The RSS source pulls from standard RSS and Atom feeds and extracts artifacts from the feed content itself. It does not follow links to full blog posts, so only indicators that appear in the feed entries (the summary or full-text body, depending on what the feed publishes) are extracted.

For each RSS feed, you’ll need to define a feed_type for IOC extraction. Valid feed types are:

  • messy: Only extract obfuscated (defanged) URLs, such as hxxp:// or example[.]com, and treat all IP addresses as valid. Plain URLs are ignored, since in a narrative post they are usually the author's own links rather than C2.
  • clean: Treat every URL and IP in the content as a valid C2 URL/IP. Use this only for feeds that contain nothing but indicators.
  • afterioc: Treat everything after the last occurrence of the string “Indicators of Compromise” as valid C2 URL/IP; content before that marker is ignored.
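To make the difference between the three feed types concrete, here is a small stand-alone extractor, added as an example for this page and not the project's own RSS source code. It runs the three modes over a constructed feed entry (the URLs and IPs in SAMPLE_ENTRY are made up, using documentation ranges) using stdlib regexes instead of the project's extraction library; the way it handles a missing “Indicators of Compromise” marker in afterioc mode (yielding nothing) is this example's choice, not necessarily the real source's behaviour.

```python
import re
from typing import Dict, List

# Constructed sample feed entry for this example (not from a real feed). The
# narrative part links to the blog's own site and names an IP; the trailing
# IOC section lists one defanged URL, one plain URL and one IP.
SAMPLE_ENTRY = """
Read our full analysis at https://blog.example.com/report-2024.
The loader beaconed to 203.0.113.10 and pulled a second stage.

Indicators of Compromise
hxxp://evil[.]example[.]net/payload.exe
http://cdn.example.org/update.bin
198.51.100.7
"""

IOC_MARKER = "Indicators of Compromise"
# Matches http(s) and the common hxxp(s) defanging, with an optional [:] before //.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?(?::|\[:\])//[^\s<>\"']+", re.IGNORECASE)
# Dotted-quad IPs, allowing [.] in place of dots.
IP_RE = re.compile(r"\b(?:\d{1,3}(?:\.|\[\.\])){3}\d{1,3}\b")


def is_obfuscated(url: str) -> bool:
    """True if the author defanged the URL (hxxp scheme or bracketed dots/colon)."""
    lowered = url.lower()
    return lowered.startswith("hxxp") or "[.]" in lowered or "[:]" in lowered


def refang(ioc: str) -> str:
    """Undo common defanging so the indicator is usable downstream."""
    ioc = re.sub(r"hxxp", "http", ioc, flags=re.IGNORECASE)
    ioc = ioc.replace("[.]", ".").replace("[:]", ":")
    return ioc.rstrip(".,;:)")  # drop sentence punctuation glued to a URL


def extract(text: str, feed_type: str) -> Dict[str, List[str]]:
    """Return refanged, de-duplicated URLs and IPs according to feed_type."""
    if feed_type == "afterioc":
        idx = text.rfind(IOC_MARKER)
        # Example choice: with no marker present, yield nothing rather than
        # treat the whole post as C2 (an assumption of this example).
        text = text[idx + len(IOC_MARKER):] if idx != -1 else ""
    elif feed_type not in ("messy", "clean"):
        raise ValueError(f"unknown feed_type: {feed_type!r}")

    urls = URL_RE.findall(text)
    if feed_type == "messy":
        urls = [u for u in urls if is_obfuscated(u)]  # plain links are skipped
    ips = IP_RE.findall(text)  # IPs are kept in every mode

    return {
        "urls": sorted({refang(u) for u in urls}),
        "ips": sorted({refang(i) for i in ips}),
    }


if __name__ == "__main__":
    for mode in ("messy", "clean", "afterioc"):
        print(mode, extract(SAMPLE_ENTRY, mode))
```

Running it shows why messy is the safe default: clean reports the blog's own https://blog.example.com link as C2, messy keeps only the defanged payload URL, and afterioc picks up the plain CDN URL and the IP from the IOC section while dropping the narrative above the marker.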

Configuration Options

  • module (required): rss
  • feed_type (required): see above; if unsure, use messy.
  • url (required): URL to the RSS or Atom feed.

Example Configuration

Inside the sources section of your configuration file:

- name: rss-myiocfeed
  module: rss
  feed_type: messy
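A fuller sources section showing one entry per feed type, added here as an example rather than copied from the project's documentation; the feed names and URLs are placeholders, and the comments say when each feed_type fits:

```yaml
sources:
  - name: rss-vendor-blog
    module: rss
    feed_type: messy        # narrative posts: only defanged URLs, all IPs
    url: https://blog.example.com/feed.xml
  - name: rss-ioc-only
    module: rss
    feed_type: clean        # feed carries nothing but indicators
    url: https://feeds.example.org/iocs.atom
  - name: rss-report-with-ioc-section
    module: rss
    feed_type: afterioc     # reports that end in an "Indicators of Compromise" list
    url: https://research.example.net/rss
```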