Red Sky Alliance: Botnet & Sinkhole Indicators (IoC’s)
Malicious Botnet and Sinkhole IP addresses and domains
Description:
Red Sky Alliance can identify possible malware installations using either our botnet tracker collection or our sinkhole traffic collection. In many cases, it can also identify the malware protocol resulting in high confidence hits. This threat intelligence includes source IP addresses, destination IP addresses, domains, or URLs.
Fields Include:
Botnet Tracker table:
- Indicator – bot source ip
- Indicator_type – ipv4addr
- Indicator_context – either botnet_ip, proxy_ip, or sinkholed_ip
- C2 – endpoint that the source IP connected to; either an IP address, domain, or URL
- First_seen – when indicator first observed
- Last_seen – when indicator last observed
- Reference – available reference for the botnet record, if not specified in the attribution field
- ASN – autonomous system number for indicator
- Attribution – malware attribution known
- Country – two character country code
- Region – region name geolocated from indicator
- City – city name geolocated from indicator
- Postal_code – postal code geolocated from indicator
- Area_code – area code geolocated from indicator
- Location – latitude longitude coordinates
- Etl_data – date data was exported
Sinkhole traffic table:
- Area_code – area code geolocated from indicator
- Attribution – provides malware attribution or actor attribution for sinkhole
- City – city name geolocated from indicator
- Count_rec – observation count for given IP (indicator)
- Country – two character country code geolocated from indicator
- Cs_asn – refer to W3C logging specifications
- Cs_bytes – refer to W3C logging specifications
- Cs_cookie – refer to W3C logging specifications
- Cs_host – refer to W3C logging specifications
- Cs_referrer – refer to W3C logging specifications
- Cs_ua – refer to W3C logging specifications
- Cs_username – refer to W3C logging specifications
- Cs_version – refer to W3C logging specifications
- Domain_cat – general site categorization of indicator
- Etl_date – date data was exported, transformed or loaded (ETL)
- Indicator – IP address checking into sinkhole: client-server IP (cs-ip as defined by W3C logging)
- Indicator_context – always sinkhole_ip
- Indicator_type – always ipv4addr
- Location – latitude longitude coordinates
- Postal_code – postal code geolocated from indicator
- Raw_data_file – raw logfile containing sinkhole traffic
- Region – region name geolocated from indicator
- Sc_bytes – refer to W3C logging specifications
- Sc_status – refer to W3C logging specifications
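The query below is an added example, not part of the Red Sky Alliance listing, showing how a defender would match both tables against an organisation's own egress addresses and pull back the fields an analyst needs to triage a hit. Table names BOTNET_TRACKER and SINKHOLE_TRAFFIC, and the local table ORG_EGRESS_IPS (ip VARCHAR, site VARCHAR), are assumptions; the column names are those listed above.

```sql
-- Assumed names: BOTNET_TRACKER and SINKHOLE_TRAFFIC are the two shared tables
-- described above; ORG_EGRESS_IPS is a hypothetical local table of the
-- organisation's public egress addresses (ip, site).

WITH botnet_hits AS (
    -- Bot-source records: keep indicator_context so botnet_ip, proxy_ip and
    -- sinkholed_ip hits can be triaged differently downstream.
    SELECT b.indicator,
           b.indicator_context,
           b.attribution,
           b.c2            AS detail,
           b.last_seen     AS observed,
           e.site
    FROM   BOTNET_TRACKER b
    JOIN   ORG_EGRESS_IPS e ON e.ip = b.indicator
    -- The feed is refreshed monthly, so look back 45 days to cover one refresh plus slack.
    WHERE  b.last_seen >= DATEADD(day, -45, CURRENT_DATE())
),
sinkhole_hits AS (
    -- Sinkhole check-ins: sum count_rec per client IP / host / user-agent so that
    -- one chatty infected host does not appear as many separate rows.
    SELECT s.indicator,
           s.indicator_context,
           s.attribution,
           s.cs_host || ' (' || s.cs_ua || ')' AS detail,
           MAX(s.etl_date)  AS observed,
           e.site,
           SUM(s.count_rec) AS checkins
    FROM   SINKHOLE_TRAFFIC s
    JOIN   ORG_EGRESS_IPS e ON e.ip = s.indicator
    WHERE  s.etl_date >= DATEADD(day, -45, CURRENT_DATE())
    GROUP  BY s.indicator, s.indicator_context, s.attribution, s.cs_host, s.cs_ua, e.site
)
SELECT 'botnet_tracker' AS source, indicator, indicator_context, attribution,
       detail, NULL AS checkins, observed, site
FROM   botnet_hits
UNION ALL
SELECT 'sinkhole_traffic', indicator, indicator_context, attribution,
       detail, checkins, observed, site
FROM   sinkhole_hits
ORDER  BY attribution, site, indicator;
```

Because the sinkhole table carries W3C-style request fields (cs_host, cs_ua), the detail column gives the analyst the hostname and user-agent the infected client presented, which is usually enough to pick the internal host out of proxy or NAT logs.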
Update Frequency:
Monthly