# Feed rules for the malwaredomains.com lists: where each archive is fetched
# from, how its lines are parsed, and what tags/confidence the extracted
# observables receive.

# Top-level parser; the `domains` feed sets its own `parser: delim`.
# Presumably this is the fallback for feeds that do not name a parser - confirm
# against the consuming tool.
parser: regex

# Presumably inherited by every feed below unless the feed sets the same key
# (registrars sets confidence 65; url_shorteners repeats 85) - TODO confirm.
defaults:
  confidence: 85
  tlp: green
  altid_tlp: white
  provider: malwaredomains.com

# NOTE(review): all three `remote` URLs use plain http://, so the archives
# arrive with no transport integrity or server authentication. Anything on the
# network path could alter the list contents before they are parsed. Whether
# these hosts offer HTTPS or publish checksums is not visible here - verify,
# and prefer an authenticated channel or an out-of-band integrity check.
feeds:
  domains:
    remote: http://malwaredomains.lehigh.edu/files/domains.zip
    parser: delim
    # Character class: splits on a tab, a literal '|', or a form feed.
    # Inside [...] the '|' is a literal, not alternation. Single quotes keep
    # the backslashes intact for the regex engine.
    pattern: '[\t|\f]'
    # Positional column mapping: the third column becomes the observable and
    # the fourth the description. The null entries presumably mark columns to
    # discard - confirm against the consuming tool.
    values:
      - null
      - null
      - observable
      - description
      - null
      - null
    tags:
      - exploit
      - malware
  registrars:
    remote: http://mirror1.malwaredomains.com/files/bulk_registrars.zip
    # Lower than the default of 85 for this feed.
    confidence: 65
    # Captures letters/hyphens, a dot, then 2-3 lowercase letters.
    # NOTE(review): the pattern is unanchored, excludes digits, and caps the
    # final label at 3 letters, so names outside that shape may be skipped or
    # captured only partially - check against the actual feed contents.
    pattern: '([a-zA-Z-]+\.[a-z]{2,3})'
    values: observable
    tags: suspicious
    description: bulk domain registration services
  url_shorteners:
    remote: http://mirror1.malwaredomains.com/files/url_shorteners.zip
    description: 'url shortening service'
    # NOTE(review): these entries are tagged `whitelist` at confidence 85 from
    # a list fetched over cleartext HTTP. If downstream consumers use this tag
    # to suppress matches, a tampered or stale list could hide detections for
    # whatever domains it contains - confirm how the tag is consumed and
    # consider reviewing additions before they take effect.
    tags: whitelist
    confidence: 85
    # Captures the first run of non-whitespace characters on each line.
    pattern: '^(\S+)'
    values: observable