
Yesterday, we were contacted by one of our readers who asked if we provide a STIX feed of our blocked list or top-100 suspicious IP addresses. STIX[1] stands for “Structured Threat Information eXpression” and lets organizations share indicators of compromise (IOCs) with peers in a consistent, machine-readable manner.

The ISC already provides an API[2] that allows you to query our databases. The following query returns the top-100 bad IP addresses (output has been beautified):

$ curl
<?xml version="1.0" encoding="UTF-8"?>

You can select the output format by appending “?<format>” to the end of the URL. Supported formats are: xml, text, json and php. The different formats make the output easy to integrate into third-party applications, but our reader’s comment was legitimate: if there are standards like STIX, why not use them?

Python has a module[3] to handle STIX data. I wrote a quick script to convert the output of the "/topips/records/100" API call into the STIX 1.2 XML format:

  xmlns:xlink="" id="example:Package-05d930dd-db95-4ef0-928e-6a697a1d54e0" version="1.2">
      <stix:Indicator id="example:indicator-c0d228b3-8f67-44f9-add9-7b48936586d4" timestamp="2017-11-17T07:41:00.355151+00:00" xsi:type='indicator:IndicatorType'>
        <indicator:Title>SANS ISC Malicious IP</indicator:Title>
        <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
        <indicator:Observable id="example:Observable-7e3046bd-ea5e-4998-9520-d3ee84a8a266">
          <cybox:Object id="example:Address-9e46b000-bf82-47aa-ab40-84d088174470">
            <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">

The script is available in my GitHub repository[4].
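As an added example (not the script from the GitHub repository, and not using the python-stix module), the same STIX 1.2 package layout shown above can be produced with only the Python standard library from the parsed JSON output of the API. The "ipv4" field name, the zero-padded octets in the sample records and the "http://example.com" namespace URI are assumptions; entries that are not valid IPv4 addresses are dropped rather than emitted as broken observables.

```python
import ipaddress, uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
# STIX 1.x / CybOX 2.x namespaces behind the prefixes used in the package above.
NS = {"stix": "http://stix.mitre.org/stix-1", "indicator": "http://stix.mitre.org/Indicator-2",
      "cybox": "http://cybox.mitre.org/cybox-2", "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
      "stixVocabs": "http://stix.mitre.org/default_vocabularies-1", "xsi": "http://www.w3.org/2001/XMLSchema-instance"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
# Constructed stand-in for the parsed "/topips/records/100?json" response; the "ipv4" field
# name and the zero-padded octets are assumptions about the live API, not taken from it.
SAMPLE_RECORDS = [{"ipv4": "185.000.022.088", "reports": 5123},
                  {"ipv4": "91.200.012.007", "reports": 4811},
                  {"ipv4": "not-an-ip", "reports": 1}]

def q(prefix, tag):
    return "{%s}%s" % (NS[prefix], tag)  # Clark notation, which ElementTree maps back to the prefix

def normalize_ipv4(value):
    """Strip zero-padded octets and validate; None for anything that is not an IPv4 address."""
    octets = value.strip().split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(str(int(o)) for o in octets)))
    except ValueError:
        return None

def build_stix_package(records, ns_prefix="example", ns_uri="http://example.com"):
    """Return (STIX 1.2 XML string, indicator count): one 'IP Watchlist' indicator per valid address."""
    new_id = lambda kind: "%s:%s-%s" % (ns_prefix, kind, uuid.uuid4())
    pkg = ET.Element(q("stix", "STIX_Package"), {"id": new_id("Package"), "version": "1.2"})
    pkg.set("xmlns:" + ns_prefix, ns_uri)          # ids are QNames, so their prefix must resolve
    pkg.set("xmlns:stixVocabs", NS["stixVocabs"])  # only used inside xsi:type, so declare it by hand
    indicators = ET.SubElement(pkg, q("stix", "Indicators"))
    stamp, count = datetime.now(timezone.utc).isoformat(), 0
    for rec in records:
        ip = normalize_ipv4(str(rec.get("ipv4", "")))
        if ip is None:
            continue  # a malformed entry must not become an invalid observable
        ind = ET.SubElement(indicators, q("stix", "Indicator"), {"id": new_id("indicator"), "timestamp": stamp,
                                                              q("xsi", "type"): "indicator:IndicatorType"})
        ET.SubElement(ind, q("indicator", "Title")).text = "SANS ISC Malicious IP"
        ET.SubElement(ind, q("indicator", "Type"), {q("xsi", "type"): "stixVocabs:IndicatorTypeVocab-1.1"}).text = "IP Watchlist"
        obs = ET.SubElement(ind, q("indicator", "Observable"), {"id": new_id("Observable")})
        obj = ET.SubElement(obs, q("cybox", "Object"), {"id": new_id("Address")})
        props = ET.SubElement(obj, q("cybox", "Properties"), {q("xsi", "type"): "AddressObj:AddressObjectType", "category": "ipv4-addr"})
        ET.SubElement(props, q("AddressObj", "Address_Value")).text = ip
        count += 1
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(pkg, encoding="unicode"), count
```

Feeding the real API response in place of SAMPLE_RECORDS is a matter of loading the json output and passing the list; the zero-padding step is harmless when the addresses are already in dotted-decimal form.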

If you want to test, I'm publishing a live feed[5] (updated every 2 hours). Let me know if it's useful to you, if the STIX file is correct (read: I'm not a STIX guru) or if you need some improvements. 


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.