misp-warninglist

misp-warninglists are lists of well-known indicators that can be associated to potential false positives, errors or mistakes.

Warning lists are integrated into MISP to display an informational or warning box at both the event and attribute levels whenever matching indicators are found in one of the lists.

These lists are also used at the API level to help filter potential false positives. In MISP, warning lists can be enabled or disabled globally, depending on an organization’s practices. They are also reused by many other open-source projects.

There is also a standalone software project called misp-feedback, which is designed to use warning lists, expose an API for other services, and provide a command-line interface.

lists

• akamai/list.json - List of known Akamai IP ranges - Akamai IP ranges from BGP search
• alexa/list.json - Top 1000 website from Alexa - Event contains one or more entries from the top 1000 of the most used website (Alexa).
• alphastrike-research-nt-scanning/list.json - Alphastrike research IP Ranges Used for Scanning - List containing IP’s associated with the Alphastrike research scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2026/03/13
• alphastrike-scanning/list.json - Alpha Strike Labs IP Ranges Used for Scanning - List containing IP ranges associated with Alpha Strike Labs scanning infrastructure. Alpha Strike Labs GmbH (AS208843) operates legitimate security research and internet-wide scanning services [https://ipinfo.io/AS208843]
• amazon-aws/list.json - List of known Amazon AWS IP address ranges - Amazon AWS IP address ranges (https://ip-ranges.amazonaws.com/ip-ranges.json)
• apple/list.json - List of known Apple IP ranges - IP ranges assigned to Apple
• automated-malware-analysis/list.json - List of known domains used by automated malware analysis services & security vendors - Domains used by automated malware analysis services & security vendors
• bank-website/list.json - List of known bank domains - Event contains one or more entries of known banking website
• bufferover-nt-scanning/list.json - Bufferover IP Ranges Used for Scanning - List containing IP’s associated with the Bufferover scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2026/03/13
• captive-portals/list.json - Captive Portal Detection Hostnames - Hostnames used by different desktop and mobile device operating systems for captive portal detection as documented by the Wireless Broadband Alliance.
• censys-scanning/list.json - Censys IP Ranges Used for Scanning - List containing IP’s associated with Censys scanning [https://support.censys.io/hc/en-us/articles/360043177092-Opt-Out-of-Data-Collection#Can_I_opt_out_of_Censys_data_collection?]
• check-host-net/list.json - List of known check-host.net IP address ranges - check-host IP addresses (https://check-host.net/nodes/ips)
• cisco_top1000/list.json - Top 1000 websites from Cisco Umbrella - Event contains one or more entries from the top 1000 of the most used websites (Cisco Umbrella).
• cisco_top10k/list.json - Top 10 000 websites from Cisco Umbrella - Event contains one or more entries from the top 10 000 of the most used websites (Cisco Umbrella).
• cisco_top20k/list.json - Top 20 000 websites from Cisco Umbrella - Event contains one or more entries from the top 20 000 of the most used websites (Cisco Umbrella).
• cisco_top5k/list.json - Top 5000 websites from Cisco Umbrella - Event contains one or more entries from the top 5000 of the most used websites (Cisco Umbrella).
• cloudflare/list.json - List of known Cloudflare IP ranges - List of known Cloudflare IP ranges (https://www.cloudflare.com/ips/)
• coalition-signals-intelligence-nt-scanning/list.json - Coalition signals intelligence IP Ranges Used for Scanning - List containing IP’s associated with the Coalition signals intelligence scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2026/03/13
• common-contact-emails/list.json - Common contact e-mail addresses - A list of commonly used abuse and contact e-mail addresses, including the ones denoted in RFC2142.
• common-ioc-false-positive/list.json - List of known hashes with common false-positives (based on Florian Roth input list) - Event contains one or more entries with common false-positives
• covid-19-cyber-threat-coalition-whitelist/list.json - Covid-19 Cyber Threat Coalition’s Whitelist - The Cyber Threat Coalition’s whitelist of COVID-19 related websites.
• covid-19-krassi-whitelist/list.json - Covid-19 Krassi’s Whitelist - Krassimir’s Covid-19 whitelist of known good Covid-19 related websites.
• covid/list.json - Valid covid-19 related domains - Maintained using different lists (such as Jaime Blasco’s and Krassimir’s lists).
• crl-hostname/list.json - CRL and OCSP domains - Domains that belongs to CRL or OCSP
• crl-ip/list.json - CRL and OCSP IP addresses - IP addresses that belongs to CRL or OCSP
• cybergreen-nt-scanning/list.json - Cybergreen IP Ranges Used for Scanning - List containing IP’s associated with the Cybergreen scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2025/12/10
