Threat Intelligence Feeds

Free, machine-readable IoC block lists from 8 sources for firewalls, SIEM, and security tools

Not production-grade. These feeds are provided as-is for informational and research purposes. The data is sourced from community-reported IoCs and may contain false positives, stale entries, or errors. Do not use these feeds as your sole source of threat intelligence in a production environment without independent verification. Blocking legitimate IPs or domains due to incorrect data can disrupt services. Always test in a staging environment first, and use in combination with other vetted threat intelligence sources. The operators of this service assume no liability for any damage caused by the use of these feeds.

Sources & Feeds

IoCs are aggregated from 8 threat intelligence sources, collected every 30 minutes. Each source provides feeds broken down by type (IPs, Domains, URLs, Hashes) and risk level (High, Medium, Low).

Parameterized feeds: Each source supports granular feeds at /feeds/blocklist/source/{source}/{type}[-{risk}].txt
Examples: .../threatfox/ip.txt (all ThreatFox IPs), .../threatfox/ip-high.txt (high-risk only)

1. ThreatFox (abuse.ch · Risk 4–7)

Community-reported IoCs with confidence scoring. Produces IPs, Domains, URLs, and Hashes.

Type    | All                         | High Risk                        | Medium Risk                        | Low Risk
--------|-----------------------------|----------------------------------|------------------------------------|--------------------------------
IPs     | .../threatfox/ip.txt        | .../threatfox/ip-high.txt        | .../threatfox/ip-medium.txt        | .../threatfox/ip-low.txt
Domains | .../threatfox/domains.txt   | .../threatfox/domains-high.txt   | .../threatfox/domains-medium.txt   | .../threatfox/domains-low.txt
URLs    | .../threatfox/urls.txt      | .../threatfox/urls-high.txt      | .../threatfox/urls-medium.txt      | .../threatfox/urls-low.txt
Hashes  | .../threatfox/hashes.txt    | .../threatfox/hashes-high.txt    | .../threatfox/hashes-medium.txt    | .../threatfox/hashes-low.txt

Base: /feeds/blocklist/source · Legacy: /feeds/blocklist/source/threatfox.txt (all types)

2. URLhaus (abuse.ch · Risk 4–6)

Active malware distribution URLs.

Type | All                    | High                        | Medium                        | Low
-----|------------------------|-----------------------------|-------------------------------|---------------------------
URLs | .../urlhaus/urls.txt   | .../urlhaus/urls-high.txt   | .../urlhaus/urls-medium.txt   | .../urlhaus/urls-low.txt

3. Feodo Tracker (abuse.ch · Risk 8)

Confirmed botnet C2 infrastructure (Dridex, Emotet, TrickBot, QBot).

Type | All                | High                    | Medium                    | Low
-----|--------------------|-------------------------|---------------------------|-----------------------
IPs  | .../feodo/ip.txt   | .../feodo/ip-high.txt   | .../feodo/ip-medium.txt   | .../feodo/ip-low.txt

4. MalwareBazaar (abuse.ch · Risk 6)

Recent malware sample hashes (SHA256).

Type   | All                            | High                                | Medium                                | Low
-------|--------------------------------|-------------------------------------|---------------------------------------|-----------------------------------
Hashes | .../malwarebazaar/hashes.txt   | .../malwarebazaar/hashes-high.txt   | .../malwarebazaar/hashes-medium.txt   | .../malwarebazaar/hashes-low.txt

5. IPsum (stamparm · Risk 6–7)

IPs appearing on 3+ blacklists (aggregated from ~100 lists).

Type | All                | High                    | Medium                    | Low
-----|--------------------|-------------------------|---------------------------|-----------------------
IPs  | .../ipsum/ip.txt   | .../ipsum/ip-high.txt   | .../ipsum/ip-medium.txt   | .../ipsum/ip-low.txt

6. Blocklist.de (Risk 5)

IPs attacking SSH, FTP, mail, and web services.

Type | All                       | High                           | Medium                           | Low
-----|---------------------------|--------------------------------|----------------------------------|------------------------------
IPs  | .../blocklist_de/ip.txt   | .../blocklist_de/ip-high.txt   | .../blocklist_de/ip-medium.txt   | .../blocklist_de/ip-low.txt

7. Spamhaus DROP (Risk 9)

Hijacked netblocks — highest confidence, widely trusted. Note: Spamhaus provides CIDR netblocks, not individual IPs.

Feed              | URL
------------------|--------------------------------------
All Spamhaus IoCs | /feeds/blocklist/source/spamhaus.txt

8. OpenPhish (Risk 5)

Automated phishing URL detection.

Type | All                      | High                          | Medium                          | Low
-----|--------------------------|-------------------------------|---------------------------------|-----------------------------
URLs | .../openphish/urls.txt   | .../openphish/urls-high.txt   | .../openphish/urls-medium.txt   | .../openphish/urls-low.txt

9. bitwire-it/ipblocklist (Risk 6–8)

Community-aggregated IP blocklist from 30+ public threat intel sources, updated every 2 hours. Split into two streams: inbound (reputation-based, 3.4M IPs — scanners, brute-force, spam) and outbound (C2/botnet destinations, 190k IPs — higher value). Licensed CC BY-NC-SA 4.0 via github.com/bitwire-it/ipblocklist. We import up to 5,000 IPs per stream per day for display.

Type               | All                           | High                               | Medium                               | Low
-------------------|-------------------------------|------------------------------------|--------------------------------------|----------------------------------
Inbound IPs        | .../bitwire_inbound/ip.txt    | .../bitwire_inbound/ip-high.txt    | .../bitwire_inbound/ip-medium.txt    | .../bitwire_inbound/ip-low.txt
Outbound IPs (C2)  | .../bitwire_outbound/ip.txt   | .../bitwire_outbound/ip-high.txt   | .../bitwire_outbound/ip-medium.txt   | .../bitwire_outbound/ip-low.txt

Combined Feeds

All sources merged into one feed per indicator type, with optional risk-level filtering.

Type    | All                          | High Risk (≥7)                    | Medium (4–6)                        | Low (1–3)
--------|------------------------------|-----------------------------------|-------------------------------------|---------------------------------
IPs     | /feeds/blocklist/ip.txt      | /feeds/blocklist/ip-high.txt      | /feeds/blocklist/ip-medium.txt      | /feeds/blocklist/ip-low.txt
Domains | /feeds/blocklist/domains.txt | /feeds/blocklist/domains-high.txt | /feeds/blocklist/domains-medium.txt | /feeds/blocklist/domains-low.txt
URLs    | /feeds/blocklist/urls.txt    | /feeds/blocklist/urls-high.txt    | /feeds/blocklist/urls-medium.txt    | /feeds/blocklist/urls-low.txt
Hashes  | /feeds/blocklist/hashes.txt  | /feeds/blocklist/hashes-high.txt  | /feeds/blocklist/hashes-medium.txt  | /feeds/blocklist/hashes-low.txt

By Risk Level

Feeds filtered by computed risk score, available for all indicator types. Use high-risk for strict blocking, medium for monitoring, and low for research.

Risk Scoring

Each IoC is assigned a risk score (1–9) based on the source reliability and indicator confidence:

Source                      | Score | Rationale
----------------------------|-------|------------------------------------------------
Spamhaus DROP/EDROP         | 9     | Curated hijacked netblocks, extremely reliable
Feodo Tracker               | 8     | Confirmed botnet C2 infrastructure
ThreatFox (confidence ≥75)  | 7     | High-confidence community reports
IPsum (score ≥5)            | 7     | Appears on 5+ independent blacklists
URLhaus (online)            | 6     | Actively serving malware
MalwareBazaar               | 6     | Recent malware samples
IPsum (score 3–4)           | 6     | Moderate blacklist coverage
Blocklist.de                | 5     | Brute-force attacks; may include VPNs/proxies
OpenPhish                   | 5     | Automated phishing detection
ThreatFox (confidence <75)  | 4     | Lower-confidence community reports
URLhaus (offline)           | 4     | Previously active, now offline
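The scoring table above is easy to re-derive on the consumer side, which is useful when you want to sanity-check the score attached to an indicator or re-band feeds with your own thresholds. The following is an added example, not the service's own scoring code: the source names, thresholds and scores come from the table, while the keyword arguments (`confidence`, `score`, `online`) and the lowercase source keys are assumptions about how a record would be represented.

```python
from typing import Optional


def risk_score(source: str, *, confidence: Optional[int] = None,
               score: Optional[int] = None, online: Optional[bool] = None) -> int:
    """Return the 1-9 risk score for one indicator from `source`.

    `confidence` is the ThreatFox confidence (0-100), `score` is the
    number of blacklists IPsum saw the IP on, `online` is the URLhaus
    status. A missing qualifier or an unlisted source raises ValueError
    instead of silently picking a score.
    """
    s = source.lower()
    if s in ("spamhaus", "spamhaus_drop", "spamhaus_edrop"):
        return 9                      # curated hijacked netblocks
    if s in ("feodo", "feodo_tracker"):
        return 8                      # confirmed botnet C2
    if s == "threatfox":
        if confidence is None:
            raise ValueError("ThreatFox records need a confidence value")
        return 7 if confidence >= 75 else 4
    if s == "ipsum":
        if score is None:
            raise ValueError("IPsum records need a blacklist count")
        if score >= 5:
            return 7
        if score >= 3:
            return 6
        raise ValueError("IPsum only lists IPs seen on 3+ blacklists")
    if s == "urlhaus":
        if online is None:
            raise ValueError("URLhaus records need an online/offline status")
        return 6 if online else 4
    if s == "malwarebazaar":
        return 6
    if s in ("blocklist_de", "blocklist.de", "openphish"):
        return 5
    raise ValueError(f"no scoring rule for source {source!r}")


def risk_band(score: int) -> str:
    """Map a score to the suffix of the -high/-medium/-low feeds."""
    if not 1 <= score <= 9:
        raise ValueError("risk score must be between 1 and 9")
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"
```

Raising on unknown sources is deliberate: a feed pipeline that silently assigns a default score to a new or renamed source will quietly put unvetted indicators into the high-risk blocking feed.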

Iceland Network Flagging

IoCs are automatically checked against Icelandic IP ranges from RIX.is (~300 IPv4 CIDR blocks, 64 AS numbers). This provides situational awareness for Icelandic organizations.

  • IP matching — Individual IPs from any source are checked against all Icelandic CIDR blocks
  • CIDR overlap — Spamhaus DROP/EDROP netblocks are checked for overlap with Icelandic ranges
  • Iceland threats feed — /feeds/blocklist/iceland-threats.txt returns all flagged IoCs
  • API endpoint — /api/threat-intel/iceland returns flagged IoCs with full context

Note: This is for situational awareness, not blocking. An Icelandic IP appearing on a blocklist could be a compromised server, not a malicious actor. Always investigate before taking action.
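The two checks described above (single IP inside a home CIDR, and netblock-versus-netblock overlap for DROP/EDROP) are different operations, and the overlap case is the one that is easy to get wrong by testing only "is the block's first address inside a home range". The following is an added example that is not the service's own code; the `HOME_RANGES` list is a constructed stand-in using RFC 5737 documentation ranges, not the real RIX.is data, and the record shape `(type, value)` is an assumption.

```python
import ipaddress
from typing import Optional

# Constructed stand-in for the RIX.is list (documentation ranges, RFC 5737).
# The real list has ~300 IPv4 blocks; the logic is the same.
HOME_RANGES = [ipaddress.ip_network(c) for c in (
    "192.0.2.0/24",
    "198.51.100.0/25",
    "203.0.113.0/24",
)]


def containing_range(ip_text, ranges=HOME_RANGES) -> Optional[str]:
    """Return the home CIDR containing `ip_text`, or None.

    Accepts bare IPs and IPv4 ip:port pairs (raw source data may still
    carry ports). Unparseable values return None so one bad line does
    not abort a run.
    """
    host = ip_text.rsplit(":", 1)[0] if ip_text.count(":") == 1 else ip_text
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    for net in ranges:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def overlapping_ranges(cidr_text, ranges=HOME_RANGES):
    """Return every home CIDR that overlaps netblock `cidr_text`.

    For netblock sources such as Spamhaus DROP/EDROP: a listed block that
    is larger than, smaller than, or equal to a home range all count.
    """
    try:
        block = ipaddress.ip_network(cidr_text, strict=False)
    except ValueError:
        return []
    return [str(net) for net in ranges
            if block.version == net.version and block.overlaps(net)]


def flag_indicators(records, ranges=HOME_RANGES):
    """Keep only (type, value) records that touch a home range, as
    (type, value, matched_range) rows: the shape of a flagged-IoC feed."""
    flagged = []
    for ioc_type, value in records:
        if ioc_type == "ip":
            hit = containing_range(value, ranges)
            if hit:
                flagged.append((ioc_type, value, hit))
        elif ioc_type == "cidr":
            for hit in overlapping_ranges(value, ranges):
                flagged.append((ioc_type, value, hit))
    return flagged
```

A flagged result is a prompt to investigate, as the note above says: a /22 DROP listing that overlaps a home /24 usually means a hijacked or abused allocation next door, and the right response is to contact the owner, not to block your own customers.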

How the Feeds Are Generated

8 Sources → Collector (every 30 min) → SQLite + Risk Scoring → Feed Endpoints → Your Firewall
  1. Collection — Every 30 minutes, a scheduled job fetches IoCs from all 8 sources in parallel. Most sources require no API key.
  2. Risk scoring — Each IoC receives a risk score (1–9) based on source reliability and indicator confidence. IPs are checked against Icelandic IP ranges.
  3. Storage — IoCs are stored in SQLite with deduplication (unique on type + value). Each record stores type, value, threat type, source, risk score, confidence, and timestamps.
  4. Feed generation — Feed endpoints query the database with appropriate filters. Results are cached for 5 minutes. For IP feeds, port numbers are stripped from ip:port pairs.
  5. Delivery — Plain text response with a comment header followed by one indicator per line. The X-Feed-Count header contains the entry count.
Freshness: IoCs older than 30 days are automatically purged. Feeds serve the last 7 days. Cache-Control is set to 30 minutes.
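Steps 3 to 5 above (dedup on type + value, port stripping, a 7-day serving window, a 30-day purge, and the plain-text body) fit in a small SQLite model, which is a useful thing to have when you want to mirror the feeds locally or reason about what "re-sighting" does to an indicator's lifetime. This is an added example, not the service's own storage code: the table and column names, the upsert rule (keep the highest risk score seen) and the sample records (RFC 5737 addresses) are assumptions; the retention figures and the response header lines come from the page.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE IF NOT EXISTS ioc (
    type        TEXT    NOT NULL,
    value       TEXT    NOT NULL,
    threat_type TEXT,
    source      TEXT    NOT NULL,
    risk_score  INTEGER NOT NULL,
    confidence  INTEGER,
    first_seen  TEXT    NOT NULL,
    last_seen   TEXT    NOT NULL,
    UNIQUE (type, value)
);
"""


def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db


def normalize(ioc_type, value):
    """Strip a trailing :port from IPv4 indicators; other types pass through."""
    value = value.strip()
    if ioc_type == "ip" and value.count(":") == 1:
        return value.rsplit(":", 1)[0]
    return value


def ingest(db, records, now):
    """Upsert on (type, value): a re-sighted indicator refreshes last_seen and
    keeps the highest risk score seen, instead of becoming a duplicate row."""
    ts = now.isoformat()
    db.executemany(
        """INSERT INTO ioc (type, value, threat_type, source, risk_score,
                            confidence, first_seen, last_seen)
           VALUES (?, ?, ?, ?, ?, ?, ?, ?)
           ON CONFLICT (type, value) DO UPDATE SET
               last_seen  = excluded.last_seen,
               risk_score = MAX(risk_score, excluded.risk_score)""",
        [(r["type"], normalize(r["type"], r["value"]), r.get("threat_type"),
          r["source"], r["risk_score"], r.get("confidence"), ts, ts)
         for r in records])
    db.commit()


def purge(db, now, max_age_days=30):
    """Drop indicators not sighted in the last max_age_days; return the count."""
    cutoff = (now - timedelta(days=max_age_days)).isoformat()
    cur = db.execute("DELETE FROM ioc WHERE last_seen < ?", (cutoff,))
    db.commit()
    return cur.rowcount


def feed(db, ioc_type, now, min_risk=1, max_risk=9, days=7):
    """Values for one feed: type filter, risk band, last-N-days window."""
    since = (now - timedelta(days=days)).isoformat()
    rows = db.execute(
        """SELECT value FROM ioc
           WHERE type = ? AND risk_score BETWEEN ? AND ? AND last_seen >= ?
           ORDER BY value""",
        (ioc_type, min_risk, max_risk, since)).fetchall()
    return [v for (v,) in rows]


def render(values, ioc_type, now):
    """Plain-text body in the documented response format."""
    header = ["# Threat Intelligence Block List",
              f"# Updated: {now.strftime('%Y-%m-%dT%H:%M:%SZ')}",
              f"# Type: {ioc_type}", f"# Entries: {len(values)}"]
    return "\n".join(header + values) + "\n"


def run_demo():
    """Walk-through on constructed records (RFC 5737 addresses, not real IoCs)."""
    now = datetime(2026, 2, 6, 18, 45, 2, tzinfo=timezone.utc)
    db = open_store()
    ingest(db, [  # first collector run, ten days ago
        {"type": "ip", "value": "192.0.2.10:443", "source": "feodo", "risk_score": 8},
        {"type": "ip", "value": "192.0.2.10", "source": "ipsum", "risk_score": 6},
        {"type": "ip", "value": "198.51.100.5", "source": "blocklist_de", "risk_score": 5},
        {"type": "domain", "value": "example.invalid", "source": "threatfox", "risk_score": 4},
    ], now - timedelta(days=10))
    ingest(db, [  # latest run: one re-sighting, one new indicator
        {"type": "ip", "value": "198.51.100.5", "source": "blocklist_de", "risk_score": 5},
        {"type": "ip", "value": "203.0.113.9", "source": "spamhaus", "risk_score": 9},
    ], now)
    all_ips = feed(db, "ip", now)                   # 7-day window
    high_ips = feed(db, "ip", now, min_risk=7)      # ip-high.txt equivalent
    return {
        "rows": db.execute("SELECT COUNT(*) FROM ioc").fetchone()[0],
        "dedup_risk": db.execute(
            "SELECT risk_score FROM ioc WHERE value = '192.0.2.10'").fetchone()[0],
        "all_ips": all_ips,
        "high_ips": high_ips,
        "body": render(all_ips, "ip", now),
        "purged": purge(db, now + timedelta(days=25)),  # 30-day cutoff passes
    }
```

The walk-through shows the two retention behaviours that matter to a consumer: an indicator sighted ten days ago has already dropped out of the 7-day feed even though it is still in the database, and it is only deleted once its last sighting is more than 30 days old.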

Response Format

# Threat Intelligence Block List
# Source: news.1881.is - Multi-Source IoC Feed
# Updated: 2026-02-06T18:45:02Z
# Type: ip
# Entries: 1247
80.79.6.185
45.55.159.168
103.56.149.21
...

HTTP Headers:

  • Content-Type: text/plain; charset=utf-8
  • Cache-Control: public, max-age=1800 (30 minutes)
  • X-Feed-Count: N (number of entries, excluding comment lines)
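Because the body carries its own `# Entries:` line and the response carries `X-Feed-Count`, a consumer can detect a truncated download or a proxy that mangled the body before loading anything into a firewall. The parser below is an added example, not the service's client code: it reads the `# Key: value` header lines, validates each indicator against the declared type, and refuses the feed when the counts disagree. `SAMPLE_BODY` and `SAMPLE_HEADERS` are constructed (documentation-range IPs), and the two deliberately bad lines show why a consumer should validate rather than trust: a port-suffixed IP is rejected as written, which is exactly the defect the port-stripping step in feed generation exists to prevent.

```python
import ipaddress
import re
from dataclasses import dataclass

LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$", re.I)
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)


class FeedError(ValueError):
    """Raised when a feed response is not internally consistent."""


@dataclass
class Feed:
    meta: dict
    entries: list
    rejected: list


def is_valid(ioc_type, value):
    """Syntactic check for one indicator of the given feed type."""
    if ioc_type == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if ioc_type == "domain":
        return len(value) <= 253 and DOMAIN_RE.match(value) is not None
    if ioc_type == "url":
        return value.startswith(("http://", "https://")) and " " not in value
    if ioc_type == "hash":
        return HASH_RE.match(value) is not None
    return False


def parse_feed(body, headers=None, expected_type=None):
    """Parse a plain-text feed body and cross-check it against its own
    "# Entries:" line and the X-Feed-Count HTTP header."""
    meta, entries, rejected = {}, [], []
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, val = line[1:].partition(":")
            if sep:                       # "# Key: value" header lines
                meta[key.strip().lower()] = val.strip()
            continue
        (entries if is_valid(meta.get("type", ""), line) else rejected).append(line)

    if expected_type and meta.get("type") != expected_type:
        raise FeedError(f"feed type {meta.get('type')!r} != {expected_type!r}")
    total = len(entries) + len(rejected)
    if "entries" in meta and int(meta["entries"]) != total:
        raise FeedError(f"header says {meta['entries']} entries, body has {total}")
    if headers:
        hdr = {k.lower(): v for k, v in headers.items()}
        if "x-feed-count" in hdr and int(hdr["x-feed-count"]) != total:
            raise FeedError(f"X-Feed-Count {hdr['x-feed-count']} != body {total}")
    return Feed(meta, entries, rejected)


# Constructed sample response (documentation-range IPs, not real feed data).
SAMPLE_BODY = """\
# Threat Intelligence Block List
# Source: example.invalid - constructed sample
# Updated: 2026-02-06T18:45:02Z
# Type: ip
# Entries: 4
192.0.2.10
198.51.100.22
not-an-ip
203.0.113.5:8080
"""
SAMPLE_HEADERS = {"Content-Type": "text/plain; charset=utf-8",
                  "Cache-Control": "public, max-age=1800",
                  "X-Feed-Count": "4"}
```

The count check compares against valid plus rejected lines, because the server's count covers every non-comment line; a mismatch there means the transfer was cut short, while a non-empty `rejected` list means the content itself needs a look before it goes into a blocking rule.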

Bulk Counts API

Get all feed counts in a single request (useful for dashboards):

GET /api/threat-intel/feed-counts?days=7

{
  "sources": {
    "threatfox": {
      "ip":     {"high": 45, "medium": 120, "low": 3},
      "domain": {"high": 12, "medium": 30,  "low": 0},
      "url":    {"high": 8,  "medium": 15,  "low": 2},
      "hash":   {"high": 0,  "medium": 5,   "low": 0}
    },
    ...
  },
  "combined": {"ip": {...}, "domain": {...}, "url": {...}, "hash": {...}},
  "risk": {"high": N, "medium": N, "low": N}
}

Device Compatibility

Our feeds use plain text format (one IoC per line, # comment header) which is compatible with most security devices out of the box:

Device / Tool   | Notes
----------------|----------------------------------------------------------------------------------
FortiGate       | External Threat Feed; up to 131K entries; separate feed per type
Palo Alto       | External Dynamic List (EDL); 50K–150K entries; no hash support
Cisco Firepower | Security Intelligence feeds; IP/CIDR only for network objects
Sophos XG/XGS   | v21+; # comments supported
pfSense         | pfBlockerNG; URL Table (IPs); CIDR supported
OPNsense        | URL Table alias; IP/CIDR/ranges supported
MikroTik        | Import into /ip firewall address-list
CrowdSec        | Plain text IP lists; use cscli decisions add
Snort           | IP reputation lists (.blf extension); CIDR supported
Suricata        | IP ✓**; requires CSV conversion (ip,category,score); see example below
Splunk ES       | IP ✓*, Domain ✓*, URL ✓*, Hash ✓**; prefers CSV with headers or STIX 2.0/2.1 format

Format: All feeds serve text/plain with # comment headers and one indicator per line. This is the de facto standard for threat intelligence feeds and works with most devices. Suricata and Splunk ES require format conversion — see integration examples below.

Integration Examples

FortiGate (External Threat Feed)

# IP blocklist
config system external-resource
    edit "ThreatIntel-HighRisk-IPs"
        set type address
        set resource "https://news.1881.is/feeds/blocklist/ip-high.txt"
        set refresh-rate 30
    next
end

# Domain blocklist
config system external-resource
    edit "ThreatIntel-Domains"
        set type domain
        set resource "https://news.1881.is/feeds/blocklist/domains-high.txt"
        set refresh-rate 30
    next
end

# Malware hash feed (FortiGate supports MD5/SHA256)
config system external-resource
    edit "ThreatIntel-Hashes"
        set type malware
        set resource "https://news.1881.is/feeds/blocklist/hashes-high.txt"
        set refresh-rate 30
    next
end

Palo Alto Networks (External Dynamic List)

# Objects > External Dynamic Lists > Add
Name:   ThreatIntel-HighRisk-IPs
Type:   IP List
Source: https://news.1881.is/feeds/blocklist/ip-high.txt
Repeat: Hourly

# Note: Palo Alto EDLs support IP, Domain, and URL lists
# but do NOT support hash lists

pfSense / OPNsense

# Firewall > Aliases > Add
Name:        ThreatIntel_BruteForce
Type:        URL Table (IPs)
URL:         https://news.1881.is/feeds/blocklist/brute-force-ips.txt
Update Freq: 1 (days)

CrowdSec

# Import high-risk IPs into CrowdSec:
curl -s https://news.1881.is/feeds/blocklist/ip-high.txt \
  | grep -v '^#' \
  | while read -r ip; do
      cscli decisions add --ip "$ip" --reason "Threat Feed (high risk)" --duration 168h
    done

Suricata (IP Reputation)

# Download the feed and convert it to Suricata's iprep format (ip,category,score),
# writing it under default-reputation-path so suricata.yaml can find it:
curl -s https://news.1881.is/feeds/blocklist/ip.txt \
  | grep -v '^#' \
  | awk '{print $1",1,100"}' > /etc/suricata/iprep/threatfeed-ips.list

# /etc/suricata/iprep/categories.txt (id,short name,description):
1,ThreatFeed,news.1881.is IP blocklist

# suricata.yaml:
reputation-categories-file: /etc/suricata/iprep/categories.txt
default-reputation-path: /etc/suricata/iprep
reputation-files:
  - threatfeed-ips.list

Sophos XG/XGS

# System Services > Dynamic threat feeds > Add
Name:             ThreatIntel-IPs
Type:             IP List (IPv4/IPv6)
URL:              https://news.1881.is/feeds/blocklist/ip-high.txt
Polling interval: 60 minutes

MikroTik

# Scheduled script to import IP blocklist:
/tool fetch url="https://news.1881.is/feeds/blocklist/ip-high.txt" dst-path=threatfeed.txt
:delay 2s
/ip firewall address-list remove [find list=threatfeed]
:foreach line in=[/file get threatfeed.txt contents] do={
    :if ([:pick $line 0 1] != "#") do={
        /ip firewall address-list add list=threatfeed address=$line timeout=1d
    }
}

Snort (IP Reputation)

# Download as blacklist file (.blf):
curl -s https://news.1881.is/feeds/blocklist/ip-high.txt \
  | grep -v '^#' > /etc/snort/rules/black_list.blf

# snort.conf:
preprocessor reputation: \
    blacklist /etc/snort/rules/black_list.blf

Splunk Enterprise Security

# Convert plain text feed to Splunk CSV format:
echo "ip,description,weight" > /tmp/threatfeed.csv
curl -s https://news.1881.is/feeds/blocklist/ip-high.txt \
  | grep -v '^#' \
  | awk '{print $1",High-Risk Threat Feed,100"}' >> /tmp/threatfeed.csv

# Upload via: Configure > Data Enrichment >
# Threat Intelligence > Upload (CSV format)

Python

import requests

# Load high-risk IPs for blocking
resp = requests.get("https://news.1881.is/feeds/blocklist/ip-high.txt", timeout=30)
resp.raise_for_status()  # do not load an error page as a blocklist
ips = [line for line in resp.text.splitlines() if line and not line.startswith("#")]
print(f"Loaded {len(ips)} high-risk IPs")

# Load Spamhaus DROP netblocks
resp = requests.get("https://news.1881.is/feeds/blocklist/drop-nets.txt", timeout=30)
resp.raise_for_status()
cidrs = [line for line in resp.text.splitlines() if line and not line.startswith("#")]
print(f"Loaded {len(cidrs)} DROP netblocks")
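Loading the lists is the easy half; the Terms of Use below recommend running the high-risk feed in monitor/log mode first, and that needs matching logic that treats single IPs and DROP netblocks differently and reports hits instead of blocking. The following is an added example and not part of the page's Python sample: it loads two feeds from embedded text so it runs offline (in practice you would pass `resp.text` from the snippet above), then scans log lines for `SRC=` addresses and counts hits per indicator. The feed bodies, the netfilter-style log lines and all addresses are constructed (RFC 5737 ranges).

```python
import ipaddress
import re
from collections import Counter

# Constructed feed bodies in the documented format (RFC 5737 addresses).
FEED_IPS_HIGH = """\
# Type: ip
192.0.2.44
198.51.100.7
"""
FEED_DROP_NETS = """\
# Type: cidr
203.0.113.0/24
"""
# Constructed netfilter-style log lines; SRC= is the field we key on.
LOG_LINES = """\
Feb  6 18:40:01 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.44 DST=10.0.0.5 DPT=22
Feb  6 18:40:03 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.77 DST=10.0.0.8 DPT=443
Feb  6 18:40:05 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.12 DST=10.0.0.5 DPT=22
Feb  6 18:40:09 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.44 DST=10.0.0.9 DPT=3389
"""
SRC_RE = re.compile(r"\bSRC=(\S+)")


def load_feed(text):
    """Indicator lines only: drop blanks and the '#' comment header."""
    lines = (l.strip() for l in text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]


class Watchlist:
    """Exact-match set for single IPs plus a list of networks for CIDR feeds."""

    def __init__(self, ips, cidrs):
        self.ips = set(ips)
        self.nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def lookup(self, ip_text):
        """('ip', value) for a listed IP, ('cidr', net) for a listed block, else None."""
        if ip_text in self.ips:
            return ("ip", ip_text)
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            return None
        for net in self.nets:
            if addr.version == net.version and addr in net:
                return ("cidr", str(net))
        return None


def scan_logs(lines, watchlist):
    """Return (source_ip, match_kind, indicator) for every line whose SRC= hits."""
    hits = []
    for line in lines:
        m = SRC_RE.search(line)
        if not m:
            continue
        match = watchlist.lookup(m.group(1))
        if match:
            hits.append((m.group(1), match[0], match[1]))
    return hits


def summarize(hits):
    """Hit count per (source, kind, indicator): the review list for monitor mode,
    where repeated hits from one expected partner or customer address are the
    first false positives to investigate before any rule is switched to block."""
    return Counter(hits)
```

Running this over a day of logs before enabling any deny rule gives you the list the Terms of Use ask you to review: each row is an address that would have been blocked, with how often, so the false positives surface while they are still only alerts.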

Terms of Use

  • These feeds are provided free of charge for both personal and commercial use.
  • Data originates from multiple open-source threat intelligence providers under their respective terms of use.
  • This is not a production-grade service. The data is community-sourced and may contain false positives, stale indicators, or errors. Use at your own risk.
  • False positives can cause outages. Blocking a legitimate IP or domain can disrupt services. Always validate IoCs before deploying to production firewalls.
  • Recommended approach: start with the high-risk feed in monitor/log mode, review alerts, then move to blocking once you trust the data for your environment.
  • No guarantee of completeness, accuracy, or availability. The operators assume no liability for any damage caused by the use of these feeds.
  • Please don't poll more frequently than every 30 minutes — the data doesn't change faster than that.
  • Questions? Contact admin@1881.is.