Vortigaunt is a friendly way of ingesting open threat intel feeds into Elasticsearch.
I wanted to write a bit of Go, and figured this was a good exercise.
Current Vortigaunt grabs the following feeds;
"http://www.malwaredomainlist.com/hostslist/ip.txt"
"https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist"
"http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_ALL.csv"
"http://multiproxy.org/txt_all/proxy.txt"
"http://cinsscore.com/list/ci-badguys.txt"
"https://lists.blocklist.de/lists/all.txt"
"https://raw.githubusercontent.com/Neo23x0/signature-base/master/iocs/hash-iocs.txt"If you own one of these feeds and don't wish for it to be aggregated here, please raise an issue.
If you wish to add additional feeds, raise an issue and I'll try and add it in.
git clone https://github.com/nicpalmer/vortigaunt
cd vortigaunt
go buildVortigaunt is configured with environment variables, as a bare minimum you'll need to set, VORTIGAUNT_PORT, VORTIGAUNT_HOSTNAME and VORTIGAUNT_SCHEME
export VORTIGAUNT_PORT="9200"
export VORTIGAUNT_HOSTNAME="localhost"
export VORTIGAUNT_SCHEME="http"
export VORTIGAUNT_USERNAME="elastic"
export VORTIGAUNT_PASSWORD="changeme"
./vortigaunt allPlease don't add the scheme to the hostname value, as Vortigaunt will trip up and think the host is something like
https://http://localhost:9200I'll fix this in a PR soon.
Go is not my primary language so there's probably a ton of bugs here, please file an issue if you run into issues.
Thanks to all the people out there who contribute to Open Source, especially those who run open threat feeds.