STIX feed integration · Network edge

pfSense / OPNsense — Malscan STIX Feed Integration

Firewall aliases and DNSBL lists derived from the feeds

About the feeds

Turn the free Vulnetix Malscan STIX 2.1 feeds into pfSense and OPNsense blocklists: extract IPs into a URL-table alias source and domains into a DNSBL custom list, refreshed on the firewall's own schedule.

The feeds

Free STIX 2.1 bundles at https://vulnetix.com/malscan-stix/{ecosystem}/{dns|urls}.stix.json — ecosystems generic, npm, pypi, go, cargo, rubygems, maven, packagist and nuget. DNS carries malicious domains and IPs; URLs carries C2 and exfiltration endpoints. Refreshed every 15 minutes, each bundle ships a .sha256 sidecar, index.json manifests the set, and a DNS TXT record per ecosystem carries the live locator. Licensed AGPL-3.0 — free to use and redistribute.

Wire the feeds into pfSense / OPNsense

Both firewalls consume plaintext lists: IPs via a URL-table alias (pfSense) or URL-type alias (OPNsense), domains via pfBlockerNG DNSBL or Unbound blocklists. Run the extraction on any internal host and serve the two text files over HTTP for the firewall to fetch.

Extraction (cron) + where to point the firewall

#!/bin/sh
# On an internal host, refresh both lists every 15 minutes
curl -fsSL https://vulnetix.com/malscan-stix/generic/dns.stix.json \
  | jq -r '.objects[] | select(.type == "indicator") | .pattern' \
  | grep -oP "ipv4-addr:value = '\K[^']+" | sort -u > vulnetix-ips.txt
curl -fsSL https://vulnetix.com/malscan-stix/generic/dns.stix.json \
  | jq -r '.objects[] | select(.type == "indicator") | .pattern' \
  | grep -oP "domain-name:value = '\K[^']+" | sort -u > vulnetix-domains.txt
cp vulnetix-ips.txt vulnetix-domains.txt /var/www/html/blocklists/

# pfSense:  Firewall → Aliases → Add
#   Type "URL Table (IPs)"  →  http://intel.internal/blocklists/vulnetix-ips.txt
# pfBlockerNG → DNSBL → DNSBL Groups → Add
#   Source: http://intel.internal/blocklists/vulnetix-domains.txt
# OPNsense: Firewall → Aliases → Type "URL Table (IPs)" - same URL

Verify before you ingest

curl -fsSLO https://vulnetix.com/malscan-stix/generic/dns.stix.json
REMOTE=$(curl -fsSL https://vulnetix.com/malscan-stix/generic/dns.stix.json.sha256 | cut -d' ' -f1)
LOCAL=$(sha256sum dns.stix.json | cut -d' ' -f1)
[ "$REMOTE" = "$LOCAL" ] && echo "verified" || echo "CHECKSUM MISMATCH: do not ingest"

Where the indicators come from

Every feed entry traces to a supply-chain malware campaign Vulnetix tracks. The Malscan engine matches the same indicators against dependencies already installed on disk; the Package Firewall blocks the packages that carry them at install time.

All STIX feed integrations →  ·  The campaigns behind the feeds →