Skip to main content

Threat Feeds API

The Threat Feeds API provides a plain text feed of IP addresses and IP ranges from block rules (threats). Countries and ASNs are automatically resolved to IP ranges, making it suitable for integration with firewalls, intrusion detection systems, and other security tools.

Base URL

https://api.gen0sec.com

Authentication

The API supports two authentication methods:

Bearer Token Authentication

Authorization: Bearer <your-api-key>

Basic Authentication

Basic Authentication uses HTTP Basic Auth with:

  • Username: api (literal string)
  • Password: Your API key

The credentials are base64-encoded in the format api:your-api-key.

Manual Encoding:

# Encode credentials manually
echo -n "api:your-api-key" | base64
# Output: YXBpOnlvdXItYXBpLWtleQ==

Using cURL:

cURL automatically handles Basic Auth encoding when using the -u flag:

curl -u "api:your-api-key" "https://api.gen0sec.com/v1/threat/feeds"

Using Authorization Header:

# Base64 encode: api:your-api-key
Authorization: Basic YXBpOnlvdXItYXBpLWtleQ==

Endpoints

Get Threat Feed

Retrieve a flat list of IP addresses and IP ranges from block rules (threats).

Endpoint: GET /v1/threat/feeds

Response Format: Plain text (text/plain)

Response Content:

The response is a plain text list with one IP address or IP range per line. The feed includes:

  • Direct IP addresses from block rules (automatically normalized with /32 for IPv4 or /128 for IPv6)
  • IP ranges resolved from blocked countries
  • IP ranges resolved from blocked ASNs

All IPs are deduplicated and sorted for consistent output.

Response Example:

192.168.1.0/24
192.168.1.100/32
10.0.0.0/8
2001:db8::/32
2001:db8::1/128

Success (200):

Content-Type: text/plain; charset=utf-8

192.168.1.0/24
192.168.1.100/32
10.0.0.0/8
2001:db8::/32

Error (400):

{
  "success": false,
  "error": "Missing org_id in context",
  "details": {}
}

Error (401):

{
  "success": false,
  "error": "Unauthorized - invalid or missing API key",
  "details": {}
}

Error (500):

{
  "success": false,
  "error": "Internal server error",
  "details": {}
}

Features

  • Automatic Resolution: Countries and ASNs are automatically resolved to IP ranges using MaxMind GeoIP databases
  • Deduplication: Duplicate IP addresses and ranges are automatically removed
  • Sorted Output: IPs are sorted for consistent, predictable output
  • Caching: Responses are cached for 30 seconds to improve performance
  • IPv4 and IPv6 Support: Handles both IPv4 and IPv6 addresses and ranges

Interactive Documentation

Interactive API documentation is available at:

https://api.gen0sec.com/docs/feeds/swagger/

Example Usage

cURL with Bearer Token

curl -X GET "https://api.gen0sec.com/v1/threat/feeds" \
  -H "Authorization: Bearer your-api-key" \
  -H "Accept: text/plain"

cURL with Basic Authentication

curl -X GET "https://api.gen0sec.com/v1/threat/feeds" \
  -u "api:your-api-key" \
  -H "Accept: text/plain"

Python

Using Bearer Token:

import requests

url = "https://api.gen0sec.com/v1/threat/feeds"
headers = {
    "Authorization": "Bearer your-api-key",
    "Accept": "text/plain"
}

response = requests.get(url, headers=headers)
if response.status_code == 200:
    # Process the IP list
    ip_list = response.text.strip().split('\n')
    for ip in ip_list:
        print(f"Block IP: {ip}")
else:
    print(f"Error: {response.status_code} - {response.text}")

Using Basic Auth:

import requests
from requests.auth import HTTPBasicAuth

url = "https://api.gen0sec.com/v1/threat/feeds"
response = requests.get(
    url,
    auth=HTTPBasicAuth("api", "your-api-key"),
    headers={"Accept": "text/plain"}
)

if response.status_code == 200:
    ip_list = response.text.strip().split('\n')
    for ip in ip_list:
        print(f"Block IP: {ip}")
else:
    print(f"Error: {response.status_code} - {response.text}")

Using Basic Auth with Manual Encoding:

import requests
import base64

url = "https://api.gen0sec.com/v1/threat/feeds"
api_key = "your-api-key"

