The InfoSec community is highly active on Twitter. Among other things, the platform is used for sharing malware and phishing URLs through the #opendir hashtag. These are very useful for correlating with DNS traffic, but they are not often used that way because Twitter feeds are difficult to interpret in an automated manner. This post goes into how Twitter can be used as a threat intelligence feed.
I’ve written a small program that receives a stream of tweets containing URLs written with ‘hxxp://’ and ‘hxxps://’. This is the format malicious URLs are often shared in, so that users don't accidentally click on them. The program retrieves these tweets, parses the Twitter response and extracts the malicious URLs. The feed is available at twitter.threatintel.rocks and is made to be interpreted by machines.
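To make the extraction step concrete, here is an added example (it is not the author's program and not the code behind twitter.threatintel.rocks). It takes a JSON list of tweets, pulls out every ‘hxxp://’ and ‘hxxps://’ URL, reverses the defanging so the hostnames can be matched against DNS logs, and then runs that match over a few DNS query lines. The tweet field names (`id`, `user`, `text`), the DNS log format and all URLs, users and timestamps are constructed for this example; the real feed's layout is not shown on the page.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample in the shape this example assumes for the feed:
# a JSON list of objects with "id", "user" and "text". Every URL, user
# and id below is made up.
SAMPLE_FEED = json.dumps([
    {"id": "1", "user": "analyst_one",
     "text": "#opendir hxxp://example[.]com/loader/ dropping stuff"},
    {"id": "2", "user": "analyst_two",
     "text": "phish kit hxxps://login-example[.]net/wp-includes/x.php #phishing"},
    {"id": "3", "user": "analyst_three",
     "text": "no defanged url here, just https://twitter.com/ chatter"},
])

# Constructed DNS resolver log lines (assumed "query=<name>" format).
SAMPLE_DNS_LOG = [
    "2024-01-01T10:00:00Z client=10.0.0.5 query=example.com type=A",
    "2024-01-01T10:00:01Z client=10.0.0.7 query=www.legit.example type=A",
    "2024-01-01T10:00:02Z client=10.0.0.9 query=login-example.net type=A",
]

# Only defanged schemes are of interest: a plain http(s) link in a tweet is
# usually a reference, not a shared indicator.
DEFANGED_URL_RE = re.compile(r"hxxps?://[^\s\"'<>]+", re.IGNORECASE)


def refang(url):
    """Undo common defanging so the URL can be parsed and matched:
    hxxp -> http, and [.] / (.) / {.} -> . Trailing sentence punctuation
    that the regex swallowed is stripped."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    url = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", url)
    return url.rstrip(".,;)")


def extract_indicators(feed_json):
    """Return one record per distinct defanged URL found in the feed,
    keeping the tweet id and user so an analyst can trace the source."""
    indicators, seen = [], set()
    for tweet in json.loads(feed_json):
        for raw in DEFANGED_URL_RE.findall(tweet.get("text", "")):
            url = refang(raw)
            host = urlsplit(url).hostname
            if not host or url in seen:
                continue
            seen.add(url)
            indicators.append({
                "tweet_id": tweet.get("id"),
                "user": tweet.get("user"),
                "url": url,
                "host": host.lower(),
            })
    return indicators


def correlate_dns(indicators, dns_log_lines):
    """Return the DNS log lines whose queried name matches an indicator
    host exactly; a hit means a client on the network resolved a domain
    that was shared as malicious on Twitter."""
    hosts = {ind["host"] for ind in indicators}
    hits = []
    for line in dns_log_lines:
        m = re.search(r"query=(\S+)", line)
        if m and m.group(1).lower().rstrip(".") in hosts:
            hits.append(line)
    return hits


if __name__ == "__main__":
    inds = extract_indicators(SAMPLE_FEED)
    for ind in inds:
        print(f"{ind['host']:<20} {ind['url']} (tweet {ind['tweet_id']} by {ind['user']})")
    for hit in correlate_dns(inds, SAMPLE_DNS_LOG):
        print("DNS hit:", hit)
```

The match is on the exact queried name; in practice you would also want to match subdomains of an indicator host and to filter out well-known shared hosting domains before alerting, since many #opendir URLs live on infrastructure that also serves legitimate traffic.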
Pretty printing the feed using the jq tool, a JS