We offer a handful datasets for download that may help you to spot and identify harmfull network traffic entering your network (e.g. network attacks) or leaving your network (e.g. infected machines calling out to a botnet C2). The datasets are being generated every 15 minutes. Hence you should not download it more often every 15 minutes (in fact, once per hour should be sufficent).

All data is offered "as it is" and on "best-effort". It can be used for commercial purpose (e.g. by vendors, integration in commercial products) or non-commercial purpose (e.g. to protect your home or corporate network) without any limitation. Please consider that we can not held liable for any damage caused by the use of our datasets.

Snort and Suricata are two open source network intrusion detection and preventation systems (IDS / IPS). Both systems are rule based and watch out for malicious network traffic entering and leaving your network. We offer a Snort / Suricata ruleset that will help you to detect network traffic from / to suspect networks. The ruleset is watching out for both, incoming and outgoing, network traffic (TCP or UDP).


DNS Response Policy Zone (RPZ) is a modern technique to block DNS resolution to certain IP addresses. We offer a RPZ dataset too which allows you to catch domain names that resolve to suspect networks. You can download the RPZ zone below.


You can also obtain the suspect-networks.io RPZ zone via DNS zone transfer (AXFR). The AXFR server is donated and operated by Paul Vixie and reachable as documented below.

RPZ zone: rpz.suspect-networks.io
AXFR server: (or via IPv6: 2001:559:8000::2)

You can trigger an AXFR from any IP address, for example by using the unix tool dig:

dig axfr rpz.suspect-networks.io @ns.lah1.vix.su

Further information on how to configure supsect-networks.io as a DNS Response Policy Zone (RPZ) on your local DNS server can be found in our FAQ.

We also offer plain-text datasets the following plain-text datasets: text only and CSV (Comma separated values). While the CSV conatins additional information, for example listing date and asnumber, the text only dataset does only contain the prefix listed on suspect-networks.io.

Text only CSV