• cyberresilience-nt-scanning/list.json - Cyberresilience IP Ranges Used for Scanning - List containing IP’s associated with the Cyberresilience scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2026/03/13
• cypex-nt-scanning/list.json - Cypex IP Ranges Used for Scanning - List containing IP’s associated with the Cypex scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2026/03/13
• dax30/list.json - List of known dax30 webpages - Event contains one or more entries of known dax30 webpages
• digitalside/list.json - OSINT.DigitalSide.IT Warning List - OSINT DigitalSide Threat-Intel Repository - MISP Warninglist - List of domains should be marked as false positive in the related MISP event with IDS attribute not flagged
• disposable-email/list.json - List of disposable email domains - List of disposable email domains
• dynamic-dns/list.json - List of known dynamic DNS domains - Event contains one or more entries of known dynamic DNS domains.
• eicar.com/list.json - List of hashes for EICAR test virus - Event contains one or more entries based on hashes for EICAR test virus
• empty-hashes/list.json - List of known hashes for empty files - Event contains one or more entries of empty files based on known hashed
• f6-nt-scanning/list.json - F6 IP Ranges Used for Scanning - List containing IP’s associated with the F6 scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2026/03/13
• fastly/list.json - List of known Fastly IP address ranges - Fastly IP address ranges (https://api.fastly.com/public-ip-list)
• findip-host/list.json - List of known hostname used for querying your source IP. This can be used as exclusion for your Passive DNS lookup. - Event contains one or more entries of known hostname querying your source IP.
• github/list.json - List of known GitHub IP ranges (https://api.github.com/meta) - GitHub IP address ranges (https://api.github.com/meta)
• google-chrome-crux-1million/list.json - google-chrome-crux-1million - Cached Chrome Top Million Websites - top 1 million
• google-gcp/list.json - List of known GCP (Google Cloud Platform) IP address ranges - GCP (Google Cloud Platform) IP address ranges (https://www.gstatic.com/ipranges/cloud.json)
• google-gmail-sending-ips/list.json - List of known Gmail sending IP ranges - List of known Gmail sending IP ranges (https://support.google.com/a/answer/27642?hl=en)
• google/list.json - List of known google domains - Event contains one or more entries of known google domains
• googlebot/list.json - List of known Googlebot IP ranges (https://developers.google.com/search/apis/ipranges/googlebot.json) - Google Bot IP address ranges (https://developers.google.com/search/apis/ipranges/googlebot.json)
• internet-census-nt-scanning/list.json - Internet census IP Ranges Used for Scanning - List containing IP’s associated with the Internet census scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2026/03/13
• intrinsec-nt-scanning/list.json - Intrinsec IP Ranges Used for Scanning - List containing IP’s associated with the Intrinsec scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2026/03/13
• ipinfo-nt-scanning/list.json - Ipinfo IP Ranges Used for Scanning - List containing IP’s associated with the Ipinfo scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2026/03/13
• ipip-nt-scanning/list.json - Ipip IP Ranges Used for Scanning - List containing IP’s associated with the Ipip scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2026/03/13
• ipv6-linklocal/list.json - List of IPv6 link local blocks - Event contains one or more entries part of the IPv6 link local prefix (RFC 4291)
• link-in-bio/list.json - List of known link in Bio domains - Event contains one or more entries of known Link in bio domains. Those shorten links are a reference to a list of links.
• lots-project/list.json - List of LOTS (Living Off Trusted Sites) Project Domains - List of popular legitimate domains from LOTS (Living Off Trusted Sites) Project used to conduct phishing, C&C, exfiltration or downloading tools to evade detection
• majestic_million/list.json - Top 10000 websites from Majestic Million - Event contains one or more entries from the top 10K of the most used websites (Majestic Million).
• microsoft-attack-simulator/list.json - List of known Office 365 Attack Simulator used for phishing awareness campaigns - Office 365 URLs and IP address ranges used for their attack simulator in Office 365 Threat Intelligence
• microsoft-azure-appid/list.json - List of Azure Applicaiton IDs - List of Azure Application IDs (https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in)
• microsoft-azure-china/list.json - List of known Microsoft Azure China Datacenter IP Ranges - Microsoft Azure China Datacenter IP Ranges
• microsoft-azure-germany/list.json - List of known Microsoft Azure Germany Datacenter IP Ranges - Microsoft Azure Germany Datacenter IP Ranges
• microsoft-azure-us-gov/list.json - List of known Microsoft Azure US Government Cloud Datacenter IP Ranges - Microsoft Azure US Government Cloud Datacenter IP Ranges
• microsoft-azure/list.json - List of known Microsoft Azure Datacenter IP Ranges - Microsoft Azure Datacenter IP Ranges
