Lists, sometimes referred to as feeds, are collections of entries that are later reduced to indicators in list downloads. Lists can be given all types of designations such as "Allow List", "Block List", "Attack Source", etc.; however, the designation does not change how the list is processed. Designations simply give guidance on how the list should be used.
On a regular basis, all indicators within the list's entries are extracted and deduplicated, and the resulting set of indicators is made available for download via the API and the list's information page.
Viewed by unauthenticated and authenticated users; all indicators contained in entries are included in indicator searches.
Viewed only by the owner and any explicitly granted users. Entries and indicators are not included in search results and are not counted in any metrics.
Entries aim to simplify providing context to indicators when they're added to or removed from a list.
Special control characters allow users to define how ioclists interprets the string of text provided as the entry. Hashes and defanged (replace . with [.]) URLs, IPs, and domains are processed as indicators. A leading caret (^) designates evidence, # designates tags, fanged URLs are references, and -- is for comments. A ! prepended to a defanged indicator will remove it from the indicator download list.
http://buithiyennhi[.]com:80/smt/loki/fre.php ^8e3951897bf8371e6010e3254b99e86d #lokibot https://www.virustotal.com/en/file/110d6ae802d229a8105f3185525b5ce2cf9e151f2462bf407db6e832ccac56fa/analysis/ -- C2 for lokibot
This entry is processed from left to right, splitting the entire line on spaces to form words.
http://buithiyennhi[.]com:80/smt/loki/fre.php
The [.] defang control character(s) defines this word as an indicator.
^8e3951897bf8371e6010e3254b99e86d
The ^ before this hash defines it as supporting evidence for the conviction. This is meant to be the hash of a sample, PCAP, or HAR that helps strengthen the conviction.
#lokibot
The # indicates this word is meant to be a tag, which can be used to signify themes of this indicator such as attack, group, type of malware, etc.
https://www.virustotal.com/en/file/110d6ae802d229a8105f3185525b5ce2cf9e151f2462bf407db6e832ccac56fa/analysis/
This URL is not defanged and thus it is treated as a reference, which can provide more detail about the indicator, such as an analyzer result or investigation report.
-- C2 for lokibot
The -- indicates the rest of the entry is a comment. This is a short (less than 120 characters) note about the entry. Anything following the --, including defanged indicators, will be treated as a comment.
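The left-to-right word rules above, as an added Python sketch (not ioclists' own code). The names parse_entry, is_indicator and refang are hypothetical, the handling of unrecognized words and over-long comments is an assumption, and no URL canonicalization is attempted.

```python
import re

HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
MAX_COMMENT = 120  # the page describes comments as under 120 characters

def is_indicator(word):
    """Hashes and defanged ([.]) URLs, IPs and domains are indicators."""
    return "[.]" in word or bool(HASH_RE.match(word))

def refang(word):
    """Restore a defanged indicator; hashes are lowercased as the page notes."""
    return word.lower() if HASH_RE.match(word) else word.replace("[.]", ".")

def parse_entry(line):
    """Classify the words of one entry, left to right (hypothetical helper)."""
    out = {"add": [], "remove": [], "evidence": [], "tags": [],
           "references": [], "comment": None, "unknown": []}
    words = line.split()
    for i, word in enumerate(words):
        if word == "--":
            # Everything after -- is comment text, defanged indicators included.
            comment = " ".join(words[i + 1:])
            if len(comment) >= MAX_COMMENT:
                # Assumption: reject rather than silently truncate.
                raise ValueError("comment must be under 120 characters")
            out["comment"] = comment
            break
        if word.startswith("^") and len(word) > 1:
            out["evidence"].append(word[1:])
        elif word.startswith("#") and len(word) > 1:
            out["tags"].append(word[1:])
        elif word.startswith("!") and is_indicator(word[1:]):
            # Assumption: ! is honoured for hashes as well as defanged indicators.
            out["remove"].append(refang(word[1:]))
        elif is_indicator(word):
            out["add"].append(refang(word))
        elif re.match(r"^https?://", word, re.I):
            out["references"].append(word)  # fanged URL: reference only
        else:
            out["unknown"].append(word)  # assumption: set aside, not guessed
    return out

# The entry from this page, plus a constructed removal entry.
SAMPLE = ("http://buithiyennhi[.]com:80/smt/loki/fre.php "
          "^8e3951897bf8371e6010e3254b99e86d #lokibot "
          "https://www.virustotal.com/en/file/110d6ae802d229a8105f3185525b5ce2cf9e151f2462bf407db6e832ccac56fa/analysis/ "
          "-- C2 for lokibot")
REMOVAL = "!buithiyennhi[.]com -- constructed: refers to evil[.]example only in a note"
```

Running parse_entry over a draft entry before submitting it shows which words would become indicators and which would be kept only as context.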
Indicators are the IPv4 addresses, IPv6 addresses, FQDNs, URLs, and MD5, SHA1, and SHA256 hashes that are included in lists and meant to be used.
ioclists standardizes the format of all indicators we ingest. For instance, all hashes are lowercased, while all URLs follow Google Safe Browsing rules for canonicalization. This means that the indicators in your list download may differ slightly from what was included in an entry.
API endpoints and parameters are detailed in the API's Swagger documentation. Your API key is provided on your account settings page. Calls to the API require the key to be set in the X-API-KEY HTTP header.
ioclists will not sell our users' data, nor will we grant access to data about our users to outside parties. We store the absolute bare minimum to perform our service.
ioclists allows our users to host data on our service and users are encouraged to define how others may use that data. For more information about our terms and conditions, please contact support@ioclists.com
For any concerns related to the content stored on our platform for our users, please contact us at support@ioclists.com