# Encode credentials
credentials = f"api:{api_key}"
encoded = base64.b64encode(credentials.encode()).decode()

headers = {
    "Authorization": f"Basic {encoded}",
    "Accept": "text/plain"
}

response = requests.get(url, headers=headers)
if response.status_code == 200:
    ip_list = response.text.strip().split('\n')
    for ip in ip_list:
        print(f"Block IP: {ip}")

Go

Using Bearer Token:

package main

import (
    "bufio"
    "fmt"
    "net/http"
    "strings"
)

func main() {
    url := "https://api.gen0sec.com/v1/threat/feeds"

    req, _ := http.NewRequest("GET", url, nil)
    req.Header.Set("Authorization", "Bearer your-api-key")
    req.Header.Set("Accept", "text/plain")

    client := &http.Client{}
    resp, _ := client.Do(req)
    defer resp.Body.Close()

    scanner := bufio.NewScanner(resp.Body)
    for scanner.Scan() {
        ip := strings.TrimSpace(scanner.Text())
        if ip != "" {
            fmt.Printf("Block IP: %s\n", ip)
        }
    }
}

Using Basic Auth:

package main

import (
    "bufio"
    "encoding/base64"
    "fmt"
    "net/http"
    "strings"
)

func main() {
    url := "https://api.gen0sec.com/v1/threat/feeds"
    apiKey := "your-api-key"

    req, _ := http.NewRequest("GET", url, nil)

    // Encode credentials for Basic Auth
    credentials := fmt.Sprintf("api:%s", apiKey)
    encoded := base64.StdEncoding.EncodeToString([]byte(credentials))
    req.Header.Set("Authorization", fmt.Sprintf("Basic %s", encoded))
    req.Header.Set("Accept", "text/plain")

    client := &http.Client{}
    resp, _ := client.Do(req)
    defer resp.Body.Close()

    scanner := bufio.NewScanner(resp.Body)
    for scanner.Scan() {
        ip := strings.TrimSpace(scanner.Text())
        if ip != "" {
            fmt.Printf("Block IP: %s\n", ip)
        }
    }
}

Bash Script for Firewall Integration

Using Bearer Token:

#!/bin/bash

# Fetch threat feed
THREAT_FEED=$(curl -s -X GET "https://api.gen0sec.com/v1/threat/feeds" \
  -H "Authorization: Bearer your-api-key" \
  -H "Accept: text/plain")

# Process each IP/range
echo "$THREAT_FEED" | while read -r ip_range; do
    if [ -n "$ip_range" ]; then
        # Add to firewall rules (example for iptables)
        # iptables -A INPUT -s "$ip_range" -j DROP
        echo "Blocking: $ip_range"
    fi
done

Using Basic Auth:

#!/bin/bash

API_KEY="your-api-key"

# Fetch threat feed using Basic Auth
THREAT_FEED=$(curl -s -X GET "https://api.gen0sec.com/v1/threat/feeds" \
  -u "api:${API_KEY}" \
  -H "Accept: text/plain")

# Process each IP/range
echo "$THREAT_FEED" | while read -r ip_range; do
    if [ -n "$ip_range" ]; then
        # Add to firewall rules (example for iptables)
        # iptables -A INPUT -s "$ip_range" -j DROP
        echo "Blocking: $ip_range"
    fi
done

Use Cases

Firewall Integration

Use the feed to automatically update firewall rules:

Using Bearer Token:

# Download feed
curl -X GET "https://api.gen0sec.com/v1/threat/feeds" \
  -H "Authorization: Bearer your-api-key" \
  -o /tmp/threat-feeds.txt

# Update firewall rules (example)
while IFS= read -r ip_range; do
    iptables -A INPUT -s "$ip_range" -j DROP
done < /tmp/threat-feeds.txt

Using Basic Auth:

# Download feed using Basic Auth
curl -X GET "https://api.gen0sec.com/v1/threat/feeds" \
  -u "api:your-api-key" \
  -o /tmp/threat-feeds.txt

# Update firewall rules (example)
while IFS= read -r ip_range; do
    iptables -A INPUT -s "$ip_range" -j DROP
done < /tmp/threat-feeds.txt

Intrusion Detection Systems

Import the feed into your IDS/IPS:

