Cyber Ninja Logo
Technical Deep Dive

Implementing a FireHOL Connector for OpenCTI

September 22, 2025 10 min read Cyber Ninja Team
Implementing a FireHOL Connector for OpenCTI

Threat intelligence platforms are only as good as the data they ingest. While commercial threat feeds provide valuable indicators of compromise (IOCs), community-driven projects like FireHOL offer high-quality, frequently-updated IP blocklists that can significantly enhance your threat detection capabilities.

In this technical deep dive, we’ll explore how to build a custom connector that integrates FireHOL’s IP blocklists into OpenCTI, a powerful open-source threat intelligence platform.

What is FireHOL?

FireHOL maintains curated lists of malicious IP addresses aggregated from multiple sources including:

  • Malware C2 servers
  • Botnet controllers
  • Known attackers
  • Spam sources
  • Scanning hosts

These lists are updated frequently and are freely available, making them an excellent complement to commercial threat feeds.

What is OpenCTI?

OpenCTI (Open Cyber Threat Intelligence) is an open-source platform for managing cyber threat intelligence data. It provides:

  • Structured storage of threat data (STIX 2.1 format)
  • Relationship mapping between entities
  • Visualization and analysis tools
  • Integration with security tools via API

Why Build a Connector?

OpenCTI’s connector architecture allows automated ingestion of external threat data. A FireHOL connector:

  • Automates IP blocklist updates
  • Enriches existing threat intelligence
  • Provides context about IP reputation
  • Enables correlation with other threat data

Architecture Overview

FireHOL Repository → Connector → OpenCTI API → OpenCTI Database

                                                 Security Tools

The connector operates as a standalone service that:

  1. Periodically fetches FireHOL lists
  2. Parses IP addresses and metadata
  3. Converts to STIX 2.1 format
  4. Pushes to OpenCTI via API

Implementation

Prerequisites

  • Python 3.8+
  • OpenCTI instance with API access
  • pycti library
  • requests library

Connector Structure

from pycti import OpenCTIConnectorHelper
import requests
import time
from datetime import datetime

class FireHOLConnector:
    def __init__(self):
        self.helper = OpenCTIConnectorHelper(config)
        self.firehol_url = "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/"
        
    def fetch_blocklist(self, list_name):
        """Fetch a FireHOL blocklist"""
        url = self.firehol_url + list_name
        response = requests.get(url)
        return response.text if response.status_code == 200 else None
    
    def parse_ips(self, content):
        """Parse IP addresses from blocklist"""
        ips = []
        for line in content.split('\n'):
            line = line.strip()
            if line and not line.startswith('#'):
                ips.append(line)
        return ips
    
    def create_indicator(self, ip, list_name):
        """Create STIX indicator for IP"""
        return {
            'type': 'indicator',
            'pattern': f"[network-traffic:src_ref.value = '{ip}']",
            'pattern_type': 'stix',
            'labels': ['malicious-activity', f'firehol-{list_name}'],
            'valid_from': datetime.utcnow().isoformat(),
            'name': f'Malicious IP from FireHOL {list_name}',
        }
    
    def sync_list(self, list_name):
        """Synchronize a FireHOL list to OpenCTI"""
        content = self.fetch_blocklist(list_name)
        if not content:
            return
        
        ips = self.parse_ips(content)
        
        for ip in ips:
            indicator = self.create_indicator(ip, list_name)
            self.helper.send_stix2_bundle(indicator)
        
        print(f"Synced {len(ips)} IPs from {list_name}")

Configuration

The connector requires configuration via environment variables or config file:

opencti:
  url: 'https://opencti.yourorg.com'
  token: 'your-api-token'

connector:
  id: 'firehol-connector'
  name: 'FireHOL'
  scope: 'ipv4-addr'
  interval: 3600  # Sync every hour
  
firehol:
  lists:
    - 'firehol_level1.netset'
    - 'firehol_level2.netset'
    - 'firehol_level3.netset'

Deployment

The connector can run as:

  • Docker container: Easiest deployment
  • Kubernetes pod: For enterprise environments
  • Standalone service: On dedicated VM

Performance Considerations

Batch Processing

Don’t create individual API calls for each IP. Batch them:

def sync_batch(self, ips, batch_size=1000):
    for i in range(0, len(ips), batch_size):
        batch = ips[i:i+batch_size]
        bundle = self.create_stix_bundle(batch)
        self.helper.send_stix2_bundle(bundle)

Deduplication

Track already-imported IPs to avoid duplicates:

def should_import(self, ip):
    # Check if IP already exists in OpenCTI
    existing = self.helper.api.indicator.read(
        filters=[{"key": "pattern", "values": [ip]}]
    )
    return not existing

Rate Limiting

Respect both FireHOL and OpenCTI API limits:

time.sleep(0.1)  # Between API calls
time.sleep(60)   # Between list fetches

Integration with Interceptor NDR

Once FireHOL data is in OpenCTI, you can integrate it with Cyber Ninja’s Interceptor NDR:

  1. Automatic Blocking: Sensors automatically block IPs from high-confidence lists
  2. Alert Enrichment: Detections include FireHOL context
  3. Threat Hunting: Query for traffic to/from known-bad IPs
  4. Reporting: Track blocked threats by source list

Best Practices

1. Start with Level 1

FireHOL’s Level 1 list contains the highest-confidence threats. Start there before adding Level 2 and 3.

2. Set Expiration

Threat data gets stale. Set validity periods:

'valid_until': (datetime.utcnow() + timedelta(days=30)).isoformat()

3. Monitor False Positives

Track blocked connections and investigate any legitimate services caught in blocklists.

4. Document Sources

Tag each indicator with its source list for traceability.

Advanced Features

Confidence Scoring

Different FireHOL lists have different reliability:

confidence_map = {
    'level1': 90,
    'level2': 70,
    'level3': 50
}

Relationship Mapping

Link related indicators:

# If IP appears in multiple lists
relationship = {
    'source_ref': indicator1_id,
    'relationship_type': 'related-to',
    'target_ref': indicator2_id
}

Automated Response

Configure SOAR playbooks triggered by FireHOL indicators:

  1. IP appears in Level 1 list
  2. OpenCTI creates indicator
  3. SOAR receives webhook
  4. Firewall rule auto-created
  5. NDR sensors block traffic

Monitoring and Maintenance

Track connector health:

  • Sync status: Last successful update
  • Error rate: Failed imports
  • Coverage: IPs imported vs total in lists
  • Performance: Sync duration

Conclusion

A FireHOL connector for OpenCTI provides:

  • Free, high-quality threat intelligence
  • Automated updates of malicious IP lists
  • Enhanced detection capabilities
  • Seamless integration with security tools

Combined with Cyber Ninja’s Interceptor NDR, you get comprehensive network protection powered by both community intelligence and AI-driven autonomous detection.

Getting Started

The complete connector code is available on GitHub. Integration with Interceptor NDR requires configuration in the platform’s threat intelligence settings.

Ready to enhance your threat intelligence? Contact us to learn about Interceptor NDR’s threat intelligence capabilities.

Code Repository

Find the complete FireHOL connector implementation at: github.com/cyber-ninja/opencti-firehol-connector

Further Reading

  • OpenCTI Documentation
  • FireHOL IP Lists Repository
  • STIX 2.1 Specification
  • Cyber Ninja Interceptor API Documentation
Back to Blog
Share:

Ready to enhance your security posture?

Get Started with Interceptor NDR