• microsoft-office365-cn/list.json - List of known Office 365 IP address ranges in China - Office 365 IP address ranges in China
• microsoft-office365-ip/list.json - List of known Office 365 IP address ranges - Office 365 IP address ranges
• microsoft-office365/list.json - List of known Office 365 URLs - Office 365 URLs and IP address ranges
• microsoft-win10-connection-endpoints/list.json - List of known Windows 10 connection endpoints - Event contains one or more entries of known Windows 10 connection endpoints (https://docs.microsoft.com/en-us/windows/privacy/manage-windows-endpoints)
• microsoft/list.json - List of known microsoft domains - Event contains one or more entries of known microsoft domains
• modat-nt-scanning/list.json - Modat IP Ranges Used for Scanning - List containing IP’s associated with the Modat scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2026/03/13
• modat-scanner/list.json - List of published IP address ranges for Modat Scanner - Modat Scanner (https://www.modat.io/)
• moz-top500/list.json - Top 500 domains and pages from https://moz.com/top500 - Event contains one or more entries from the top 500 of the most used domains from Moz.
• mozilla-CA/list.json - Fingerprint of trusted CA certificates - Fingerprint of trusted CA certificates taken from Mozilla’s lists at https://wiki.mozilla.org/CA
• mozilla-IntermediateCA/list.json - Fingerprint of known intermediate of trusted certificates - Fingerprint of known intermediate of trusted certificates taken from Mozilla’s lists at https://wiki.mozilla.org/CA
• multicast/list.json - List of RFC 5771 multicast CIDR blocks - Event contains one or more entries part of the RFC 5771 multicast CIDR blocks
• netsecscan-nt-scanning/list.json - Netsecscan IP Ranges Used for Scanning - List containing IP’s associated with the Netsecscan scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2025/12/10
• netsecscan-scanning/list.json - NetSecScan IP-Ranges, pot. used for Scanning - _List of NetSecScan.net scanners _
• nioc-filehash/list.json - List of known hashes for benign files - Event contains one or more benign files based on known hashes, see https://github.com/RichieB2B/nioc
• onyphe-nt-scanning/list.json - Onyphe IP Ranges Used for Scanning - List containing IP’s associated with the Onyphe scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2026/03/13
• onyphe-scanner/list.json - List of published IP address ranges for Onyphe Scanner - Onyphe Scanner (https://www.onyphe.io/)
• openai-gptbot/list.json - List of known IP address ranges for OpenAI GPT crawler bot - OpenAI gptbot crawler (https://openai.com/gptbot-ranges.txt)
• ovh-cluster/list.json - List of known Ovh Cluster IP - OVH Cluster IP address (https://docs.ovh.com/fr/hosting/liste-des-adresses-ip-des-clusters-et-hebergements-web/)
• palo-alto-networks-cortex-xpanse/list.json - List of known IP address ranges for Palo Alto Networks Cortex Xpanse - Palo Alto Networks Cortex Xpanse (https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity)
• parking-domain-ns/list.json - Parking domains name server - List of parking domain’s name server
• parking-domain/list.json - Parking domains - List of parking domain’s ip adresses
• phone_numbers/list.json - Unattributed phone number. - Numbers that cannot be attributed because they reserved for different purposes.
• probethenet-nt-scanning/list.json - Probethenet IP Ranges Used for Scanning - List containing IP’s associated with the Probethenet scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2026/03/13
• public-dns-hostname/list.json - List of known public DNS resolvers expressed as hostname - Event contains one or more public DNS resolvers (expressed as hostname) as attribute with an IDS flag set
• public-dns-v4/list.json - List of known IPv4 public DNS resolvers - Event contains one or more public IPv4 DNS resolvers as attribute with an IDS flag set
• public-dns-v6/list.json - List of known IPv6 public DNS resolvers - Event contains one or more public IPv6 DNS resolvers as attribute with an IDS flag set
• public-ipfs-gateways/list.json - List of known public IPFS gateways - Event contains one or more entries of known public IPFS gateways
• rapid7-nt-scanning/list.json - Rapid7 IP Ranges Used for Scanning - List containing IP’s associated with the Rapid7 scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2026/03/13
• research-scanner-nt-scanning/list.json - Research scanner IP Ranges Used for Scanning - List containing IP’s associated with the Research scanner scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2026/03/13
• rfc1918/list.json - List of RFC 1918 CIDR blocks - Event contains one or more entries part of the private network CIDR blocks (RFC 1918)
• rfc3849/list.json - List of RFC 3849 CIDR blocks - Event contains one or more entries part of the IPv6 documentation prefix (RFC 3849)
• rfc5735/list.json - List of RFC 5735 CIDR blocks - Event contains one or more entries part of the Special Use IPv4 Addresses CIDR blocks (RFC 5735)
• rfc6598/list.json - List of RFC 6598 CIDR blocks - Event contains one or more entries part of the Shared Address Space CIDR blocks (RFC 6598)