Using Bearer Token:

# Download and format for Snort
curl -X GET "https://api.gen0sec.com/v1/threat/feeds" \
  -H "Authorization: Bearer your-api-key" | \
  sed 's/^/var THREAT_IPS [/' | \
  sed 's/$/]/' > /etc/snort/threat-feeds.rules

Using Basic Auth:

# Download and format for Snort using Basic Auth
curl -X GET "https://api.gen0sec.com/v1/threat/feeds" \
  -u "api:your-api-key" | \
  sed 's/^/var THREAT_IPS [/' | \
  sed 's/$/]/' > /etc/snort/threat-feeds.rules

Scheduled Updates

Set up a cron job to regularly update your threat feeds:

# Add to crontab (runs every hour)
0 * * * * /usr/local/bin/update-threat-feeds.sh

Firewall Platform Integration

The Threat Feeds API is designed to integrate seamlessly with major firewall platforms. Below are implementation examples for popular enterprise firewalls.

Palo Alto Networks

Palo Alto Networks firewalls support Dynamic Block Lists (DBL) or External Block Lists (EBL) that can fetch threat feeds from external URLs.

Configuration Steps:

  1. Navigate to Objects > Dynamic Block List
  2. Click Add to create a new block list
  3. Configure the feed:
    • Name: Gen0Sec Threat Feed
    • Source URL: https://api.gen0sec.com/v1/threat/feeds
    • Authentication: Configure Basic Auth with username api and your API key as password

Using Basic Auth:

# Test the feed URL first
curl -u "api:your-api-key" "https://api.gen0sec.com/v1/threat/feeds" -o /tmp/dbl.txt

# Verify the file is accessible
cat /tmp/dbl.txt

PAN-OS Configuration:

  1. Go to Objects > Dynamic Block List
  2. Click Add
  3. Enter the following:
    • Name: Gen0Sec-Threat-Feed
    • Source URL: https://api.gen0sec.com/v1/threat/feeds
    • Source Type: URL
  4. Click Test Source URL to verify connectivity
  5. Configure authentication:
    • Authentication Type: Basic
    • Username: api
    • Password: Your Gen0Sec API key

Apply to Security Policy:

  1. Navigate to Policies > Security
  2. Edit your security policy
  3. Add the Dynamic Block List to the Source or Destination field
  4. Set action to Deny

For more details, see the Palo Alto Networks documentation.

Cisco ASA FirePOWER Services

Cisco FirePOWER supports custom IP reputation feeds that can be configured through ASDM or the FirePOWER Management Center.

Configuration via ASDM:

  1. Navigate to Configuration > ASA FirePOWER Configuration > Object Management > Security Intelligence > Network Lists and Feeds
  2. Click Add Network Lists and Feeds
  3. Configure the feed:
    • Name: Gen0Sec Threat Feed
    • Type: Select Feed from dropdown
    • Feed URL: https://api.gen0sec.com/v1/threat/feeds
    • Update Frequency: Set to desired interval (e.g., every 1 minute)
    • Authentication: Configure Basic Auth with username api and your API key

Using Basic Auth:

The feed URL should include authentication. You can use Basic Auth:

# Test the feed
curl -u "api:your-api-key" "https://api.gen0sec.com/v1/threat/feeds"

Configure Security Intelligence:

  1. Navigate to Configuration > ASA FirePOWER Configuration > Policies > Access Control Policy
  2. Select the Security Intelligence tab
  3. Move Gen0Sec Threat Feed to the Blacklist column
  4. Enable logging if desired
  5. Click Store ASA FirePOWER Changes

Deploy Policy:

  1. Click Deploy and select Deploy FirePOWER Changes
  2. Monitor deployment status in Monitoring > ASA Firepower Monitoring > Task Status

Manual Feed Upload (Alternative):

If you prefer to upload a file instead:

# Download the feed
curl -u "api:your-api-key" "https://api.gen0sec.com/v1/threat/feeds" -o gen0sec-feeds.txt

# Upload via ASDM:
# 1. Navigate to Object Management > Security Intelligence > Network Lists and Feeds
# 2. Click Add Network Lists and Feeds
# 3. Type: Select "List"
# 4. Upload List: Browse and select gen0sec-feeds.txt

For more details, see the Cisco ASA FirePOWER documentation.

Fortinet FortiGate

FortiGate firewalls support External Block Lists (EBL) that can fetch threat intelligence feeds from external sources.

Configuration via Web UI:

  1. Navigate to Security Fabric > External Connectors > External Block List
  2. Click Create New
  3. Configure the feed:
    • Name: Gen0Sec Threat Feed
    • Type: IP Address
    • Source: URL
    • URL: https://api.gen0sec.com/v1/threat/feeds
    • Update Frequency: Set desired interval (e.g., 1 minute)

Authentication Configuration:

FortiGate supports HTTP Basic Authentication for external feeds:

  1. In the External Block List configuration, enable Authentication
  2. Authentication Type: Basic
  3. Username: api
  4. Password: Your Gen0Sec API key

CLI Configuration:

config system external-resource
    edit "Gen0Sec-Threat-Feed"
        set type address
        set category 0
        set resource "https://api.gen0sec.com/v1/threat/feeds"
        set username "api"
        set password "your-api-key"
        set update-interval 3600
    next
end

Apply to Firewall Policy:

  1. Navigate to Policy & Objects > Firewall Policy
  2. Edit your firewall policy
  3. In Source or Destination, add the External Block List
  4. Set action to Deny or Block

Verify Feed Status:

# Check feed status
diagnose external-resource list

# Force update
execute external-resource update Gen0Sec-Threat-Feed

For more details, see the Fortinet FortiGate documentation.

Sophos Firewall

Sophos Firewall supports third-party threat feeds that can be integrated into Active Threat Response policies.

Configuration Steps:

  1. Navigate to Threat Protection > Active Threat Response > Configure Feeds
  2. Click Add Feed
  3. Configure the feed:
    • Feed Name: Gen0Sec Threat Feed
    • Feed Type: IP Address List
    • Feed URL: https://api.gen0sec.com/v1/threat/feeds
    • Update Frequency: Set to desired interval (e.g., Every 1 minute)

Authentication:

Sophos Firewall supports HTTP Basic Authentication:

  1. In the feed configuration, enable Authentication
  2. Authentication Type: Basic
  3. Username: api
  4. Password: Your Gen0Sec API key

Apply to Active Threat Response Policy:

  1. Navigate to Threat Protection > Active Threat Response > Policies
  2. Create or edit a policy
  3. Add the Gen0Sec Threat Feed to the Blocked IPs section
  4. Configure action (Block, Drop, or Log)

CLI Configuration (Alternative):

# Configure via CLI
system threat-feed add name "Gen0Sec-Threat-Feed" \
    type ip \
    url "https://api.gen0sec.com/v1/threat/feeds" \
    username "api" \
    password "your-api-key" \
    update-interval 3600

Verify Feed:

  1. Navigate to Threat Protection > Active Threat Response > Configure Feeds
  2. Check the feed status and last update time
  3. Click Update Now to manually refresh the feed

For more details, see the Sophos Firewall documentation.

General Integration Tips

Feed Format:

The Threat Feeds API returns a plain text list with one IP address or IP range per line:

192.168.1.0/24
10.0.0.0/8
2001:db8::/32

Authentication:

All platforms support HTTP Basic Authentication:

  • Username: api (literal string)
  • Password: Your Gen0Sec API key

Update Frequency:

Recommended update intervals:

  • High-security environments: Every 15-30 minutes
  • Standard environments: Every 1-4 hours
  • Low-priority feeds: Every 12-24 hours

Testing the Feed:

Before configuring in your firewall, test the feed URL:

# Test with Basic Auth
curl -u "api:your-api-key" "https://api.gen0sec.com/v1/threat/feeds" | head -20

# Verify authentication works
curl -I -u "api:your-api-key" "https://api.gen0sec.com/v1/threat/feeds"

Monitoring:

  • Monitor feed update status in your firewall's management interface
  • Set up alerts for feed update failures
  • Review firewall logs to verify blocks are being applied
  • Check feed size and update frequency to ensure timely threat protection

Rate Limits

API rate limits apply to prevent abuse. Contact support if you need higher limits.

Caching

Responses are cached for 30 seconds. For real-time updates, consider implementing your own caching strategy or polling more frequently than the cache TTL.

Support

For API support, visit: