parent
efffbe59f8
commit
5da2fcc391
30
README.md
30
README.md
|
|
@ -17,9 +17,17 @@
|
|||
- [CI Variables](#ci-variables)
|
||||
- [License](#license)
|
||||
|
||||
A blocklist of botnet IPs, based on the **Botnet C2 IOCs** of Abuse.ch [Feodo Tracker](https://feodotracker.abuse.ch/blocklist/#iocs), including online and offline entries. Blocklist is updated twice a day.
|
||||
A blocklist of malicious IPs compiled from these sources (discovered through [banip](https://github.com/openwrt/packages/blob/master/net/banip/files/banip.feeds)):
|
||||
- [Feodo Tracker](https://feodotracker.abuse.ch/downloads/ipblocklist.txt)
|
||||
- [IPsum Level 3](https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt)
|
||||
- [Binary Defense](https://www.binarydefense.com/banlist.txt)
|
||||
- [Proofpoint Emerging Threats](https://rules.emergingthreats.net/blockrules/compromised-ips.txt)
|
||||
- [GreenSnow](https://blocklist.greensnow.co/greensnow.txt)
|
||||
- [Threatview.io](https://threatview.io/Downloads/IP-High-Confidence-Feed.txt)
|
||||
- [Myip.ms](https://myip.ms/files/blacklist/general/latest_blacklist.txt)
|
||||
- [FireHOL](https://iplists.firehol.org/files/firehol_webclient.netset)
|
||||
|
||||
This blocklist is only useful as a last line of defence _after_ being infected. To avoid infection in the first place, consider using [urlhaus-filter](https://gitlab.com/malware-filter/urlhaus-filter).
|
||||
Blocklist is updated twice a day.
|
||||
|
||||
| Client | mirror 1 | mirror 2 | mirror 3 | mirror 4 | mirror 5 | mirror 6 |
|
||||
| --- | --- | --- | --- | --- | --- | --- |
|
||||
|
|
@ -165,4 +173,22 @@ https://gitlab.com/curben/blog#repository-mirrors
|
|||
|
||||
[Feodo Tracker](https://feodotracker.abuse.ch/): [CC0](https://creativecommons.org/publicdomain/zero/1.0/)
|
||||
|
||||
[IPsum Level 3](https://github.com/stamparm): [Unlicense](https://github.com/stamparm/ipsum/blob/master/LICENSE)
|
||||
|
||||
## Credits
|
||||
|
||||
[Binary Defense](https://www.binarydefense.com/)
|
||||
|
||||
[Proofpoint Emerging Threats](https://www.proofpoint.com/us/products/advanced-threat-protection/et-intelligence)
|
||||
|
||||
[GreenSnow](https://greensnow.co/)
|
||||
|
||||
[Threatview.io](https://threatview.io/)
|
||||
|
||||
[Myip.ms](https://myip.ms/files/blacklist/general/latest_blacklist.txt)
|
||||
|
||||
[FireHOL](https://iplists.firehol.org/files/firehol_webclient.netset)
|
||||
|
||||
[banip](https://github.com/openwrt/packages/blob/master/net/banip/files/)
|
||||
|
||||
This repository is not endorsed by Abuse.ch.
|
||||
|
|
|
|||
|
|
@ -0,0 +1,33 @@
|
|||
# GlobalSign GCC R6 AlphaSSL CA 2023
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIFjDCCA3SgAwIBAgIQfx8skC6D0OO2+zvuR4tegDANBgkqhkiG9w0BAQsFADBM
|
||||
MSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSNjETMBEGA1UEChMKR2xv
|
||||
YmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0yMzA3MTkwMzQzMjVaFw0y
|
||||
NjA3MTkwMDAwMDBaMFUxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWdu
|
||||
IG52LXNhMSswKQYDVQQDEyJHbG9iYWxTaWduIEdDQyBSNiBBbHBoYVNTTCBDQSAy
|
||||
MDIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA00Jvk5ADppO0rgDn
|
||||
j1M14XIb032Aas409JJFAb8cUjipFOth7ySLdaWLe3s63oSs5x3eWwzTpX4BFkzZ
|
||||
bxT1eoJSHfT2M0wZ5QOPcCIjsr+YB8TAvV2yJSyq+emRrN/FtgCSTaWXSJ5jipW8
|
||||
SJ/VAuXPMzuAP2yYpuPcjjQ5GyrssDXgu+FhtYxqyFP7BSvx9jQhh5QV5zhLycua
|
||||
n8n+J0Uw09WRQK6JGQ5HzDZQinkNel+fZZNRG1gE9Qeh+tHBplrkalB1g85qJkPO
|
||||
J7SoEvKsmDkajggk/sSq7NPyzFaa/VBGZiRRG+FkxCBniGD5618PQ4trcwHyMojS
|
||||
FObOHQIDAQABo4IBXzCCAVswDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsG
|
||||
AQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBS9
|
||||
BbfzipM8c8t5+g+FEqF3lhiRdDAfBgNVHSMEGDAWgBSubAWjkxPioufi1xzWx/B/
|
||||
yGdToDB7BggrBgEFBQcBAQRvMG0wLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwMi5n
|
||||
bG9iYWxzaWduLmNvbS9yb290cjYwOwYIKwYBBQUHMAKGL2h0dHA6Ly9zZWN1cmUu
|
||||
Z2xvYmFsc2lnbi5jb20vY2FjZXJ0L3Jvb3QtcjYuY3J0MDYGA1UdHwQvMC0wK6Ap
|
||||
oCeGJWh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vcm9vdC1yNi5jcmwwIQYDVR0g
|
||||
BBowGDAIBgZngQwBAgEwDAYKKwYBBAGgMgoBAzANBgkqhkiG9w0BAQsFAAOCAgEA
|
||||
fMkkMo5g4mn1ft4d4xR2kHzYpDukhC1XYPwfSZN3A9nEBadjdKZMH7iuS1vF8uSc
|
||||
g26/30DRPen2fFRsr662ECyUCR4OfeiiGNdoQvcesM9Xpew3HLQP4qHg+s774hNL
|
||||
vGRD4aKSKwFqLMrcqCw6tEAfX99tFWsD4jzbC6k8tjSLzEl0fTUlfkJaWpvLVkpg
|
||||
9et8tD8d51bymCg5J6J6wcXpmsSGnksBobac1+nXmgB7jQC9edU8Z41FFo87BV3k
|
||||
CtrWWsdkQavObMsXUPl/AO8y/jOuAWz0wyvPnKom+o6W4vKDY6/6XPypNdebOJ6m
|
||||
jyaILp0quoQvhjx87BzENh5s57AIOyIGpS0sDEChVDPzLEfRsH2FJ8/W5woF0nvs
|
||||
BTqfYSCqblQbHeDDtCj7Mlf8JfqaMuqcbE4rMSyfeHyCdZQwnc/r9ujnth691AJh
|
||||
xyYeCM04metJIe7cB6d4dFm+Pd5ervY4x32r0uQ1Q0spy1VjNqUJjussYuXNyMmF
|
||||
HSuLQQ6PrePmH5lcSMQpYKzPoD/RiNVD/PK0O3vuO5vh3o7oKb1FfzoanDsFFTrw
|
||||
0aLOdRW/tmLPWVNVlAb8ad+B80YJsL4HXYnQG8wYAFb8LhwSDyT9v+C1C1lcIHE7
|
||||
nE0AAp9JSHxDYsma9pi4g0Phg3BgOm2euTRzw7R0SzU=
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -59,51 +59,65 @@ mkdir "tmp/"
|
|||
cd "tmp/"
|
||||
|
||||
## Prepare datasets
|
||||
curl "https://feodotracker.abuse.ch/downloads/ipblocklist.csv" -o "feodo.csv"
|
||||
curl "https://feodotracker.abuse.ch/downloads/ipblocklist.txt" -o "feodo.txt" || [ $? = 1 ]
|
||||
curl "https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt" -o "ipsum-level3.txt" || [ $? = 1 ]
|
||||
curl "https://www.binarydefense.com/banlist.txt" -o "binarydefense.txt" || [ $? = 1 ]
|
||||
curl "https://rules.emergingthreats.net/blockrules/compromised-ips.txt" -o "et.txt" || [ $? = 1 ]
|
||||
curl "https://blocklist.greensnow.co/greensnow.txt" -o "greensnow.txt" || [ $? = 1 ]
|
||||
curl "https://threatview.io/Downloads/IP-High-Confidence-Feed.txt" -o "threatview.txt" || [ $? = 1 ]
|
||||
# missing intermediate cert
|
||||
curl "https://myip.ms/files/blacklist/general/latest_blacklist.txt" --cacert "../src/globalsign-sub.pem" -o "myip.txt" || [ $? = 1 ]
|
||||
curl "https://iplists.firehol.org/files/firehol_webclient.netset" -o "firehol-web.txt" || [ $? = 1 ]
|
||||
|
||||
# ensure file exists
|
||||
touch "feodo.txt" "ipsum-level3.txt" "binarydefense.txt" "et.txt" "greensnow.txt" "threatview.txt" "myip.txt" "firehol-web.txt"
|
||||
|
||||
|
||||
## Parse IPs
|
||||
cat "feodo.csv" | \
|
||||
cat "feodo.txt" "ipsum-level3.txt" "binarydefense.txt" "et.txt" "greensnow.txt" "threatview.txt" "myip.txt" "firehol-web.txt" | \
|
||||
dos2unix | \
|
||||
# Remove comment
|
||||
sed "/^#/d" | \
|
||||
# dst_ip column
|
||||
cut -f 4 -d '"' | \
|
||||
# Remove header row
|
||||
tail -n +2 | \
|
||||
sort -u > "feodo-ip.txt"
|
||||
# Remove inline comment
|
||||
sed -r "s/\s.+//g" | \
|
||||
# Remove blank lines
|
||||
sed "/^$/d" | \
|
||||
# Wrap ipv6 in bracket
|
||||
sed -r "s/(.+:.+)/[\1]/" | \
|
||||
sort -u > "ip.txt"
|
||||
|
||||
## Merge malware domains and URLs
|
||||
CURRENT_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
|
||||
COMMENT_UBO="! Title: Botnet IP Blocklist\n"
|
||||
COMMENT_UBO="! Title: Malicious IP Blocklist\n"
|
||||
COMMENT_UBO="$COMMENT_UBO! Updated: $CURRENT_TIME\n"
|
||||
COMMENT_UBO="$COMMENT_UBO! Expires: 1 day (update frequency)\n"
|
||||
COMMENT_UBO="$COMMENT_UBO! Expires: 12 hours (update frequency)\n"
|
||||
COMMENT_UBO="$COMMENT_UBO! Homepage: https://gitlab.com/malware-filter/botnet-filter\n"
|
||||
COMMENT_UBO="$COMMENT_UBO! License: https://gitlab.com/malware-filter/botnet-filter#license\n"
|
||||
COMMENT_UBO="$COMMENT_UBO! Source: https://feodotracker.abuse.ch/blocklist/"
|
||||
COMMENT_UBO="$COMMENT_UBO! Source: feodotracker.abuse.ch, stamparm/ipsum, binarydefense, Proofpoint emergingthreats, greensnow, threatview, myip.ms, firehol"
|
||||
|
||||
mkdir "../public/"
|
||||
|
||||
# uBlock Origin
|
||||
cat "feodo-ip.txt" | \
|
||||
cat "ip.txt" | \
|
||||
sed "1i $COMMENT_UBO" > "../public/botnet-filter.txt"
|
||||
|
||||
|
||||
# Adguard Home
|
||||
cat "feodo-ip.txt" | \
|
||||
cat "ip.txt" | \
|
||||
sed -e "s/^/||/g" -e "s/$/^/g" | \
|
||||
sed "1i $COMMENT_UBO" | \
|
||||
sed "1s/Blocklist/Blocklist (AdGuard Home)/" > "../public/botnet-filter-agh.txt"
|
||||
|
||||
|
||||
# Adguard browser extension
|
||||
cat "feodo-ip.txt" | \
|
||||
cat "ip.txt" | \
|
||||
sed -e "s/^/||/g" -e "s/$/\$all/g" | \
|
||||
sed "1i $COMMENT_UBO" | \
|
||||
sed "1s/Blocklist/Blocklist (AdGuard)/" > "../public/botnet-filter-ag.txt"
|
||||
|
||||
|
||||
# Vivaldi
|
||||
cat "feodo-ip.txt" | \
|
||||
cat "ip.txt" | \
|
||||
sed -e "s/^/||/g" -e "s/$/\$document/g" | \
|
||||
sed "1i $COMMENT_UBO" | \
|
||||
sed "1s/Blocklist/Blocklist (Vivaldi)/" > "../public/botnet-filter-vivaldi.txt"
|
||||
|
|
@ -115,13 +129,15 @@ COMMENT=$(printf "$COMMENT_UBO" | sed "s/^!/#/g" | awk '{printf "%s\\n", $0}' |
|
|||
|
||||
## dnscrypt-proxy blocklists
|
||||
# IP-based
|
||||
cat "feodo-ip.txt" | \
|
||||
cat "ip.txt" | \
|
||||
sed -r "s/\[|\]//g" | \
|
||||
sed "1i $COMMENT" | \
|
||||
sed "1s/Blocklist/Blocklist (Dnscrypt-proxy)/" > "../public/botnet-filter-dnscrypt-blocked-ips.txt"
|
||||
|
||||
|
||||
## htaaccess
|
||||
cat "feodo-ip.txt" | \
|
||||
cat "ip.txt" | \
|
||||
sed -r "s/\[|\]//g" | \
|
||||
sed "s/^/deny from /g" | \
|
||||
sed "1i $COMMENT" | \
|
||||
sed "1s/Blocklist/Blocklist (htaccess)/" > "../public/botnet-filter-htaccess.txt"
|
||||
|
|
@ -136,32 +152,23 @@ rm "../public/botnet-filter-suricata.rules" \
|
|||
"../public/botnet-filter-splunk.csv"
|
||||
|
||||
SID="600000001"
|
||||
while read IP; do
|
||||
SR_RULE="alert ip \$HOME_NET any -> [$IP] any (msg:\"botnet-filter botnet IP detected\"; reference:url, feodotracker.abuse.ch/browse/host/$IP/; classtype:trojan-activity; sid:$SID; rev:1;)"
|
||||
while read line; do
|
||||
IP=$(printf "$line" | sed -r 's/\[|\]/"/g')
|
||||
SR_RULE="alert ip \$HOME_NET any -> [$IP] any (msg:\"botnet-filter botnet IP detected\"; classtype:trojan-activity; sid:$SID; rev:1;)"
|
||||
|
||||
IP=$(printf "$line" | sed -r 's/\[|\]//g')
|
||||
SP_RULE="\"$IP\",\"botnet-filter botnet IP detected\",\"$CURRENT_TIME\""
|
||||
|
||||
echo "$SR_RULE" >> "../public/botnet-filter-suricata.rules"
|
||||
echo "$SP_RULE" >> "../public/botnet-filter-splunk.csv"
|
||||
|
||||
SID=$(( $SID + 1 ))
|
||||
done < "feodo-ip.txt"
|
||||
done < "ip.txt"
|
||||
|
||||
|
||||
set -x
|
||||
|
||||
|
||||
# upstream may provide empty data
|
||||
if [ ! -s "feodo-ip.txt" ]; then
|
||||
printf "$COMMENT_UBO\n! END 0 entries\n" > "../public/botnet-filter.txt"
|
||||
printf "$COMMENT_UBO\n! END 0 entries\n" > "../public/botnet-filter-agh.txt"
|
||||
printf "$COMMENT_UBO\n! END 0 entries\n" > "../public/botnet-filter-ag.txt"
|
||||
printf "$COMMENT_UBO\n! END 0 entries\n" > "../public/botnet-filter-vivaldi.txt"
|
||||
printf "$COMMENT\n# END 0 entries\n" > "../public/botnet-filter-dnscrypt-blocked-ips.txt"
|
||||
echo "# END 0 entries" > "../public/botnet-filter-suricata.rules"
|
||||
echo "# END 0 entries" > "../public/botnet-filter-splunk.csv"
|
||||
fi
|
||||
|
||||
sed -i "1i $COMMENT" "../public/botnet-filter-suricata.rules"
|
||||
sed -i "1s/Blocklist/Suricata Ruleset/" "../public/botnet-filter-suricata.rules"
|
||||
|
||||
|
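Review bot: In the rule-generation loop, `IP=$(printf "$line" | sed -r 's/\[|\]/"/g')` and the matching line below it pass each feed line to printf as the format string, so a line containing `%` or a backslash sequence would be reinterpreted instead of copied verbatim; ip.txt is assembled earlier in this section from the external feeds with only comment, trailing-text and blank-line stripping, so nothing confirms that a line is an address before it is spliced into the Suricata rule and the Splunk CSV row. Pass the data as an argument instead: `while IFS= read -r line; do`, `IP=$(printf '%s' "$line" | sed -r 's/\[|\]/"/g')` and `IP=$(printf '%s' "$line" | sed -r 's/\[|\]//g')`. It would also be worth a `continue` for lines that do not look like an IPv4/IPv6 literal (or a CIDR range, if any feed emits those) so that a malformed upstream entry yields a skipped line rather than a malformed rule. Whether the script runs under `set -e` is not visible in this section, so the effect of a failing `printf`/`sed` pipeline on the loop cannot be judged from here.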
|
|
|||