SIEM Integrations
Ingest vspam.org threat intelligence into your SIEM for real-time correlation and alerting. All feeds update every 15 minutes.
Available Feed Formats

Format       Endpoint              Authentication
TAXII 2.1    /taxii2/              No auth (rate-limited)
STIX 2.1     /api/v1/feeds/stix    API key required
JSON         /api/v1/feeds/json    API key required
CSV          /api/v1/feeds/csv     API key required
Plain Text   /api/v1/feeds/txt     API key required
MISP         /api/v1/feeds/misp    API key required

Splunk
Use the Splunk TAXII 2.1 add-on or scheduled scripted input to ingest vspam.org feeds.
- Install the Splunk Add-on for TAXII 2 from Splunkbase
- Configure a new TAXII 2 input pointing to the vspam.org TAXII server
- Map STIX indicator objects to your threat intel index
# Option A: TAXII 2.1 Add-on (recommended)
# In Splunk Web → Settings → Data Inputs → TAXII 2 Client
# Discovery URL: https://api.vspam.org/taxii2/
# Collection: confirmed-iocs
# Polling interval: 900 (15 minutes)

#!/bin/bash
# /opt/splunk/etc/apps/vspam/bin/fetch_feed.sh
# Option B: pull the CSV feed and index it as a one-shot upload (run from cron or a scripted input)
set -euo pipefail
STAGE=/opt/splunk/var/spool/vspam-feed.csv   # 'add oneshot' indexes a file path, not stdin
# -f makes curl fail on an HTTP error instead of indexing the error page as indicators
curl -sfH "X-API-Key: <KEY>" \
  https://api.vspam.org/api/v1/feeds/csv -o "$STAGE"
/opt/splunk/bin/splunk add oneshot "$STAGE" \
  -source vspam -sourcetype csv \
  -index threat_intel

Elastic Security
Ingest vspam.org threat indicators via the Elastic Threat Intel Filebeat module or custom Logstash pipeline.
- Enable the Threat Intel module in Filebeat or use Logstash HTTP poller
- Configure the TAXII 2.1 or JSON feed endpoint
- Enrich events using indicator match rules in Elastic Security
# filebeat.yml — Threat Intel module (TAXII 2.1)
filebeat.modules:
  - module: threatintel
    anomali:
      enabled: false
    abuseurl:
      enabled: false
    custom:
      enabled: true
      var.url: "https://api.vspam.org/taxii2/collections/confirmed-iocs/objects"
      var.interval: 15m
      var.headers:
        Accept: "application/taxii+json;version=2.1"

# Alternative: Logstash HTTP poller for JSON feed
input {
  http_poller {
    urls => {
      vspam => {
        url => "https://api.vspam.org/api/v1/feeds/json"
        headers => { "X-API-Key" => "<KEY>" }
      }
    }
    schedule => { every => "15m" }
    codec => "json"
  }
}
output {
  elasticsearch {
    index => "threat-intel-vspam"
  }
}

Wazuh
Add vspam.org as a threat intelligence source in Wazuh using CDB lists or custom integrations.
- Download the CSV or plain-text feed via cron job
- Convert to Wazuh CDB list format
- Reference the CDB list in Wazuh rules for real-time alerting
#!/bin/bash
# /etc/wazuh/scripts/update-vspam-cdb.sh
# Download the plain-text IP list and convert it to CDB format (one "key:" per line)
set -euo pipefail
curl -sfH "X-API-Key: <KEY>" \
  https://api.vspam.org/api/v1/feeds/txt \
  | awk 'NF && $1 !~ /^#/ {print $1":"}' > /var/ossec/etc/lists/vspam-iocs
# CDB lists are compiled when the manager starts, so restart it to load the new file
/var/ossec/bin/wazuh-control restart

# --- Declare the list in ossec.conf, then reference it from etc/rules/local_rules.xml ---
# <ruleset>
#   <list>etc/lists/vspam-iocs</list>
# </ruleset>
#
# <rule id="100200" level="10">
#   <if_sid>5710</if_sid>
#   <list field="srcip" lookup="address_match_key">etc/lists/vspam-iocs</list>
#   <description>Connection from vspam.org listed IP</description>
# </rule>

# Cron: run every 15 minutes
# */15 * * * * /etc/wazuh/scripts/update-vspam-cdb.sh

IBM QRadar
Use QRadar's reference set API or TAXII connector to ingest vspam.org indicators.
- Create a reference set for vspam.org IOCs in QRadar
- Schedule a script to populate the reference set from the CSV feed
- Create custom rules that trigger on reference set matches
#!/bin/bash
# /opt/scripts/vspam-qradar-sync.sh: populate a QRadar reference set from the vspam.org CSV feed
set -euo pipefail
QRADAR="https://qradar.internal/api"
TOKEN="<QRADAR_TOKEN>"
REF_SET="vspam_malicious_ips"
# Download IOCs: drop the CSV header, take the indicator column, keep only dotted-quad values
curl -sfH "X-API-Key: <VSPAM_KEY>" \
  https://api.vspam.org/api/v1/feeds/csv \
  | tail -n +2 | cut -d',' -f2 | grep -E '^[0-9]+(\.[0-9]+){3}$' \
  | while read -r ip; do
      # QRadar takes the new member as the 'value' query parameter on the set's URL.
      # Keep TLS verification on (no -k): trust the QRadar CA on this host instead.
      curl -sf -X POST "$QRADAR/reference_data/sets/$REF_SET?value=$ip" \
        -H "SEC: $TOKEN" -o /dev/null
    done

# Schedule: */15 * * * * /opt/scripts/vspam-qradar-sync.sh

For threat intelligence platform ingestion (OpenCTI, MISP, Cortex XSOAR), see the Threat Intel Platforms guide. Full API reference at API Documentation.
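The "map STIX indicator objects" step in the Splunk section and the "convert to CDB list format" step in the Wazuh section both need the indicator values pulled out of feed objects. The following is an added example, not vspam.org code: it flattens a TAXII 2.1 objects page into validated, deduplicated rows and renders the IP rows as a Wazuh CDB list. The sample page, its indicator IDs and the values in it are constructed.

```python
import ipaddress
import json
import re

# Constructed sample TAXII 2.1 objects page (not real vspam.org data); IDs are placeholders.
SAMPLE_TAXII_PAGE = json.dumps({"objects": [
    {"type": "indicator", "id": "indicator--aaaa", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.7']"},
    {"type": "indicator", "id": "indicator--bbbb", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'phish.example' OR url:value = 'http://phish.example/login']"},
    {"type": "indicator", "id": "indicator--cccc", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '999.0.113.1']"},  # malformed address: must be dropped
    {"type": "indicator", "id": "indicator--dddd", "pattern_type": "snort",
     "pattern": 'alert tcp any any -> any 80 (msg:"x";)'},  # not a STIX pattern: skipped
    {"type": "malware", "id": "malware--eeee", "name": "loader"},  # not an indicator: skipped
]})

# One "object-path = 'value'" comparison inside a STIX pattern; AND/OR and brackets are ignored.
COMPARISON = re.compile(r"(ipv4-addr|ipv6-addr|domain-name|url):value\s*=\s*'((?:[^'\\]|\\.)*)'")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)

def _valid(kind: str, value: str) -> bool:
    """Reject malformed values so one bad feed row cannot poison the SIEM lookup."""
    if kind in ("ipv4-addr", "ipv6-addr"):
        try:
            return ipaddress.ip_address(value).version == (4 if kind == "ipv4-addr" else 6)
        except ValueError:
            return False
    if kind == "domain-name":
        return bool(DOMAIN_RE.match(value))
    return value.lower().startswith(("http://", "https://"))  # url

def extract_indicators(taxii_json: str) -> list[dict]:
    """Flatten a TAXII 2.1 objects page into deduplicated {type, value, source_id} rows."""
    rows, seen = [], set()
    for obj in json.loads(taxii_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for kind, value in COMPARISON.findall(obj.get("pattern", "")):
            value = value.replace("\\'", "'").strip()
            if (kind, value) in seen or not _valid(kind, value):
                continue
            seen.add((kind, value))
            rows.append({"type": kind, "value": value, "source_id": obj["id"]})
    return rows

def to_wazuh_cdb(rows: list[dict]) -> str:
    """Render IP indicators as 'key:' lines, the CDB list format address_match_key expects."""
    return "".join(f"{r['value']}:\n" for r in rows if r["type"] in ("ipv4-addr", "ipv6-addr"))
```

Write the CDB output to /var/ossec/etc/lists/vspam-iocs in place of the awk step above; the domain and URL rows can feed a separate list or the Splunk lookup.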