Top-100 Malicious IP STIX Feed, (Fri, Nov 17th)

Yesterday, we were contacted by one of our readers who asked if we provide a STIX feed of our blocked list or top-100 suspicious IP addresses. STIX[1] stands for “Structured Threat Information eXpression” and enables organizations to share indicators of compromise (IOCs) with peers in a consistent and machine-readable manner.

The ISC already provides an API[2] that allows you to query our databases. The following query returns the top-100 bad IP addresses (output has been beautified):

    $ curl https://isc.sans.edu/api/topips/records/100

    1
    046.101.124.074
    132723
    110

    2
    130.211.015.150
    21166
    4474

    ...

You can select the output format by appending a “?” followed by the format name to the end of the URL. Supported formats are: xml, text, json, php. The different formats make the output easy to integrate into third-party applications, but our reader’s comment was legit: if there are standards like STIX, why not use them?

Python has a module[3] to handle STIX data. I wrote a quick script to convert the output of the “/topips/records/100” API call into STIX 1.2 XML format:

    SANS ISC Malicious IP
    IP Watchlist
        46.101.124.74

The script is available in my GitHub repository[4].
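To show what such a conversion involves end to end, here is an added example that is not the script from the repository above and does not use python-stix: it builds the STIX 1.2 package by hand with the standard library, so the indicator structure is visible. It assumes the API's JSON output is a list of records with the keys rank, source, reports and targets (the sample records are constructed, in the zero-padded form the API output above shows), and the id namespace "example" is a placeholder. Two things the paragraph alone does not show: the zero-padded octets (046.101.124.074) must be normalized before the address is usable, and a feed producer should drop anything that is not a valid, globally routable IPv4 address rather than publish it.

```python
import ipaddress
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample records in the shape assumed for the ISC "topips" API's
# JSON output (?json). The key names rank/source/reports/targets are an
# assumption; the zero-padded octets mirror the API output shown in the post.
SAMPLE_RECORDS = [
    {"rank": "1", "source": "046.101.124.074", "reports": "132723", "targets": "110"},
    {"rank": "2", "source": "130.211.015.150", "reports": "21166", "targets": "4474"},
    {"rank": "3", "source": "010.000.000.001", "reports": "999", "targets": "9"},   # private range: drop
    {"rank": "4", "source": "not-an-ip", "reports": "1", "targets": "1"},          # malformed: drop
]

# STIX 1.2 / CybOX 2 namespace URIs (standard values, not page-specific).
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "stixVocabs": "http://stix.mitre.org/default_vocabularies-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def q(prefix, tag):
    """Clark-notation tag for ElementTree, e.g. {http://stix.mitre.org/stix-1}Title."""
    return "{%s}%s" % (NS[prefix], tag)


def normalize_ip(raw):
    """Strip per-octet zero padding (046.101.124.074 -> 46.101.124.74) and keep the
    address only if it parses as IPv4 and is globally routable. Returns None otherwise,
    so a malformed or private entry never reaches the feed."""
    try:
        octets = [str(int(o)) for o in str(raw).strip().split(".")]
        if len(octets) != 4:
            return None
        addr = ipaddress.IPv4Address(".".join(octets))
    except ValueError:
        return None
    return str(addr) if addr.is_global else None


def build_stix_package(records, title="SANS ISC Malicious IP", generated_at=None, id_ns="example"):
    """Build a STIX 1.2 package with one 'IP Watchlist' indicator per valid record.
    id_ns is a placeholder identifier namespace. Returns the root element."""
    ts = generated_at or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xsi_type = q("xsi", "type")
    root = ET.Element(q("stix", "STIX_Package"), {
        "id": "%s:Package-%s" % (id_ns, uuid.uuid4()), "version": "1.2", "timestamp": ts})
    # stixVocabs only appears inside xsi:type values, so declare it explicitly;
    # ElementTree would otherwise not emit the prefix and the QName would dangle.
    root.set("xmlns:stixVocabs", NS["stixVocabs"])
    header = ET.SubElement(root, q("stix", "STIX_Header"))
    ET.SubElement(header, q("stix", "Title")).text = title
    indicators = ET.SubElement(root, q("stix", "Indicators"))
    for rec in records:
        ip = normalize_ip(rec.get("source", ""))
        if ip is None:
            continue  # failed validation: skip rather than publish a bad indicator
        ind = ET.SubElement(indicators, q("stix", "Indicator"), {
            xsi_type: "indicator:IndicatorType",
            "id": "%s:Indicator-%s" % (id_ns, uuid.uuid4()), "timestamp": ts})
        ET.SubElement(ind, q("indicator", "Title")).text = "%s (rank %s, %s reports, %s targets)" % (
            ip, rec.get("rank", "?"), rec.get("reports", "?"), rec.get("targets", "?"))
        ET.SubElement(ind, q("indicator", "Type"),
                      {xsi_type: "stixVocabs:IndicatorTypeVocab-1.1"}).text = "IP Watchlist"
        obs = ET.SubElement(ind, q("indicator", "Observable"),
                            {"id": "%s:Observable-%s" % (id_ns, uuid.uuid4())})
        obj = ET.SubElement(obs, q("cybox", "Object"), {"id": "%s:Object-%s" % (id_ns, uuid.uuid4())})
        props = ET.SubElement(obj, q("cybox", "Properties"),
                              {xsi_type: "AddressObj:AddressObjectType", "category": "ipv4-addr"})
        ET.SubElement(props, q("AddressObj", "Address_Value")).text = ip
    return root


def to_xml(root):
    """Serialise the package as UTF-8 bytes with an XML declaration (feed file content)."""
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def watchlist_ips(xml_data):
    """Consumer side: parse a package and return the addresses it carries, in order.
    Handy for checking a downloaded feed before loading it into a blocklist."""
    doc = ET.fromstring(xml_data)
    return [el.text for el in doc.findall(".//AddressObj:Address_Value", NS)]


if __name__ == "__main__":
    print(to_xml(build_stix_package(SAMPLE_RECORDS)).decode("utf-8"))
```

Run as a script it prints the package for the sample records; only the two routable addresses end up as indicators, the private and malformed entries are silently skipped. The consumer helper does the reverse trip so a feed can be sanity-checked the same way.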

If you want to test, I’m publishing a live feed[5] (updated every 2 hours). Let me know if it’s useful to you, if the STIX file is correct (read: I’m not a STIX guru) or if you need some improvements.

[1] https://stixproject.github.io/
[2] https://isc.sans.edu/api/
[3] https://github.com/STIXProject/python-stix
[4] https://github.com/xme/toolbox/blob/master/isc2stix.py
[5] https://misp.truesec.be/isc-top-100-stix.xml

Xavier Mertens (@xme)
ISC Handler – Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.