• rfc6761/list.json - List of RFC 6761 Special-Use Domain Names - Event contains one or more entries part of the Special-Use Domain Names (RFC 6761)
• second-level-tlds/list.json - Second level TLDs as known by Mozilla Foundation - Event contains one or more second level TLDs as attribute with an IDS flag set.
• security-provider-blogpost/list.json - List of known security providers/vendors blog domain - Event contains one or more entries of known security providers/vendors blog domain with an IDS flag set
• shadowforce-nt-scanning/list.json - Shadowforce IP Ranges Used for Scanning - List containing IP’s associated with the Shadowforce scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2026/03/13
• shadowforce-scanning/list.json - Shadowforce IP-Ranges, pot. used for Scanning - _List of shadowforce.io scanners _
• shadowserver-nt-scanning/list.json - Shadowserver IP Ranges Used for Scanning - List containing IP’s associated with the Shadowserver scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2026/03/13
• shadowserver/list.json - Shadowserver IP-Ranges, pot. used for Scanning - List of Shadowserver IP-Ranges. Potentially associated with Shadowserver scans. based on [https://bgp.he.net/search?search%5Bsearch%5D=shadowserver&commit=Search]
• shodan-nt-scanning/list.json - Shodan IP Ranges Used for Scanning - List containing IP’s associated with the Shodan scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2026/03/13
• shodan-scanning/list.json - Shodan IP-Ranges, pot. used for Scanning - _List of Shodan.io scanners _
• sinkholes/list.json - List of known sinkholes - List of known sinkholes
• skipa-nt-scanning/list.json - Skipa IP Ranges Used for Scanning - List containing IP’s associated with the Skipa scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2026/03/13
• smtp-receiving-ips/list.json - List of known SMTP receiving IP addresses - List of IP addresses for known SMTP servers.
• smtp-sending-ips/list.json - List of known SMTP sending IP ranges - List of IP ranges for known SMTP servers.
• stackpath/list.json - List of known Stackpath CDN IP ranges - List of known Stackpath (Highwinds) CDN IP ranges (https://support.stackpath.com/hc/en-us/articles/360001091666-Whitelist-CDN-WAF-IP-Blocks)
• stretchoid-nt-scanning/list.json - Stretchoid IP Ranges Used for Scanning - List containing IP’s associated with the Stretchoid scanners. This scanner CIDR range is extracted from CIRCL Network Telescope analysis on 2026/03/13
• telegram-ips/list.json - List of known Telegram IP address ranges - Telegram IP address ranges (https://core.telegram.org/resources/cidr.txt)
• tenable-cloud-ipv4/list.json - List of known Tenable Cloud Sensors IPv4 - Tenable IPv4 Cloud Sensor addresses used for scanning Internet-facing infrastructure
• tenable-cloud-ipv6/list.json - List of known Tenable Cloud Sensors IPv6 - Tenable IPv6 Cloud Sensor addresses used for scanning Internet-facing infrastructure
• ti-falsepositives/list.json - Hashes that are often included in IOC lists but are false positives. - Hashes that are often included in IOC lists but are false positives.
• tlds/list.json - TLDs as known by IANA - Event contains one or more TLDs as attribute with an IDS flag set
• tranco/list.json - Top 1,000,000 most-used sites from Tranco - Event contains one or more entries from the top 1,000,000 most-used sites (https://tranco-list.eu/).
• tranco10k/list.json - Top 10K most-used sites from Tranco - Event contains one or more entries from the top 10K most-used sites (https://tranco-list.eu/).
• umbrella-blockpage-hostname/list.json - cisco-umbrella-blockpage-hostname - Umbrella blockpage hostnames
• umbrella-blockpage-v4/list.json - cisco-umbrella-blockpage-ipv4 - Cisco Umbrella blockpage in IPv4
• umbrella-blockpage-v6/list.json - cisco-umbrella-blockpage-ipv6 - Cisco Umbrella blockpage in IPv6
• university_domains/list.json - University domains - List of University domains from https://raw.githubusercontent.com/Hipo/university-domains-list/master/world_universities_and_domains.json
• url-shortener/list.json - List of known URL Shorteners domains - Event contains one or more entries of known Shorteners domains
• vpn-ipv4/list.json - Specialized list of vpn-ipv4 addresses belonging to common VPN providers and datacenters - Specialized list of vpn-ipv4 addresses belonging to common VPN providers and datacenters
• vpn-ipv6/list.json - Specialized list of IPv6 addresses belonging to common VPN providers and datacenters - Specialized list of IPv6 addresses belonging to common VPN providers and datacenters
• whats-my-ip/list.json - List of known domains to know external IP - Event contains one or more entries of known ‘what’s my ip’ domains
• wikimedia/list.json - List of known Wikimedia address ranges - Wikimedia address ranges (http://noc.wikimedia.org/conf/reverse-proxy.php.txt)
• windows-binary-hashes/list.json - List of known hashes for Windows binaries - List of known Windows binaries based on hashes from winbindex (https://github.com/m417z/winbindex)
• zscaler/list.json - List of known Zscaler IP address ranges - Zscaler IP address ranges (https://config.zscaler.com/api/zscaler.net/hubs/cidr/json/recommended)

