Specifications

This data feed subscription is licensed to you or your organization only, you may not resell or relicense the data without explicit written permission from Whois API LLC. Any violation will be prosecuted to the fullest extent of the law.

There are 10 different types of data in the daily export. Each data feed is published daily at 3 AM UTC.

1. Malicious IPv4/IPv6 address data feeds

Filename format: tidf.%DATE%.daily.malicious-ips.[v4|v6].[csv|jsonl]
Samples:
tidf.2023-09-26.daily.malicious-ips.v4.csv, tidf.2023-09-26.daily.malicious-ips.v4.jsonl,
tidf.2023-09-26.daily.malicious-ips.v6.csv, tidf.2023-09-26.daily.malicious-ips.v6.jsonl

Average file sizes

Filename suffix	Avg. gzipped file size	Avg. unpacked file size	Records
malicious-ips.v4.csv.gz	5.5MB	32MB	1,004,672
malicious-ips.v4.jsonl.gz	6.2MB	67MB	1,004,672
malicious-ips.v6.csv.gz	5.6MB	39MB	1,009,224
malicious-ips.v6.jsonl.gz	6.3MB	74MB	1,009,224

Output format

ip,threatType,firstSeen,lastSeen
203.0.113.1,malware,1678372385
2001:0db8:85a3::8a2e:0370:7334,spam,1678372385
......
{"ip": "203.0.113.1", "threatType":"malware", "firstSeen":"1678172385", "lastSeen":"1678372385"}
{"ip": "2001:0db8:85a3::8a2e:0370:7334", "threatType":"spam", "firstSeen":"1678172385", "lastSeen":"1678372385"}
...

Output parameters

ip	IoC: IPv4 and IPv6 addresses. IPv6 feed also contains IPv4 addresses represented in the IPv6 notation.
threatType	The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic.
firstSeen	UNIX timestamp when the activity was detected first time.
lastSeen	UNIX timestamp when the activity was detected last time.

2. Malicious domain name data feed

Filename format: tidf.%DATE%.daily.malicious-domains.[csv|jsonl]
Samples: tidf.2023-09-26.daily.malicious-domains.csv, tidf.2023-09-26.daily.malicious-domains.jsonl

Average file sizes

Filename suffix	Avg. gzipped file size	Avg. unpacked file size	Records
malicious-domains.csv.gz	39MB	286MB	6,957,036
malicious-domains.jsonl.gz	42MB	558MB	6,957,036

Output format

domainName,threatType,firstSeen,lastSeen
example.com,malware,1678372385
example.org,spam,1678372385
......
{"domainName": "example.com", "threatType":"malware", "firstSeen":"1678172385", "lastSeen":"1678372385"}
{"domainName": "example.org", "threatType":"spam", "firstSeen":"1678172385", "lastSeen":"1678372385"}
...

Output parameters

domainName	IoC: domain name.
threatType	The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic.
firstSeen	UNIX timestamp when the activity was detected first time.
lastSeen	UNIX timestamp when the activity was detected last time.

3. Malicious URL data feed

Filename format: tidf.%DATE%.daily.malicious-urls.[csv|jsonl]
Samples: tidf.2023-09-26.daily.malicious-urls.csv, tidf.2023-09-26.daily.malicious-urls.jsonl

Average file sizes

Filename suffix	Avg. gzipped file size	Avg. unpacked file size	Records
malicious-urls.csv.gz	42MB	116MB	1,073,285
malicious-urls.jsonl.gz	44MB	165MB	1,073,285

Output format

url,host,threatType,firstSeen,lastSeen
"example.com/wp-admin.php?hack_me=1","example.com",malware,1678372385
"/bad_path/bad_file.php","",malware,1678372385
......
{"url": "example.com/wp-admin.php?hack_me=1", "host": "example.com", "threatType":"malware", "firstSeen":"1678172385", "lastSeen":"1678372385"}
{"url": "/bad_path/bad_file.php","host": "", "threatType":"malware", "firstSeen":"1678172385", "lastSeen":"1678372385"}
...

Output parameters

url	IoC: URL. It might be absolute (https://example.com/files/badfile.php) or relative (/files/badfile.php). Relative URLs do not have a corresponding domainName field.
host	Domain name or IP for absolute URLs.
threatType	The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic.
firstSeen	UNIX timestamp when the activity was detected first time.
lastSeen	UNIX timestamp when the activity was detected last time.

