Red Sky Alliance: Botnet & Sinkhole Indicators (IoC’s)

Malicious Botnet and Sinkhole IP addresses and domains

Description:

Red Sky Alliance can identify possible malware installations using either our botnet tracker collection or our sinkhole traffic collection. In many cases, it can also identify the malware protocol resulting in high confidence hits. This threat intelligence includes source IP addresses, destination IP addresses, domains, or URLs.

Fields Include:

Botnet Tracker table:

  • Indicator – bot source ip
  • Indicator_type – ipv4addr
  • Indicator_context – either botnet_ip, proxy_ip, or sinkholed_ip
  • C2 – endpoint that source IP connected to. either an ip, domain, or url
  • First_seen – when indicator first observed
  • Last_seen – when indicator last observed
  • Reference – available reference for the botnet record, if not specified in the attribution field
  • ASN – autonomous system number for indicator
  • Attribution – malware attribution known
  • Country – two character country code
  • Region – region name geolocated from indicator
  • City – city name geolocated from indicator
  • Postal_code – postal code geolocated from indicator
  • Area_code – area code geolocated from indicator
  • Location – latitude longitude coordinates
  • Etl_data – date data was exported

Sinkhole traffic table:

  • Area_code – area code geolocated from indicator
  • Attribution – provides malware attribution or actor attribution for sinkhole
  • City – city name geolocated from indicator
  • Count_rec – observation count for given IP (indicator)
  • Country – two character country code geolocated from indicator
  • Cs_asn – refer to W3C logging specifications
  • Cs_bytes – refer to W3C logging specifications
  • Cs_cookie – refer to W3C logging specifications
  • Cs_host – refer to W3C logging specifications
  • Cs_referrer – refer to W3C logging specifications
  • Cs_ua – refer to W3C logging specifications
  • Cs_username – refer to W3C logging specifications
  • Cs_version – refer to W3C logging specifications
  • Domain_cat – general site categorization of indicator
  • Etl_date – date data was exported, transformed or loaded(ETL)
  • Indicator – IP address checking into sinkhole: client-server IP (cs-ip as defined by W3C loggin)
  • Indicator_context – always sinkhole_ip
  • Indicator_type – always ipv4addr
  • Location – latitude longitude coordinates
  • Postal_code – postal code geolocated from indicator
  • Raw_data_file – raw logfile containing sinkhole traffic
  • Region – region name geolocated from indicator
  • Sc_bytes – refer to W3C logging specifications
  • Sc_status – refer to W3C logging specifications

Update Frequency:

Monthly

About the Provider:

Red Sky Alliance is a cyber threat intelligence firm that delivers proprietary intelligence data, analysis and in-depth strategic reporting. We deliver insightful, actionable cyber threat intelligence in formats best suited to your strategic, operational, and tactical needs.

Visit the provider’s website for more information

*The Data Marketplace is not yet available in GCP.

Get access to the Red Sky Alliance: Botnet & Sinkhole Indicators (IoC’s) Dataset in Snowflake

Sign up for a free trial

Already a Snowflake customer?
Access this dataset directly from your Snowflake account*