Format of a warning list

{
  "name": "List of known public DNS resolvers",
  "version": 1,
  "description": "Event contains one or more public DNS resolvers as attribute with an IDS flag set",
  "matching_attributes": [
    "ip-src",
    "ip-dst"
  ],
  "list": [
    "8.8.8.8",
    "8.8.4.4",
    "208.67.222.222",
    "208.67.220.220",
    "195.46.39.39",
    "195.46.39.40"
  ]
}

If matching_attributes are not set, the list is matched against any type of attributes.

type of warning list

• string (default) - perfect match of a string in the warning list against matching attributes
• substring - substring matching of a string in the warning list against matching attributes
• hostname - hostname matching (e.g. domain matching from URL) of a string in the warning list against matching attributes
• cidr - IP or CDIR block matching in the warning list against matching attributes
• regex - regex matching of a string matching attributes

Processing warning lists in python

See PyMISPWarningLists for a python interface to warning lists.

Using warning lists in Earthly builds

Lists are exposed to Earthly builds through the target export-lists. Earthfiles can directly reference them in their copy statements as follows:

COPY github.com/MISP/misp-warninglists[:commit]+export-lists/lists/<list-name>/list.json ./

License

MISP warning-lists are licensed under CC0 1.0 Universal (CC0 1.0) - Public Domain Dedication. If a specific author of a warning-list (or associated source) wants to license it under a different license, a pull request can be requested.