The data

This project provides different sets of open source IOCs that you can use in your security devices to detect possible malicious activity.
The information includes network information (IPs), file hashes, file paths, domain names and URLs.


All the data is gathered via open source information feeds (blog pages and PDF documents) and then consolidated into different datasets. To ensure the quality of the data all entries older than approx. 6 months are removed.


MISP is used as a back-end for storing the threat information. The information is added to MISP via ioc-parser, extracted from MISP with PyMISP and formatted with a set of custom Python scripts.
The JSON feed generated from MISP is available via /data/feed-osint.

It is free!

The data is free (obviously, the source of the data is also free). You use the data at your own risk. This project only makes the data easily accessible. It is up to you to decide where and how you want to use it.


The datasets are always available in two formats, each with an accompanying .md5 file:

  • ioclist.<TYPE>
  • ioclist.<TYPE>.md5
  • ioclist.<TYPE>.raw
  • ioclist.<TYPE>.raw.md5

The content of both datasets is identical. The .raw file contains the data without comments. These datasets can be used if you want to automate inclusion in your detection systems.
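As an added example (not part of the project's own scripts), the sketch below loads an ip-dst list in either format, checks it against its .md5 companion, and matches it against outbound connection logs to raise alerts. It assumes one indicator per line, `#` as the comment marker, and that the .md5 file holds the hex MD5 of the list; the sample list, log lines and function names are constructed for illustration.

```python
import hashlib
import ipaddress

# Constructed sample of an ioclist.ip-dst file (documentation-range addresses).
# Assumption: one indicator per line, '#' starts a comment.
SAMPLE_IOCLIST = """\
# ioclist.ip-dst (constructed sample)
192.0.2.10 # constructed: campaign report A
198.51.100.77
not-an-ip
203.0.113.5 # constructed: campaign report B
"""

# Constructed outbound connection log: "<timestamp> <src> -> <dst>:<port>".
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.4 -> 93.184.216.34:443
2024-01-01T10:00:05Z 10.0.0.9 -> 198.51.100.77:8080
2024-01-01T10:00:09Z 10.0.0.4 -> 203.0.113.5:53
"""

def checksum_ok(list_text, md5_text):
    """Compare the list with its .md5 companion (assumed: hex MD5 of the file).
    This only catches truncated or corrupted downloads, not tampering."""
    parts = md5_text.split()
    expected = parts[0].lower() if parts else ""
    digest = hashlib.md5(list_text.encode(), usedforsecurity=False).hexdigest()
    return digest == expected

def parse_ip_list(list_text):
    """Return the set of valid IPs; works for the commented and .raw variants."""
    indicators = set()
    for line in list_text.splitlines():
        value = line.split("#", 1)[0].strip()
        try:
            indicators.add(ipaddress.ip_address(value))
        except ValueError:
            continue  # skip blank, comment-only or malformed lines
    return indicators

def alerts_for(log_text, indicators):
    """Return (timestamp, src, dst) for each connection to a listed destination."""
    hits = []
    for line in log_text.splitlines():
        ts, src, _arrow, dst = line.split()
        dst_ip = ipaddress.ip_address(dst.rsplit(":", 1)[0])
        if dst_ip in indicators:
            hits.append((ts, src, str(dst_ip)))
    return hits
```

The hits are meant to feed an alert queue for investigation rather than a block rule.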

All the datasets are stored in the folder /data/. For example the network IOC with possible malicious destination IPs is available via

A JSON feed provided from the data in MISP is available via /data/feed-osint.

Note that current datasets in /data/ are still limited and part of PoC. Expect more useful data once the whole process has been tuned.

The directory /data/ has been set to allow 'directory listing' so it's easier for you to check which IOC files are available.

Dataset types

These datasets are available:

Network IOCs

  • ioclist.ip-dst
  • ioclist.domain
  • ioclist.url

File details

  • ioclist.filename
  • ioclist.md5
  • ioclist.sha1
  • ioclist.sha256

Other IOCs

  • ioclist.regkey



The datasets are updated regularly whenever new APT writeups or descriptions of exploit campaigns become available. Do take into account that this remains a volunteer project.


IOC email-src

Use these IOCs on your e-mail relay.

IOC ip-dst

Detect possible outbound malicious activity.

IOC sha1

File hashes that can be used when doing incident response.

IOC domain - raw

Domain list in a raw format.

Frequently Asked Questions

Where is the data?

All the data files are in /data/

Block lists are outdated!

Yes. But not entirely.
We do not recommend installing the different IOCs in your intrusion prevention systems 'as such'. We strongly advise you to use the IOCs for detecting possible malicious behavior. Use the IOCs to raise an alert and then conduct a proper investigation. Consider this data as an extra set of data that you can use to monitor the quality of your network and services.

Note that you should not only focus on network IOCs.

The network IOCs are outdated!

Yes. But not entirely ;-)
The data originates from public reports. Because the reports are public, it is very likely that the reported IPs have been cleaned. Some of the IPs, however, are used for different types of malicious activity, so using them in your detection system still makes sense.

What should I do with the file hashes?

The file hashes are useful when you conduct an incident response investigation. Ideally you combine them with Yara rules.

I want direct access to the MISP instance!

Well, you can't. Not yet. I run my MISP setup on a private, internal network. This is not because I do not trust the public access controls built into MISP but because it reduces the effort I have to put into running (monitoring) the system.

Why did you not use the MISP export feature?

MISP allows export in different formats (XML, IDS-Snort, CSV). The export comes close to what I had in mind, but I wanted to add some comments and be able to remove some redundant data. As such, I use PyMISP to extract the data and write the output into different text files.
Very soon I'll also make the MISP default export formats available in the data folder.

I need a MISP JSON feed!

The MISP JSON feed, generated via feed-generator, is available under /data/feed-osint.

Remove my <X> from the list!

All the indicators in our data set are sourced from public reports. This means that your 'X' was once part of some 'malicious' campaign. The internet isn't static so it's possible that your 'X' is now cleaned and should no longer be flagged as something malicious. If this is the case then please send an e-mail with a justification why your 'X' is now clean and should no longer be on the list.

What are the terms of use?

You can use this data the way you prefer but all use of the data is at your own risk.

What does botvrij mean?

botvrij is a Dutch word. Vrij means free. It means 'free of bots'.