Top-100 Malicious IP STIX Feed (SANS Internet Storm Center diary)

Yesterday, we were contacted by one of our readers who asked whether we provide a STIX feed of our block list or of our top-100 suspicious IP addresses. STIX[1] stands for "Structured Threat Information eXpression" and lets organizations share indicators of compromise (IOCs) with peers in a consistent, machine-readable form.

The ISC already provides an API[2] that allows you to query our databases. The following query will return the top-100 bad IP addresses: (output has been beautified)

$ curl
<?xml version="1.0" encoding="UTF-8"?>

You can select the output format by appending "?<format>" to the end of the URL. Supported formats are xml, text, json and php. The different formats make the output easy to integrate into third-party applications, but our reader's comment was legitimate: if there are standards like STIX, why not use them?

Python has a module[3] for handling STIX data. I wrote a quick script to convert the output of the "/topips/records/100" API call into STIX 1.2 XML (excerpt of the generated file):

  xmlns:xlink="" id="example:Package-05d930dd-db95-4ef0-928e-6a697a1d54e0" version="1.2"> 
      <stix:Indicator id="example:indicator-c0d228b3-8f67-44f9-add9-7b48936586d4" timestamp="2017-11-17T07:41:00.355151+00:00" xsi:type='indicator:IndicatorType'>
        <indicator:Title>SANS ISC Malicious IP</indicator:Title>
        <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
        <indicator:Observable id="example:Observable-7e3046bd-ea5e-4998-9520-d3ee84a8a266">
          <cybox:Object id="example:Address-9e46b000-bf82-47aa-ab40-84d088174470">
            <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">

The script is available in my GitHub repository[4].
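To show what the conversion involves, here is an added example that is not the diary's script and does not use the python-stix module: it builds the same element structure as the excerpt above with the standard library only. The sample input is a constructed excerpt of the JSON the API returns; the "topips" list and the "source" key holding the address are assumptions, so adjust them if the live output names them differently. It also adds the condition="Equals" attribute on the address value, and drops any record that is not a valid IPv4 address rather than letting it into the feed.

```python
"""ISC top-100 JSON -> STIX 1.2 XML watchlist (stdlib only, added example)."""
import ipaddress
import json
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample of the ISC JSON output (three records instead of 100).
# Assumption: each record carries the address under "source".
SAMPLE_ISC_JSON = json.dumps({"topips": [
    {"rank": "1", "source": "192.0.2.10", "reports": "4129", "targets": "812"},
    {"rank": "2", "source": "198.51.100.7", "reports": "3988", "targets": "640"},
    # malformed record: must never reach the feed
    {"rank": "3", "source": "198.51.100.7 <evil/>", "reports": "1", "targets": "1"},
]})

# Namespaces used by the STIX 1.2 / CybOX 2 elements in the excerpt above.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "stixVocabs": "http://stix.mitre.org/default_vocabularies-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def q(prefix, tag):
    """Clark-notation name ({uri}tag) for ElementTree."""
    return "{%s}%s" % (NS[prefix], tag)


def parse_isc_topips(raw_json):
    """Return the valid IPv4 addresses from the ISC JSON, in list order."""
    ips = []
    for rec in json.loads(raw_json).get("topips", []):
        try:
            ips.append(str(ipaddress.IPv4Address(rec["source"])))
        except (KeyError, ValueError):
            continue  # garbage in the source list is dropped, not published
    return ips


def build_stix12_package(ips, now=None):
    """One Indicator (IP Watchlist) per address, as in the diary's excerpt."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    pkg = ET.Element(q("stix", "STIX_Package"),
                     {"id": "example:Package-%s" % uuid.uuid4(), "version": "1.2"})
    # stixVocabs only appears inside xsi:type values, so ElementTree would not
    # declare it on its own; the other prefixes name elements and are automatic.
    pkg.set("xmlns:stixVocabs", NS["stixVocabs"])
    inds = ET.SubElement(pkg, q("stix", "Indicators"))
    for ip in ips:
        ind = ET.SubElement(inds, q("stix", "Indicator"), {
            "id": "example:indicator-%s" % uuid.uuid4(),
            "timestamp": ts,
            q("xsi", "type"): "indicator:IndicatorType"})
        ET.SubElement(ind, q("indicator", "Title")).text = "SANS ISC Malicious IP"
        ET.SubElement(ind, q("indicator", "Type"),
                      {q("xsi", "type"): "stixVocabs:IndicatorTypeVocab-1.1"}
                      ).text = "IP Watchlist"
        obs = ET.SubElement(ind, q("indicator", "Observable"),
                            {"id": "example:Observable-%s" % uuid.uuid4()})
        obj = ET.SubElement(obs, q("cybox", "Object"),
                            {"id": "example:Address-%s" % uuid.uuid4()})
        props = ET.SubElement(obj, q("cybox", "Properties"),
                              {q("xsi", "type"): "AddressObj:AddressObjectType",
                               "category": "ipv4-addr"})
        # condition="Equals" turns the value into a testable pattern
        ET.SubElement(props, q("AddressObj", "Address_Value"),
                      {"condition": "Equals"}).text = ip
    return pkg


def to_stix12_xml(raw_json, now=None):
    """Full pipeline: ISC JSON in, STIX 1.2 XML document (bytes) out."""
    pkg = build_stix12_package(parse_isc_topips(raw_json), now=now)
    return ET.tostring(pkg, encoding="utf-8", xml_declaration=True)


def extract_ips_from_stix12(xml_bytes):
    """What a consumer does with the feed: pull every Equals address value."""
    root = ET.fromstring(xml_bytes)
    return [el.text for el in root.iter(q("AddressObj", "Address_Value"))
            if el.get("condition") == "Equals"]


if __name__ == "__main__":
    print(to_stix12_xml(SAMPLE_ISC_JSON).decode("utf-8"))
```

Feeding the output back through extract_ips_from_stix12() is a cheap self-check to run before publishing: the list it returns must equal the list that went in, and the malformed third record must be absent.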

If you want to test, I'm publishing a live feed[5] (updated every 2 hours). Let me know if it's useful to you, if the STIX file is correct (read: I'm not a STIX guru) or if you need some improvements. 


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant



697 Posts
ISC Handler
Nov 17th 2017
This worked great! I am able to pop the URL directly into my intelligence feeds with no issue at all.

Thank you for the quick response to my original ask!

6 Posts
This is great - thanks for making this data available in STIX. Your STIX looks good; the only change I would suggest is adding the "condition" attribute to the IP address value:

> ip.condition = "Equals"

Otherwise, I would suggest also making this available in the new STIX 2.0 JSON format. You can use the cti-stix-elevator utility to do this, which takes as input a STIX 1.2 XML file:


2 Posts
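For readers who want to see what the STIX 2.0 JSON form of the same watchlist looks like, here is an added example; it is not the diary's feed and not the output of cti-stix-elevator, but a bundle built by hand with one Indicator object per address. The address list is a constructed sample. The matcher at the end is the consumer side: it only accepts the single ipv4-addr comparison pattern the feed emits and rejects anything else, which doubles as a check that every generated pattern is well formed.

```python
"""IP watchlist as a STIX 2.0 JSON bundle, plus a minimal consumer (added example)."""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample: two addresses from the top of the list.
SAMPLE_IPS = ["192.0.2.10", "198.51.100.7"]
# Fixed clock (the timestamp of the diary's excerpt) so output is reproducible.
FIXED_TIME = datetime(2017, 11, 17, 7, 41, 0, tzinfo=timezone.utc)


def stix2_timestamp(dt):
    """STIX 2.0 timestamps: UTC, RFC 3339, millisecond precision, 'Z' suffix."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (dt.microsecond // 1000)


def build_stix20_bundle(ips, now=None):
    """One Indicator SDO per address inside a 2.0 bundle."""
    ts = stix2_timestamp(now or datetime.now(timezone.utc))
    objects = []
    for ip in ips:
        objects.append({
            "type": "indicator",
            "id": "indicator--%s" % uuid.uuid4(),
            "created": ts,
            "modified": ts,
            "name": "SANS ISC Malicious IP",
            "labels": ["malicious-activity"],      # required on Indicator in 2.0
            "pattern": "[ipv4-addr:value = '%s']" % ip,
            "valid_from": ts,                      # required in 2.0
        })
    return {"type": "bundle", "id": "bundle--%s" % uuid.uuid4(),
            "spec_version": "2.0", "objects": objects}


def bundle_to_json(bundle):
    return json.dumps(bundle, indent=2)


def load_bundle(text):
    """Parse and check the envelope before trusting anything inside it."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or bundle.get("spec_version") != "2.0":
        raise ValueError("not a STIX 2.0 bundle")
    return bundle


# The feed only ever emits this one pattern shape; anything else is an error.
_IPV4_EQ = re.compile(r"^\[ipv4-addr:value = '(\d{1,3}(?:\.\d{1,3}){3})'\]$")


def indicated_ips(bundle):
    """Addresses the bundle indicates; unsupported patterns raise rather than vanish."""
    ips = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = _IPV4_EQ.match(obj.get("pattern", ""))
        if not m:
            raise ValueError("unsupported pattern: %r" % obj.get("pattern"))
        ips.append(m.group(1))
    return ips


def is_listed(bundle, observed_ip):
    """Consumer-side check: is this source address on the watchlist?"""
    return observed_ip in set(indicated_ips(bundle))


if __name__ == "__main__":
    print(bundle_to_json(build_stix20_bundle(SAMPLE_IPS, now=FIXED_TIME)))
```

Failing loudly on an unexpected pattern is deliberate: a consumer that skips patterns it does not understand would silently whitelist whatever the producer changed.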
Thank you for your feedback, Ivan!
I'll have a look at this and update the feed. I'm not a STIX guru ;-)

697 Posts
ISC Handler
Changes completed.
There are two feeds available now:… (STIX 1.2)… (STIX 2.0)
Let me know if it works for you...

697 Posts
ISC Handler
Awesome! The updated STIX 1.2 feed looks great, as does the STIX 2.0 feed (thanks for adding it!).

2 Posts