4. Malicious file hash data feed

Filename format: tidf.%DATE%.daily.malicious-file-hashes.[csv|jsonl]
Samples: tidf.2023-09-26.daily.malicious-file-hashes.csv, tidf.2023-09-26.daily.malicious-file-hashes.jsonl

Average file sizes

Filename suffix	Avg. gzipped file size	Avg. unpacked file size	Records
malicious-file-hashes.csv.gz	13MB	35MB	639,141
malicious-file-hashes.jsonl.gz	13MB	64MB	639,141

Output format

hash,algo,threatType,firstSeen,lastSeen
1118d9c97f4ababe8ffcecef0946bcc8,md5,malware,1678372385
930619bc49c9836d26a3a2b75a3db93934d26fcb,sha1,malware,1678372385
......
{"hash": "1118d9c97f4ababe8ffcecef0946bcc8", "algo": "md5", "threatType":"malware", "firstSeen":"1678372385", "lastSeen":"1678372385"}
{"hash": "930619bc49c9836d26a3a2b75a3db93934d26fcb", "algo": "sha1", "threatType":"malware", "firstSeen":"1678372385", "lastSeen":"1678372385"}
...

Output parameters

hash	IoC: file's checksum. The hashing algorithm is determined by the algorithm field.
algo	The algorithm used to generate the value in the hash field: md5 or sha1.
threatType	The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic.
firstSeen	UNIX timestamp when the activity was detected first time.
lastSeen	UNIX timestamp when the activity was detected last time.

5. Hosts files

A denylist in the hosts file format containing malicious domain names mapped to 0.0.0.0, to block access to them. Compatible with most operating systems. The denylist contains the IoCs active the day before the export.

Filename format: tidf.%DATE%.daily.hosts
Samples: tidf.2023-09-26.daily.hosts

Average file sizes

Filename suffix	Avg. gzipped file size	Avg. unpacked file size	Records
hosts.gz	34MB	211MB	6,813,347

Output format

...
0.0.0.0 example.com
0.0.0.0 example.org
...

6. Nginx ngx_http_access_module compatible IPv4/IPv6 denylists in CIDR notation

A list containing IPv4 and IPv6 ranges in CIDR notation formatted for the ngx_http_access_module. The file can be used in Nginx configuration to block malicious IP addresses. The denylist contains the IoCs active the day before the export.

Filename format: tidf.%DATE%.daily.nginx-access.[v4|v6]
Samples: tidf.2023-09-26.daily.nginx-access.v4, tidf.2023-09-26.daily.nginx-access.v6

Average file sizes

Filename suffix	Avg. gzipped file size	Avg. unpacked file size	Records
nginx-access.v4.gz	5.1MB	30MB	1,352,895
nginx-access.v6.gz	5.6MB	44MB	1,499,909

Output format

...
deny 203.0.113.1;
deny 2001:0db8:85a3::8a2e:0370:7334;
...

7. Raw IPv4/IPv6 denylists

A plain text denylist containing IPv4/IPv6 addresses to block. Can be used in web server or firewall configuration. The denylist contains the IoCs active the day before the export.

Filename format: tidf.%DATE%.daily.deny-ips.[v4|v6]
Samples: tidf.2023-09-26.daily.deny-ips.v4, tidf.2023-09-26.daily.deny-ips.v6

Average file sizes

Filename suffix	Avg. gzipped file size	Avg. unpacked file size	Records
deny-ips.v4.gz	3.1MB	13MB	929,017
deny-ips.v6.gz	3.4MB	19MB	933,565

Output format

...
203.0.113.1
2001:0db8:85a3::8a2e:0370:7334
...

8. Raw domain denylist

A plain text file containing domains to block. Can be used in web server or firewall configuration. The denylist contains the IoCs active the day before the export.

Filename format: tidf.%DATE%.daily.deny-domains
Samples: tidf.2023-09-26.daily.deny-domains

Average file sizes

Filename suffix	Avg. gzipped file size	Avg. unpacked file size	Records
deny-domains.gz	32MB	159MB	6,813,347

Output format

...
example.com
example.org
...

9. Raw CIDR denylist

A plain text denylist containing IP address ranges in CIDR notation to block. Can be used in web server or firewall configuration. The denylist contains all the active IoCs for the last 24 hours.

