Merge pull request #303 from HiS3/add_shadowserver_list

adulau · web-flow · commit 4df816bd8a3e · 2025-08-27T06:26:38.000+02:00
add new list: List of Shadowserver IP-Ranges.
diff --git a/README.md b/README.md
@@ -79,6 +79,7 @@ are reused in many other open source projects.
 - [rfc6598/list.json](./lists/rfc6598/list.json) - **List of RFC 6598 CIDR blocks** - _Event contains one or more entries part of the Shared Address Space CIDR blocks (RFC 6598)_
 - [rfc6761/list.json](./lists/rfc6761/list.json) - **List of RFC 6761 Special-Use Domain Names** - _Event contains one or more entries part of the Special-Use Domain Names (RFC 6761)_
 - [second-level-tlds/list.json](./lists/second-level-tlds/list.json) - **Second level TLDs as known by Mozilla Foundation** - _Event contains one or more second level TLDs as attribute with an IDS flag set._
+- [shadowserver/list.json](./shadowserver/list.json) - **List of Shadowserver IP-Ranges. Potentially associated with Shadowserver scans.**  - Event contains public IPv4 and IPv6 addresses belonging to AS22168 - The Shadowserver Foundation, Inc.
 - [security-provider-blogpost/list.json](./lists/security-provider-blogpost/list.json) - **List of known security providers/vendors blog domain** - _Event contains one or more entries of known security providers/vendors blog domain with an IDS flag set_
 - [sinkholes/list.json](./lists/sinkholes/list.json) - **List of known sinkholes** - _List of known sinkholes_
 - [smtp-receiving-ips/list.json](./lists/smtp-receiving-ips/list.json) - **List of known SMTP receiving IP addresses** - _List of IP addresses for known SMTP servers._
diff --git a/lists/shadowserver/list.json b/lists/shadowserver/list.json
@@ -0,0 +1,42 @@
+{
+  "description": "List of Shadowserver IP-Ranges. Potentially associated with Shadowserver scans. based on [https://bgp.he.net/search?search%5Bsearch%5D=shadowserver&commit=Search]",
+  "list": [
+    "108.165.44.0/24",
+    "146.19.20.0/24",
+    "154.16.223.0/24",
+    "154.16.230.0/24",
+    "154.16.240.0/24",
+    "154.16.250.0/24",
+    "154.9.2.0/23",
+    "162.249.64.0/21",
+    "166.0.195.0/24",
+    "179.61.168.0/24",
+    "181.214.234.0/24",
+    "181.214.245.0/24",
+    "181.214.62.0/24",
+    "181.214.90.0/24",
+    "181.215.138.0/24",
+    "181.215.145.0/24",
+    "181.215.208.0/24",
+    "181.41.192.0/24",
+    "185.181.1.0/24",
+    "185.91.204.0/24",
+    "191.101.103.0/24",
+    "191.96.127.0/24",
+    "191.96.20.0/24",
+    "191.96.22.0/24",
+    "2001:550:d0c::/48",
+    "45.143.160.0/24",
+    "50.114.88.0/24"
+  ],
+  "matching_attributes": [
+    "ip-src",
+    "ip-dst",
+    "domain|ip",
+    "ip-dst|port",
+    "ip-src|port"
+  ],
+  "name": "Shadowserver IP-Ranges, pot. used for Scanning",
+  "type": "cidr",
+  "version": 1
+}
