Datasets
PassiveTotal centralizes numerous data sets into a single platform, making it easier for our community and customers to conduct infrastructure analysis. Our primary focus is to provide as much data as possible about Internet infrastructure.
Passive DNS
Passive DNS is a system of record that stores DNS resolution data for a given location, record and time period. This historical resolution data set allows analysts to view which domains resolved to an IP address and vice versa, and enables time-based correlation based on domain or IP overlap.
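The time-based correlation described above, as an added example that is not part of the original page or of PassiveTotal's own code: given passive DNS records with first/last-seen dates, it lists a domain's IP timeline and finds the domains that shared an IP with it only while it actually resolved there, so earlier or later tenants of the same shared host are not pulled in. The records, domain names and RFC 5737 documentation addresses are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Resolution:
    """One passive DNS record: `domain` resolved to `ip` between first_seen and last_seen."""
    domain: str
    ip: str
    first_seen: date
    last_seen: date

# Constructed sample data: .example names and RFC 5737 documentation addresses.
RECORDS = [
    Resolution("bad-site.example",   "192.0.2.10",   date(2021, 1, 1),  date(2021, 3, 31)),
    Resolution("second.example",     "192.0.2.10",   date(2021, 2, 15), date(2021, 6, 30)),
    Resolution("old-tenant.example", "192.0.2.10",   date(2020, 1, 1),  date(2020, 12, 31)),
    Resolution("bad-site.example",   "198.51.100.7", date(2021, 4, 1),  date(2021, 9, 30)),
    Resolution("third.example",      "198.51.100.7", date(2021, 5, 1),  date(2021, 5, 15)),
    Resolution("unrelated.example",  "203.0.113.5",  date(2021, 1, 1),  date(2021, 12, 31)),
]

def windows_overlap(a: Resolution, b: Resolution) -> bool:
    """True if the two resolution windows share at least one day."""
    return a.first_seen <= b.last_seen and b.first_seen <= a.last_seen

def ip_timeline(records, domain):
    """Ordered (first_seen, last_seen, ip) hops for one domain: where it pointed and when."""
    return sorted((r.first_seen, r.last_seen, r.ip) for r in records if r.domain == domain)

def co_resolving_domains(records, seed_domain):
    """Domains that shared an IP with seed_domain *while* the seed resolved there.
    Requiring the time overlap filters out earlier/later tenants of shared hosting,
    which a plain same-IP pivot would wrongly pull in. Returns {domain: {ip, ...}}."""
    seed = [r for r in records if r.domain == seed_domain]
    hits = {}
    for s in seed:
        for r in records:
            if r.domain != seed_domain and r.ip == s.ip and windows_overlap(s, r):
                hits.setdefault(r.domain, set()).add(r.ip)
    return hits

if __name__ == "__main__":
    for hop in ip_timeline(RECORDS, "bad-site.example"):
        print(hop)
    print(co_resolving_domains(RECORDS, "bad-site.example"))
```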
WHOIS
A protocol that lets anyone query for information about a domain, IP address, or subnet. One of the most common functions for WHOIS in threat infrastructure research is to identify or connect disparate entities based on unique data shared within the WHOIS record content.
SSL Certificates
SSL certificates are files that digitally bind a cryptographic key to a set of user-provided details. Using Internet-scanning techniques, PassiveTotal collects SSL certificate associations from IP addresses on various ports. These certificates are stored in a local database and allow us to build a timeline of where a given SSL certificate appeared on the Internet.
Malware
Malicious software used in attacks or found on the Internet. Malware outlines the capabilities, intent and motives of an attacker and aids in connecting back to infrastructure.
Open Source Intelligence
Long- and short-form reporting developed by individuals and companies, combined with data feeds of known bad infrastructure. This data set provides context on the actors, campaigns or malicious infrastructure.
Trackers
Trackers are unique codes or values found within web pages and often used to track user interaction. These codes can be used to correlate a disparate group of websites to a central entity.
Our tracker data set includes IDs from providers like Google, Yandex, Mixpanel, New Relic and Clicky, and continues to grow on a regular basis.
Host Pairs
Host pairs are two domains (a parent and a child) that were observed sharing a connection during a RiskIQ crawl. The connection could range from a top-level redirect (HTTP 302) to something more complex like an iframe or script source reference.