Filename format: tidf.%DATE%.daily.deny-cidrs.[v4|v6].gz
Samples: tidf.2023-09-26.daily.deny-cidrs.v4, tidf.2023-09-26.daily.deny-cidrs.v6,

Average file sizes

Filename suffix	Avg. gzipped file size	Avg. unpacked file size	Records
deny-cidrs.v4.gz	4.6MB	23MB	1,352,895
deny-cidrs.v6.gz	5.5MB	36MB	1,499,909

Output format

...
deny 1.0.0.0/32;
deny 1.0.1.21/32;
...

10. Malicious IPv4/IPv6 ranges in CIDR notation data feeds

A plain text denylist containing IP address ranges in CIDR notation to block. Can be used in web server or firewall configuration.

Filename format: tidf.%DATE%.daily.malicious-cidrs.[v4|v6].[csv|jsonl]
Samples:
tidf.2023-09-26.daily.malicious-cidrs.v4.csv, tidf.2023-09-26.daily.malicious-cidrs.v4.jsonl,
tidf.2023-09-26.daily.malicious-cidrs.v6.csv, tidf.2023-09-26.daily.malicious-cidrs.v6.jsonl

Average file sizes

Filename suffix	Avg. gzipped file size	Avg. unpacked file size	Records
malicious-cidrs.v4.csv.gz	9.5MB	64MB	1,853,752
malicious-cidrs.v4.jsonl.gz	11MB	133MB	1,853,752
malicious-cidrs.v6.csv.gz	11MB	83MB	2,000,874
malicious-cidrs.v6.jsonl.gz	12MB	158MB	2,000,874

Output format

cidr,threatType,firstSeen,lastSeen
1.0.0.0/32,attack,1678412656
1.0.1.21/32,attack,1678360646
......
{"cidr":"1.0.0.0/32","firstSeen":"1678172385","lastSeen":"1678412656","threatType":"attack"}
{"cidr":"1.0.1.21/32","firstSeen":"1678172385","lastSeen":"1678360646","threatType":"attack"}
...

Output parameters

cidr	IoC: IPv4 and IPv6 ranges in CIDR notation. IPv6 feed also contains IPv4 ranges represented in the IPv6 notation.
threatType	The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic.
firstSeen	UNIX timestamp when the activity was detected first time.
lastSeen	UNIX timestamp when the activity was detected last time.

Downloading via HTTPS

Base path: https://threat-intelligence.whoisxmlapi.com/datafeeds
Username and password: equal to your personal API Key which you can obtain from the My Products page.
Folder: Threat_Intelligence_Data_Feeds

Downloading via FTP

Host: datafeeds.whoisxmlapi.com
Port: 21210
Username: 'user'
Password: equal to your personal API Key which you can obtain from the My Products page.
Base path: ftp://datafeeds.whoisxmlapi.com:21210
Folder: Threat_Intelligence_Data_Feeds

Downloading via FTPs

Read more about the FTPS connection: https://en.wikipedia.org/wiki/FTPS.

Our FTP server supports explicit FTP over TLS encryption. You may configure your FTP client to use explicit FTP over TLS encryption for secure communications.

Our FTPS server is accessed using the same paths and API keys as a regular FTP server, the instructions for which are described above. To connect via FTPS, select the "Require explicit FTP over TLS" encryption option in your FTP client, if it supports it. FileZilla configuration example:

WHOIS / WHOIS History

DNS / DNS History

IP Geolocation / IP Netblocks

Domain/WHOIS

DNS/IP

Intelligence

Other

Domain/WHOIS

DNS/IP

Intelligence

Other

Domain/WHOIS

DNS/IP

Intelligence

Other

Research

Monitoring

White-Label

Specifications

1. Malicious IPv4/IPv6 address data feeds

Average file sizes

Output format

Output parameters

2. Malicious domain name data feed

Average file sizes

Output format

Output parameters

3. Malicious URL data feed

Average file sizes

Output format

Output parameters

4. Malicious file hash data feed

Average file sizes

Output format

Output parameters

5. Hosts files

Average file sizes

Output format

6. Nginx ngx_http_access_module compatible IPv4/IPv6 denylists in CIDR notation

Average file sizes

Output format

7. Raw IPv4/IPv6 denylists

Average file sizes

Output format

8. Raw domain denylist

Average file sizes

Output format

9. Raw CIDR denylist

Average file sizes

Output format

10. Malicious IPv4/IPv6 ranges in CIDR notation data feeds

Average file sizes

Output format

Output parameters

Downloading via HTTPS

Downloading via FTP

Downloading via FTPs

Have questions?