ThreatHive Integration Guide

Ensure CrowdSec is Installed:
- Follow the official guide at docs.crowdsec.net if not already installed.

Create the ThreatHive Import Script:

Save the following script to /usr/local/bin/import_threathive.sh and make it executable:

#!/bin/bash

BLOCKLIST_URL="https://threathive.net/hiveblocklist.txt"
TMPFILE="/tmp/hiveblocklist.txt"
IMPORTFILE="/tmp/hiveblocklist_bulk.json"

# Download blocklist
curl -s "$BLOCKLIST_URL" -o "$TMPFILE" || exit 1

# Remove existing imported decisions
sudo cscli decisions delete --origin "cscli-import" > /dev/null

# Create bulk JSON
echo "[" > "$IMPORTFILE"
first=1
while read -r ip; do
    [[ "$ip" =~ ^#.*$ || -z "$ip" ]] && continue
    if [ $first -eq 0 ]; then
        echo "," >> "$IMPORTFILE"
    fi
    echo "{\"type\": \"ban\", \"value\": \"$ip\", \"origin\": \"threathive\", \"scenario\": \"external blocklist\", \"duration\": \"24h\"}" >> "$IMPORTFILE"
    first=0
done < "$TMPFILE"
echo "]" >> "$IMPORTFILE"

# Import in bulk
sudo cscli decisions import -i "$IMPORTFILE" --duration 24h

Make it executable:

sudo chmod +x /usr/local/bin/import_threathive.sh

Run the Script Manually:

Execute the script to fetch and ban the latest IPs:

sudo /usr/local/bin/import_threathive.sh

Sample output:

INFO[0000] 0 decision(s) deleted
Parsing json
You are about to add 88994 decisions, this may take a while

Verify Imported Bans:

Check that IPs were successfully added:

sudo cscli decisions list

You should see IPs like:

| 204335 | threathive | Ip:1.0.254.208 | threathive | ban | ... |

Automate Daily Import with Cron:
- Edit the root crontab:
- Add this line to run the script every day at midnight and suppress output:

ThreatHive Integration Guide - CrowdSec

Integration Steps