STIX feed integration · Network edge

Suricata — Malscan STIX Feed Integration

Datasets from the DNS feed, matched on dns.query at the wire

About the feeds

Block Vulnetix Malscan indicators at the network edge with Suricata: extract domains from the free per-ecosystem STIX 2.1 DNS feeds into a base64 string dataset and match every DNS query against it with a single rule.

The feeds

Free STIX 2.1 bundles at https://vulnetix.com/malscan-stix/{ecosystem}/{dns|urls}.stix.json — ecosystems generic, npm, pypi, go, cargo, rubygems, maven, packagist and nuget. DNS carries malicious domains and IPs; URLs carries C2 and exfiltration endpoints. Refreshed every 15 minutes, each bundle ships a .sha256 sidecar, index.json manifests the set, and a DNS TXT record per ecosystem carries the live locator. Licensed AGPL-3.0 — free to use and redistribute.

Wire the feeds into Suricata

Suricata string datasets are base64-encoded, one entry per line. The refresh script handles the encoding. Reload with suricatasc dataset-add or a rule reload; the single dataset rule then checks every DNS query on the wire.

Dataset refresh (cron) + matching rule

#!/bin/sh
# Refresh the dataset (string datasets are base64 per line)
curl -fsSL https://vulnetix.com/malscan-stix/generic/dns.stix.json \
  | jq -r '.objects[] | select(.type == "indicator") | .pattern' \
  | grep -oP "domain-name:value = '\K[^']+" | sort -u \
  | while read -r d; do printf '%s' "$d" | base64; done \
  > /var/lib/suricata/data/vulnetix-domains.lst

# vulnetix.rules
# alert dns any any -> any any (msg:"Vulnetix Malscan malicious domain"; \
#   dns.query; dataset:isset,vulnetix-domains,type string, \
#   load vulnetix-domains.lst; classtype:trojan-activity; sid:9100001; rev:1;)

Verify before you ingest

curl -fsSLO https://vulnetix.com/malscan-stix/generic/dns.stix.json
REMOTE=$(curl -fsSL https://vulnetix.com/malscan-stix/generic/dns.stix.json.sha256 | cut -d' ' -f1)
LOCAL=$(sha256sum dns.stix.json | cut -d' ' -f1)
[ "$REMOTE" = "$LOCAL" ] && echo "verified" || echo "CHECKSUM MISMATCH: do not ingest"

Where the indicators come from

Every feed entry traces to a supply-chain malware campaign Vulnetix tracks. The Malscan engine matches the same indicators against dependencies already installed on disk; the Package Firewall blocks the packages that carry them at install time.

All STIX feed integrations →  ·  The campaigns behind the feeds →