MalPipe - Malware/IOC ingestion and processing engine.

MalPipe – Malware/IOC ingestion and processing engine.

MalPipe is a modular malware (and indicator) collection and processing framework. It is designed to pull malware, domains, URLs and IP addresses from multiple feeds, enrich the collected data and export the results.

MalPipe v1.0

At this time, the following feeds are supported:
+ VirusTotal (
+ MalShare (
+ BambenekFeeds (
+ FeodoBlockList (
+ Malc0deIPList (
+ NoThinkIPFeeds (
+ OpenPhishURLs (
+ TorNodes (

+ Python 2.7.x

Modules for MalPipe located under malpipe/ by type:
– Feeds
An example configuration is provided in config_example.json with settings to get started. This file contains a JSON object containing the required settings for each feed / processor / exporter.

– Processors
Processors are used to enrich/standardize the collected. For example, data from VirusTotal contains yara results for each file collected, whereas MalShare does not. By adding, YaraScan to the PROCESSORS key, you can scan the files to also include this data.

– Exporters
The final components is exporters, these control where the data goes. These can be used to export collected data to a malware repository, a SIEM, JSON Log files or printed for the user.

Use and Download: