A simple and easy way to pull some free and open-source threat intel feeds.

Image: dithered image of some antenna dishes (image attribution: Gontran Isnard)

Tool History

I wanted to share a simple tool I created. I call it the Simple Threat Intelligence Feed Puller; as the name suggests, it is a simple way to pull some free and open-source threat intel feeds.

This tool originally started as a PowerShell script which I wanted to release, but I wanted it to be as “system agnostic” as possible. Foolish me wanted to write a PowerShell version and a Bash version, but it eventually struck me that a Python tool would be best if I was truly aiming for a system-agnostic tool.

This script uses just one very common external library, requests, plus a local library I made that comes with the repo. All the script really does is send GET requests to the URLs specified in threat_feeds.txt, parse the responses to grab the unique IP addresses, and then spit them out into a file. That file can then easily be used for various things.
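The parse-and-deduplicate step described above, as an added example that is not the repository's own script. It skips the GET requests so it runs offline on two constructed feed bodies; the names CANDIDATE, NEVER_BLOCK, extract_ipv4 and build_blocklist, and the choice to drop comments, CIDR entries and private ranges, are assumptions of this example.

```python
import ipaddress
import re

# Dotted quad that is not part of a longer number run and not a CIDR prefix.
CANDIDATE = re.compile(r"(?<!\d)(?<!\d\.)(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d|/\d)")

# Assumption of this example: ranges that must never reach an edge block list.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed feed bodies (documentation ranges, not real indicators).
FEED_A = """# sample list, generated by 192.0.2.1
203.0.113.11
203.0.113.9
198.51.100.7
10.0.0.5
"""
FEED_B = """first_seen,dst,port
2024-01-01,198.51.100.7,443
2024-01-02,192.0.2.200:8080,
2024-01-03,999.1.1.1,80
2024-01-04,198.51.100.0/24,0
"""

def extract_ipv4(body):
    """Return the valid, blockable IPv4 addresses found in one feed body."""
    found = set()
    for line in body.splitlines():
        line = line.split("#", 1)[0]  # ignore comment text
        for text in CANDIDATE.findall(line):
            try:
                addr = ipaddress.IPv4Address(text)
            except ipaddress.AddressValueError:
                continue  # out-of-range octets, e.g. 999.1.1.1
            if not any(addr in net for net in NEVER_BLOCK):
                found.add(addr)
    return found

def build_blocklist(bodies):
    """Merge feeds, de-duplicate, and sort numerically (not as strings)."""
    merged = set().union(*(extract_ipv4(b) for b in bodies))
    return [str(a) for a in sorted(merged)]

if __name__ == "__main__":
    print("\n".join(build_blocklist([FEED_A, FEED_B])))
```

Filtering private and reserved ranges before the list reaches a firewall keeps a poisoned or sloppy feed from blocking internal traffic.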

My Usage

I use this tool to check my network logs to see if local IP addresses have communicated with any known malicious IP addresses, and I also make a block list for both ingress and egress traffic on the edge firewall. I work mainly with FortiGates, which have a very easy method of incorporating an external threat feed that can be used as a regular address object when building policies.

Closing Thoughts

Currently this tool only pulls IPv4 addresses from some common threat feeds. Please feel free to email or DM me on Twitter if there are any questions or feedback.