries from the top 10 000 of the most used websites (Cisco Umbrella).
- cisco_top20k/list.json - Top 20 000 websites from Cisco Umbrella - Event contains one or more entries from the top 20 000 of the most used websites (Cisco Umbrella).
- cisco_top5k/list.json - Top 5000 websites from Cisco Umbrella - Event contains one or more entries from the top 5000 of the most used websites (Cisco Umbrella).
- cloudflare/list.json - List of known Cloudflare IP ranges - List of known Cloudflare IP ranges (https://www.cloudflare.com/ips/)
- common-contact-emails/list.json - Common contact e-mail addresses - A list of commonly used abuse and contact e-mail addresses, including the ones denoted in RFC2142.
- common-ioc-false-positive/list.json - List of known hashes with common false-positives (based on Florian Roth input list) - Event contains one or more entries with common false-positives
- covid-19-cyber-threat-coalition-whitelist/list.json - Covid-19 Cyber Threat Coalition's Whitelist - The Cyber Threat Coalition's whitelist of COVID-19 related websites.
- covid-19-krassi-whitelist/list.json - Covid-19 Krassi's Whitelist - Krassimir's Covid-19 whitelist of known good Covid-19 related websites.
- covid/list.json - Valid covid-19 related domains - Maintained using different lists (such as Jaime Blasco's and Krassimir's lists).
- crl-ip-hostname/list.json - CRL Warninglist - CRL Warninglist from threatstop (https://github.com/threatstop/crl-ocsp-whitelist/)
- dax30/list.json - List of known dax30 webpages - Event contains one or more entries of known dax30 webpages
- disposable-email/list.json - List of disposable email domains - List of disposable email domains
- eicar.com/list.json - List of hashes for EICAR test virus - Event contains one or more entries based on hashes for EICAR test virus
- empty-hashes/list.json - List of known hashes for empty files - Event contains one or more entries of empty files based on known hashed
- fastly/list.json - List of known Fastly IP address ranges - Fastly IP address ranges (https://api.fastly.com/public-ip-list)
- google-gcp/list.json - List of known GCP (Google Cloud Platform) IP address ranges - GCP (Google Cloud Platform) IP address ranges (https://www.gstatic.com/ipranges/cloud.json)
- google-gmail-sending-ips/list.json - List of known gmail sending IP ranges - List of known gmail sending IP ranges (https://support.google.com/a/answer/27642?hl=en )
- google/list.json - List of known google domains - Event contains one or more entries of known google domains
- googlebot/list.json - List of known Googlebot IP ranges - List of known Googlebot IP ranges (https://www.lifewire.com/what-is-the-ip-address-of-google-818153 )
- ipv6-linklocal/list.json - List of IPv6 link local blocks - Event contains one or more entries part of the IPv6 link local prefix (RFC 4291)
- majestic_million/list.json - Top 10K websites from Majestic Million - Event contains one or more entries from the top 10K of the most used websites (Majestic Million).
- microsoft-attack-simulator/list.json - List of known Office 365 Attack Simulator used for phishing awareness campaigns - Office 365 URLs and IP address ranges used for their attack simulator in Office 365 Threat Intelligence
- microsoft-azure/list.json - List of known Microsoft Azure Datacenter IP Ranges - Microsoft Azure Datacenter IP Ranges
- microsoft-office365-cn/list.json - List of known Office 365 IP address ranges in China - Office 365 IP address ranges in China
- microsoft-office365-ip/list.json - List of known Office 365 IP address ranges - Office 365 IP address ranges
- microsoft-office365/list.json - List of known Office 365 URLs - Office 365 URLs and IP address ranges
- microsoft-win10-connection-endpoints/list.json - List of known Windows 10 connection endpoints - Event contains one or more entries of known Windows 10 connection endpoints (https://docs.microsoft.com/en-us/windows/privacy/manage-windows-endpoints)
- microsoft/list.json - List of known microsoft domains - Event contains one or more entries of known microsoft domains
- moz-top500/list.json - Top 500 domains and pages from https://moz.com/top500 - Event contains one or more entries from the top 500 of the most used domains (Mozilla).
- mozilla-CA/list.json - Fingerprint of trusted CA certificates - Fingerprint of trusted CA certificates taken from Mozilla's lists at https://wiki.mozilla.org/CA
- mozilla-IntermediateCA/list.json - Fingerprint of known intermedicate of trusted certificates - Fingerprint of known intermedicate of trusted certificates taken from Mozilla's lists at https://wiki.mozilla.org/CA
- multicast/list.json - List of RFC 5771 multicast CIDR blocks - Event contains one or more entries part of the RFC 5771 multicast CIDR blocks
- nioc-filehash/list.json - List of known hashes for benign files - Event contains one or more benign files based on known hashes, see https://github.com/RichieB2B/nioc
- ovh-cluster/list.json - List of known Ovh Cluster IP - OVH Cluster IP address (https://docs.ovh.com/fr/hosting/liste-des-adresses-ip-des-clusters-et-hebergements-web/)
- phone_numbers/list.json - Unattributed phone number. - Numbers that cannot be attributed because they reserved for different purposes.
