Turn the free Vulnetix Malscan STIX 2.1 feeds into pfSense and OPNsense blocklists: extract IPs into a URL-table alias source and domains into a DNSBL custom list, refreshed on the firewall's own schedule.
The feeds
Free STIX 2.1 bundles at https://vulnetix.com/malscan-stix/{ecosystem}/{dns|urls}.stix.json — ecosystems generic, npm, pypi, go, cargo, rubygems, maven, packagist and nuget. DNS carries malicious domains and IPs; URLs carries C2 and exfiltration endpoints. Refreshed every 15 minutes, each bundle ships a .sha256 sidecar, index.json manifests the set, and a DNS TXT record per ecosystem carries the live locator. Licensed AGPL-3.0 — free to use and redistribute.
Wire the feeds into pfSense / OPNsense
Both firewalls consume plaintext lists: IPs via a URL-table alias (pfSense) or URL-type alias (OPNsense), domains via pfBlockerNG DNSBL or Unbound blocklists. Run the extraction on any internal host and serve the two text files over HTTP for the firewall to fetch.
Extraction (cron) + where to point the firewall
#!/bin/sh # On an internal host, refresh both lists every 15 minutes curl -fsSL https://vulnetix.com/malscan-stix/generic/dns.stix.json \ | jq -r '.objects[] | select(.type == "indicator") | .pattern' \ | grep -oP "ipv4-addr:value = '\K[^']+" | sort -u > vulnetix-ips.txt curl -fsSL https://vulnetix.com/malscan-stix/generic/dns.stix.json \ | jq -r '.objects[] | select(.type == "indicator") | .pattern' \ | grep -oP "domain-name:value = '\K[^']+" | sort -u > vulnetix-domains.txt cp vulnetix-ips.txt vulnetix-domains.txt /var/www/html/blocklists/ # pfSense: Firewall → Aliases → Add # Type "URL Table (IPs)" → http://intel.internal/blocklists/vulnetix-ips.txt # pfBlockerNG → DNSBL → DNSBL Groups → Add # Source: http://intel.internal/blocklists/vulnetix-domains.txt # OPNsense: Firewall → Aliases → Type "URL Table (IPs)" - same URL
Verify before you ingest
curl -fsSLO https://vulnetix.com/malscan-stix/generic/dns.stix.json REMOTE=$(curl -fsSL https://vulnetix.com/malscan-stix/generic/dns.stix.json.sha256 | cut -d' ' -f1) LOCAL=$(sha256sum dns.stix.json | cut -d' ' -f1) [ "$REMOTE" = "$LOCAL" ] && echo "verified" || echo "CHECKSUM MISMATCH: do not ingest"
Where the indicators come from
Every feed entry traces to a supply-chain malware campaign Vulnetix tracks. The Malscan engine matches the same indicators against dependencies already installed on disk; the Package Firewall blocks the packages that carry them at install time.
All STIX feed integrations → · The campaigns behind the feeds →