SourceFire Security Intelligence Feed Info

I’ve had my hands on some Cisco FireSight/FirePower gear for a few months.  I spent some time digging for some info on the SourceFire Security Intelligence Feed categories, and sources for the addresses included in the feed.  Basically, I wanted a better description for some of the categories (although most of them are self-explanatory), and i wanted to know where they were aggregating information aside from what is populated by VRT/Talos.  It wasn’t the most readily available information when I was searching for it, so I’m sharing some of what I found here.

As it turns out, if you SSH in to your FireSight (previously known as Defense Center) host and view rep_dd.yaml from the /var/sf/iprep_download/ directory, there are some longer explanations given for what each category is and the sources.  Here is a consolidated list of the sources and categories:

VRT Intelligence Service A comprehensive blacklist for enterprise users that contains information on botnets, exploit sites, malicious URLs, and other nefarious activity.This is a proprietary list of addresses that is maintained by the VRT team (now known as Talos at Cisco).
Feodo Tracker A continually updated list of all malicious Feodo/Cridex/Bugat sites catalogued at
Malware Domain List A continually updated list of all malicious URLs offered by the free service
Palevo Tracker A Continually updates list of all malicious Palevo sites catalogued at
SpyEye Tracker A continually updated list of all malicious SpyEye sites catalogued at
ZeuS Tracker A continually updated list of all malicious ZeuS sites catalogued at
Attackers Hosts that are continually scanning for vulnerabilities or attempting to exploit other systems
Bogon IP Addresses that are known to not be allocated but are sending traffic
Bots Hosts that are actively participating as part of a botnet, and are being controlled by a known botnet contoller
CnC Hosts that have been identified as the controllering servers for a known Botnet
Malware Hosts that are attempting to propogate malware or are actively attacking anyone who visits them
Open Proxy Hosts that are known to run Open Web Proxies and offer anonymous web browsing services
Open Relay Hosts that are known to offer anonymous email relaying services used by spam and phishing attackers
Phishing Hosts that are actively attempting to trick end users into entering confidential information like usernames and passwords
Response Addresses that have been repeatedly observed engaging in suspicious or malicious behaviorOr, as @JoelEsler said when I asked him on twitter – “The Response category is where we send things to die. :)  Those are specifically from the research team and are active campaigns.”
Spam Hosts that have been identified as the source of sending spam email messages
Suspicious Hosts that are displaying suspicious activity and are under active investigation
Tor Exit Nodes Hosts known to offer exit node services for the Tor Anonymizer network

This info may be blatantly obvious, but after correlating Sources to Categories:

  • Feodo Tracker addresses are always CnC
  • Malware Domain List addresses are always Malware
  • Palevo Tracker addresses are always CnC
  • Zeus Tracker addresses are always CnC, and they’re the 2nd most populated list right now
  • There are no SpyEye addresses, but I assume they would also be CnC
  • The VRT Intel list contains more addresses than any other list (by far) at over 10,000 entries, and they are from all categories with the exception of Bogon, Open Proxy, Open Relay, and Suspicious, which are each empty lists at the moment.
SourceFire Security Intelligence Feed Info