Zeek Intelligence Feeds

Zeek-Formatted Threat Intelligence Feeds

From CriticalPathSecurity · Updated June 25, 2026

This is a public feed based on Public Threat Feeds and CRITICAL PATH SECURITY gathered data. This feed will be updated as often as possible. The project is written primarily in Zeek, is distributed under the MIT License, and was first published in 2020. Key topics include: malware, phishing, threat-intelligence, threatintel, zeek.

Zeek Intel Threat Feed w/ Combined Indicators

This is a public feed based on Public Threat Feeds and CRITICAL PATH SECURITY gathered data.
This feed will be updated as often as possible.

Getting Started

These instructions will get you a copy of the project up and running.

Dependencies

  • ZEEK 3.0 or greater

Installing

Install Zeek Dependencies


sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

Clone the repository into /opt

cd /opt
git clone --recursive https://github.com/zeek/zeek

Install Zeek

cd /opt/zeek
./configure && make && sudo make install

Install the Threat Intelligence Feeds

Clone the repository into /usr/local/zeek/share/zeek/site/Zeek-Intelligence-Feeds

cd /opt
git clone https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds.git /usr/local/zeek/share/zeek/site/Zeek-Intelligence-Feeds
echo "@load Zeek-Intelligence-Feeds" >> /usr/local/zeek/share/zeek/site/local.zeek

Usage

Navigate to /usr/local/zeek/bin/

./zeekctl deploy

Scheduling Updates

A simple shell script can be used for updates. An example is shown below.

vi /opt/zeek_update.sh

Add the following:

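#!/bin/sh
# Stop if the feed directory is missing, so reset/clean never run in another directory.
cd /usr/local/zeek/share/zeek/site/Zeek-Intelligence-Feeds || exit 1
# Fetch the latest feeds, then discard local changes and untracked files.
git fetch origin master || exit 1
git reset --hard FETCH_HEAD
git clean -df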

Make the script executable.

chmod +x /opt/zeek_update.sh

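Make the following cron entry for 24 hour updates. Note that the schedule shown fires at minute 5 of every hour; to run once per day, set the hour field to a fixed value as well.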

5 * * * * sh /opt/zeek_update.sh >/dev/null 2>&1
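Because the cron job loads whatever the upstream repository contains, a sanity check on the pulled files before Zeek reads them is worth having. The following is an added example, not part of the project: it assumes the standard tab-separated Zeek Intel framework layout (a `#fields` header with `indicator`, `indicator_type` and `meta.source`), and `lint_intel`, `NEVER_FLAG` and `SAMPLE` are hypothetical names.

```python
import ipaddress

# Indicator types defined by Zeek's Intel framework (Intel::Type enum).
KNOWN_TYPES = {"Intel::" + t for t in (
    "ADDR", "SUBNET", "URL", "SOFTWARE", "EMAIL", "DOMAIN", "USER_NAME",
    "CERT_HASH", "PUBKEY_HASH", "FILE_HASH", "FILE_NAME")}
# Ranges that must never appear as indicators; extend with your own address space.
NEVER_FLAG = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")

def lint_intel(text, never_flag=NEVER_FLAG):
    """Return [(line_number, problem)] for the contents of one .intel file."""
    nets = [ipaddress.ip_network(n) for n in never_flag]
    problems, fields = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        if not line.strip() or line.startswith("#"):
            continue  # header, comment or blank line
        if fields is None or not {"indicator", "indicator_type", "meta.source"} <= set(fields):
            return [(no, "missing or incomplete #fields header")]
        cols = line.split("\t")
        if len(cols) != len(fields):  # usually spaces pasted where tabs belong
            problems.append((no, f"expected {len(fields)} tab-separated columns, got {len(cols)}"))
            continue
        row = dict(zip(fields, cols))
        kind, value = row["indicator_type"], row["indicator"]
        if kind not in KNOWN_TYPES:
            problems.append((no, f"unknown indicator_type {kind!r}"))
        elif kind == "Intel::ADDR":
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                problems.append((no, f"not an IP address: {value!r}"))
                continue
            if any(addr in net for net in nets):
                problems.append((no, f"{value} is inside a never-flag range"))
        elif kind == "Intel::URL" and "://" in value:
            problems.append((no, "Intel::URL indicators are written without the scheme"))
    return problems

# Constructed sample feed (documentation addresses and example domains only).
SAMPLE = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc",
    "203.0.113.7\tIntel::ADDR\tconstructed-feed\tsample entry",
    "10.1.2.3\tIntel::ADDR\tconstructed-feed\tinternal address",
    "198.51.100.53\tIntel::ADDR\tconstructed-feed\tsite resolver",
    "http://bad.example/x\tIntel::URL\tconstructed-feed\tscheme included",
    "bad.example Intel::DOMAIN constructed-feed spaces not tabs",
    "bad.example\tIntel::HOST\tconstructed-feed\tmisspelled type",
])
```

Calling `lint_intel(SAMPLE, NEVER_FLAG + ("198.51.100.53/32",))` reports lines 3 through 7. An update job can run the same check over each pulled `.intel` file and alert when the result is non-empty.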

Logs will be written to:

/usr/local/zeek/logs/current/intel.log

Sources:

| Filename | Provider | Homepage | List URL | License/TOU |
| --- | --- | --- | --- | --- |
| Amnesty_NSO_Domains.intel | Amnesty NSO Domains | https://github.com/AmnestyTech/investigations | https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso | Not Defined |
| abuse-ch-ipblocklist.intel | Abuse.CH Blacklist | https://sslbl.abuse.ch/blacklist/ | https://sslbl.abuse.ch/blacklist/ | https://sslbl.abuse.ch/blacklist/ |
| abuse-ch-malware.intel | Abuse.CH Malware | https://bazaar.abuse.ch/ | https://bazaar.abuse.ch/ | https://bazaar.abuse.ch/ |
| abuse-ch-threatfox-ip.intel | Abuse.CH ThreatFox | https://threatfox.abuse.ch/ | https://threatfox.abuse.ch/ | https://threatfox.abuse.ch/ |
| abuse-ch-urlhaus.intel | Abuse.CH URLHaus | https://urlhaus.abuse.ch/ | https://urlhaus.abuse.ch/ | https://urlhaus.abuse.ch/ |
| alienvault.intel | AlienVault | https://www.alienvault.com/ | http://reputation.alienvault.com/reputation.data | https://otx.alienvault.com/ |
| binarydefense.intel | Binary Defense | https://www.binarydefense.com/ | https://www.binarydefense.com/banlist.txt | https://www.binarydefense.com/ |
| censys.intel | Censys | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| cobaltstrike_ips.intel | CobaltStrike IP | https://threatview.io/ | https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt | https://threatview.io/ |
| compromised-ips.intel | Emerging Threats | https://rules.emergingthreats.net/ | https://rules.emergingthreats.net/blockrules/compromised-ips.txt | https://rules.emergingthreats.net/OPEN_download_instructions.html |
| cps-collected-iocs.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| cps_cobaltstrike_domain.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| cps_cobaltstrike_ip.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| ellio.intel | Ellio Tech | https://www.ellio.tech | https://www.ellio.tech | https://www.ellio.tech |
| fangxiao.intel | Cyjax | https://www.cyjax.com/ | https://www.cyjax.com/app/uploads/2022/11/fangxiao-a-chinese-threat-actor.txt | https://www.cyjax.com/2022/11/14/fangxiao-a-chinese-threat-actor/ |
| filetransferportals.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| illuminate.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| inversion.intel | Google / Inversion | https://github.com/elliotwutingfeng/Inversion-DNSBL-Blocklists | Github | https://github.com/elliotwutingfeng/Inversion-DNSBL-Blocklists/blob/main/LICENSE |
| lockbit_ip.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| log4j_ip.intel | Multiple Sources | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| openphish.intel | OpenPhish | https://openphish.com | https://openphish.com/feed.txt | https://openphish.com/terms.html |
| predict_intel.intel | Georgia Tech Research Institute (GTRI) | https://www.gatech.edu/ | https://www.gatech.edu/ | https://www.gatech.edu/ |
| ragnar.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| sans.intel | SANS | https://isc.sans.edu/ | https://isc.sans.edu/api/intelfeed | https://isc.sans.edu/data/threatfeed.html |
| scumbots.intel | ScumBots | None | None | Permission given by Paul Melson - Free Usage |
| stalkerware.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| tor-exit.intel | Tor Project | https://www.torproject.org/ | https://check.torproject.org/exit-addresses | https://www.torproject.org/ |

Thu Jun 25 15:04:40 UTC 2026

This article is auto-generated from CriticalPathSecurity/Zeek-Intelligence-Feeds via the GitHub API. Last fetched: 6/25/2026