- public-dns-hostname/list.json - List of known public DNS resolvers expressed as hostname - Event contains one or more public DNS resolvers (expressed as hostname) as attribute with an IDS flag set
- public-dns-v4/list.json - List of known IPv4 public DNS resolvers - Event contains one or more public IPv4 DNS resolvers as attribute with an IDS flag set
- public-dns-v6/list.json - List of known IPv6 public DNS resolvers - Event contains one or more public IPv6 DNS resolvers as attribute with an IDS flag set
- rfc1918/list.json - List of RFC 1918 CIDR blocks - Event contains one or more entries part of the RFC 1918 CIDR blocks
- rfc3849/list.json - List of RFC 3849 CIDR blocks - Event contains one or more entries part of the IPv6 documentation prefix (RFC 3849)
- rfc5735/list.json - List of RFC 5735 CIDR blocks - Event contains one or more entries part of the RFC 5735 CIDR blocks - Special Use IPv4 Addresses
- rfc6598/list.json - List of RFC 6598 CIDR blocks - Event contains one or more entries part of the RFC 6598 CIDR blocks - Special Use IPv4 Addresses
- rfc6761/list.json - List of RFC 6761 Special-Use Domain Names - Event contains one or more entries part of the RFC 6761 Special-Use Domain Names
- second-level-tlds/list.json - Second level TLDs as known by Mozilla Foundation - Event contains one or more second level TLDs as attribute with an IDS flag set
- security-provider-blogpost/list.json - List of known security providers/vendors blog domain - Event contains one or more entries of known security providers/vendors blog domain with an IDS flag set
- sinkholes/list.json - List of known sinkholes - List of known sinkholes
- stackpath/list.json - List of known Stackpath CDN IP ranges - List of known Stackpath (Highwinds) CDN IP ranges (https://support.stackpath.com/hc/en-us/articles/360001091666-Whitelist-CDN-WAF-IP-Blocks)
- ti-falsepositives/list.json - Hashes that are often included in IOC lists but are false positives. - Hashes that are often included in IOC lists but are false positives.
- tlds/list.json - TLDs as known by IANA - Event contains one or more TLDs as attribute with an IDS flag set
- tranco/list.json - Top 1,000,000 most-used sites from Tranco - Event contains one or more entries from the top 1,000,000 most-used sites (https://tranco-list.eu/).
- tranco10k/list.json - Top 10K most-used sites from Tranco - Event contains one or more entries from the top 10K most-used sites (https://tranco-list.eu/).
- university_domains/list.json - University domains - List of University domains from https://raw.githubusercontent.com/Hipo/university-domains-list/master/world_universities_and_domains.json
- url-shortener/list.json - List of known URL Shorteners domains - Event contains one or more entries of known Shorteners domains
- vpn-ipv4/list.json - Specialized list of IPv4 addresses belonging to common VPN providers and datacenters - Specialized list of IPv4 addresses belonging to common VPN providers and datacenters
- vpn-ipv6/list.json - Specialized list of IPv6 addresses belonging to common VPN providers and datacenters - Specialized list of IPv6 addresses belonging to common VPN providers and datacenters
- whats-my-ip/list.json - List of known domains to know external IP - Event contains one or more entries of known 'what's my ip' domains
- wikimedia/list.json - List of known Wikimedia address ranges - Wikimedia address ranges (http://noc.wikimedia.org/conf/reverse-proxy.php.txt)
Format of a warning list
{
"name": "List of known public DNS resolvers",
"version": 1,
"description": "Event contains one or more public DNS resolvers as attribute with an IDS flag set",
"matching_attributes": [
"ip-src",
"ip-dst"
],
"list": [
"8.8.8.8",
"8.8.4.4",
"208.67.222.222",
"208.67.220.220",
"195.46.39.39",
"195.46.39.40"
]
}
If matching_attributes are not set, the list is matched against any type of attributes.
type of warning list
string
(default) - perfect match of a string in the warning list against matching attributessubstring
- substring matching of a string in the warning list against matching attributeshostname
- hostname matching (e.g. domain matching from URL) of a string in the warning list against matching attributescidr
- IP or CDIR block matching in the warning list against matching attributesregex
- regex matching of a string matching attributes
Processing warning lists in python
See PyMISPWarningLists for a python interface to warning lists.
License
MISP warning-lists are licensed under CC0 1.0 Universal (CC0 1.0) - Public Domain Dedication. If a specific author of a taxonomy wants to license it under a different license, a pull request can be requested.