This repository provides a free and regularly updated database of malicious hosts to support security researchers and practitioners in their threat intelligence efforts. The data is generated by leveraging the Abuse.ch SSL Certificate Blacklist and Netlas Internet Scan Data.
Important: The content of this repository is under active development. File formats, scripts, and structure may change in the near future.
Due to the large file size of the database (approximately 50–100 MB), it is hosted externally instead of being stored in this repository. You can access the latest version of the malicious hosts database at the following URL:
https://public.netlas.io/netlas_sslbl_malicious_hosts.csv (MD5)
The CSV version of the database contains the following columns:

- `timestamp`: Time when the entry was added to the dataset (refreshed to the last seen time on later updates, see Database Generation below).
- `host`: The malicious host's domain name or IP address.
- `port`: The port where the malicious service is running.
- `protocol`: The protocol used by the service (e.g., HTTPS).
- `path`: The specific path to the malicious service, i.e. the part of the URI that comes after the domain name and port. For example, in the URI `https://malicious.example.com:443/phishing`, the path is `/phishing`.
- `ip`: The IP address of the malicious host. In the current release, this is always an IPv4 address.
- `threat`: The type of threat associated with the blacklisted certificate found on this host (e.g., CobaltStrike C&C).
- `netlas:fseen`: Timestamp of the first observed presence of the host in Netlas data.
- `netlas:link`: Link to detailed information about the host in Netlas.
- `x509:sha1`: The SHA-1 hash of the SSL certificate.
- `x509:timestamp`: The time the SSL certificate was flagged in the source feed.
- `x509:link`: A link to detailed information about the SSL certificate in the source feed.
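As an added example (not part of this repository's scripts), the following Python loads a CSV with the columns above into lookup tables and checks connection records from a TLS-aware sensor against them by certificate hash, destination IP and host name. The feed rows, connection records, hashes and links are all constructed placeholders, and the sensor record layout (`src_ip`, `dst_ip`, `sni`, `cert_sha1`) is an assumption.

```python
"""Load the malicious hosts CSV and check observed TLS connections against it."""
import csv
import io

# Column names exactly as documented in the README.
REQUIRED_COLUMNS = {
    "timestamp", "host", "port", "protocol", "path", "ip", "threat",
    "netlas:fseen", "netlas:link", "x509:sha1", "x509:timestamp", "x509:link",
}

# Constructed sample feed in the documented layout; every value is a placeholder,
# not data from the real file. Hashes are padded for length only.
SAMPLE_FEED = (
    "timestamp,host,port,protocol,path,ip,threat,netlas:fseen,netlas:link,"
    "x509:sha1,x509:timestamp,x509:link\n"
    "2024-05-01T10:00:00Z,203.0.113.10,443,https,/,203.0.113.10,CobaltStrike C&C,"
    "2024-04-28T03:12:00Z,https://example.invalid/netlas/host-1,"
    "0123456789ABCDEF0123456789ABCDEF01234567,2024-04-27T22:00:00Z,"
    "https://example.invalid/sslbl/cert-1\n"
    "2024-05-02T10:00:00Z,malicious.example.com,8443,https,/phishing,198.51.100.7,"
    "CobaltStrike C&C,2024-04-30T11:45:00Z,https://example.invalid/netlas/host-2,"
    "89abcdef0123456789abcdef0123456789abcdef,2024-04-29T09:00:00Z,"
    "https://example.invalid/sslbl/cert-2\n"
)


def parse_feed(text):
    """Parse CSV text into a list of dicts, validating the header and normalising
    the fields used for matching (integer port, lower-case hex SHA-1, lower-case host)."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"feed is missing columns: {sorted(missing)}")
    rows = []
    for raw in reader:
        row = dict(raw)
        row["port"] = int(raw["port"])
        row["host"] = raw["host"].strip().lower()
        row["x509:sha1"] = raw["x509:sha1"].strip().lower()
        rows.append(row)
    return rows


def build_index(rows):
    """Index rows by the three indicators a defender can observe on the wire."""
    index = {"sha1": {}, "ip": {}, "host": {}}
    for row in rows:
        index["sha1"].setdefault(row["x509:sha1"], []).append(row)
        index["ip"].setdefault(row["ip"], []).append(row)
        index["host"].setdefault(row["host"], []).append(row)
    return index


# Constructed connection records (assumed sensor/proxy log layout); not real traffic.
SAMPLE_CONNECTIONS = [
    # Destination IP is in the feed; the certificate hash is not (cert may have rotated).
    {"id": 1, "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "sni": "",
     "cert_sha1": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
    # Known-bad certificate presented by an IP not in the feed: certificate reuse.
    {"id": 2, "src_ip": "10.0.0.8", "dst_ip": "192.0.2.44", "sni": "cdn.example.net",
     "cert_sha1": "89ABCDEF0123456789ABCDEF0123456789ABCDEF"},
    # Nothing matches.
    {"id": 3, "src_ip": "10.0.0.9", "dst_ip": "192.0.2.1", "sni": "www.example.com",
     "cert_sha1": "ffffffffffffffffffffffffffffffffffffffff"},
]

# Indicator precedence: the certificate hash is the strongest signal (it is what the
# feed is keyed on), then the destination IP, then the host name from the SNI.
CHECK_ORDER = (("sha1", "cert_sha1"), ("ip", "dst_ip"), ("host", "sni"))


def match_connections(index, connections):
    """Return one hit per connection that touches a feed entry, with the indicator that matched."""
    hits = []
    for conn in connections:
        for kind, field in CHECK_ORDER:
            value = (conn.get(field) or "").strip().lower()
            rows = index[kind].get(value, []) if value else []
            if rows:
                row = rows[0]
                hits.append({
                    "id": conn["id"], "src_ip": conn["src_ip"], "matched_on": kind,
                    "threat": row["threat"], "feed_host": f"{row['host']}:{row['port']}",
                    "last_seen": row["timestamp"], "x509_link": row["x509:link"],
                })
                break  # one hit per connection, strongest indicator wins
    return hits


if __name__ == "__main__":
    feed_index = build_index(parse_feed(SAMPLE_FEED))
    for hit in match_connections(feed_index, SAMPLE_CONNECTIONS):
        print(hit)
```

Connection 1 matches on IP even though the certificate differs, and connection 2 matches on the certificate hash although its IP is not in the feed; reporting which indicator fired lets an analyst weigh the hit (a reused certificate is a stronger signal than a reassigned IP).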
The database is built in the following steps:

- Source Data: We use the Abuse.ch SSL Certificate Blacklist, a publicly available feed of SSL certificates flagged for malicious activities such as malware distribution and botnet operations.
- Search for Malicious Hosts: Using the SHA-1 hashes of SSL certificates from the Abuse.ch feed, the latest Netlas Internet Scan Data is queried to identify active hosts using these certificates. Hosts identified as active and matching malicious certificates are flagged and added to the dataset.
- Database Generation: During each update, the script checks for existing records in the database. If a match is found, the `timestamp` (indicating the last seen time) is updated. New records are added with the time when Netlas most recently scanned this host.
- Schedule: The database is updated daily.
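As an added example (not the repository's own update script), the following Python implements the update rule described under Database Generation and then shows how a consumer can filter the result by last-seen age. The record key, the timestamp layout and all sample records are assumptions or constructed placeholders; the README does not state how the real script matches records.

```python
"""Merge a fresh scan run into the existing dataset following the described update rule,
then select entries by how recently they were seen."""
from datetime import datetime, timedelta

# Assumption: a record is identified by host, port, protocol, path and certificate hash;
# the script's actual matching rule is not stated in the README.
KEY_FIELDS = ("host", "port", "protocol", "path", "x509:sha1")
# Assumption: timestamps are UTC in this ISO 8601 layout (the constructed samples use it).
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def record_key(row):
    return tuple(str(row[field]).strip().lower() for field in KEY_FIELDS)


def merge_update(existing, fresh):
    """Existing records found again get their `timestamp` (last seen) refreshed;
    records not seen before are added with the timestamp of Netlas' latest scan.
    Returns (merged rows, number added, number refreshed). Inputs are not modified."""
    merged = {record_key(row): dict(row) for row in existing}
    added = refreshed = 0
    for row in fresh:
        key = record_key(row)
        if key in merged:
            merged[key]["timestamp"] = row["timestamp"]
            refreshed += 1
        else:
            merged[key] = dict(row)
            added += 1
    return list(merged.values()), added, refreshed


def seen_within(rows, now, max_age):
    """Keep only entries whose last-seen timestamp is at most `max_age` before `now`.
    Entries that stop appearing in scans keep their old timestamp, so a consumer can
    use this to drop stale hosts whose IPs may since have been reassigned."""
    return [row for row in rows
            if now - datetime.strptime(row["timestamp"], TS_FORMAT) <= max_age]


# Constructed records with a subset of the documented columns; not real feed data.
EXISTING = [
    {"timestamp": "2024-03-01T00:00:00Z", "host": "203.0.113.10", "port": 443,
     "protocol": "https", "path": "/", "x509:sha1": "0123456789abcdef0123456789abcdef01234567",
     "threat": "CobaltStrike C&C"},
    {"timestamp": "2024-01-15T00:00:00Z", "host": "old.example.net", "port": 443,
     "protocol": "https", "path": "/", "x509:sha1": "89abcdef0123456789abcdef0123456789abcdef",
     "threat": "CobaltStrike C&C"},
]
FRESH = [
    # Same host and certificate as before: only the last-seen time changes.
    {"timestamp": "2024-05-01T09:30:00Z", "host": "203.0.113.10", "port": 443,
     "protocol": "https", "path": "/", "x509:sha1": "0123456789abcdef0123456789abcdef01234567",
     "threat": "CobaltStrike C&C"},
    # Not in the database yet: added as a new record.
    {"timestamp": "2024-05-01T09:31:00Z", "host": "malicious.example.com", "port": 8443,
     "protocol": "https", "path": "/phishing",
     "x509:sha1": "fedcba9876543210fedcba9876543210fedcba98", "threat": "CobaltStrike C&C"},
]


def run_example():
    merged, added, refreshed = merge_update(EXISTING, FRESH)
    recent = seen_within(merged, datetime(2024, 5, 2), timedelta(days=30))
    return merged, added, refreshed, recent


if __name__ == "__main__":
    merged, added, refreshed, recent = run_example()
    print(f"{len(merged)} records ({added} added, {refreshed} refreshed); "
          f"{len(recent)} seen in the last 30 days")
```

Because the update only refreshes `timestamp` and never removes records, `old.example.net` survives the merge with its January timestamp; `seen_within` is the consumer-side check that keeps such entries from generating alerts on infrastructure that may no longer be malicious.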
If you wish to reproduce the data yourself, please note that a paid Netlas account is required due to the large number of API requests and the volume of data needed for processing.
To reproduce the data, follow these steps:

- Clone the repository. Download the repository to your local machine:

  ```
  git clone https://github.com/netlas-io/netlas-free-iocs.git
  cd netlas-free-iocs
  ```

- Install the requirements. Ensure the necessary dependencies are installed:

  ```
  pip install -r requirements.txt
  ```

- Save the Netlas API key. Configure your Netlas API key using the Netlas SDK:

  ```
  netlas savekey YOUR_API_KEY
  ```

- Run the script. Execute the update script to generate the latest dataset:

  ```
  bash update.sh
  ```
Anyone can freely use these repository contents. The data and scripts in this repository are licensed under the CC0 1.0 Universal License.
While attribution is not required, we kindly request that you credit Netlas.io if you use this data in your projects or publications. For example:
Data provided by Netlas.io
- All datasets are provided "as is" and on a best-effort basis.
- Netlas LLC cannot be held liable for false positives or damages resulting from the use of this dataset.