diff --git a/README.md b/README.md
index 0a1c084..a6303e0 100644
--- a/README.md
+++ b/README.md
@@ -17,9 +17,17 @@
 - [CI Variables](#ci-variables)
 - [License](#license)
-A blocklist of botnet IPs, based on the **Botnet C2 IOCs** of Abuse.ch [Feodo Tracker](https://feodotracker.abuse.ch/blocklist/#iocs), including online and offline entries. Blocklist is updated twice a day.
+A blocklist of malicious IPs compiled from these sources (discovered through [banip](https://github.com/openwrt/packages/blob/master/net/banip/files/banip.feeds)):
+ - [Feodo Tracker](https://feodotracker.abuse.ch/downloads/ipblocklist.txt)
+ - [IPsum Level 3](https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt)
+ - [Binary Defense](https://www.binarydefense.com/banlist.txt)
+ - [Proofpoint Emerging Threats](https://rules.emergingthreats.net/blockrules/compromised-ips.txt)
+ - [GreenSnow](https://blocklist.greensnow.co/greensnow.txt)
+ - [Threatview.io](https://threatview.io/Downloads/IP-High-Confidence-Feed.txt)
+ - [Myip.ms](https://myip.ms/files/blacklist/general/latest_blacklist.txt)
+ - [FireHOL](https://iplists.firehol.org/files/firehol_webclient.netset)
-This blocklist is only useful as a last line of defence _after_ being infected. To avoid infection in the first place, consider using [urlhaus-filter](https://gitlab.com/malware-filter/urlhaus-filter).
+Blocklist is updated twice a day.
 | Client | mirror 1 | mirror 2 | mirror 3 | mirror 4 | mirror 5 | mirror 6 |
 | --- | --- | --- | --- | --- | --- | --- |
@@ -165,4 +173,22 @@ https://gitlab.com/curben/blog#repository-mirrors
 [Feodo Tracker](https://feodotracker.abuse.ch/): [CC0](https://creativecommons.org/publicdomain/zero/1.0/)
+[IPsum Level 3](https://github.com/stamparm): [Unlicense](https://github.com/stamparm/ipsum/blob/master/LICENSE)
+
+## Credits
+
+[Binary Defense](https://www.binarydefense.com/)
+
+[Proofpoint Emerging Threats](https://www.proofpoint.com/us/products/advanced-threat-protection/et-intelligence)
+
+[GreenSnow](https://greensnow.co/)
+
+[Threatview.io](https://threatview.io/)
+
+[Myip.ms](https://myip.ms/files/blacklist/general/latest_blacklist.txt)
+
+[FireHOL](https://iplists.firehol.org/files/firehol_webclient.netset)
+
+[banip](https://github.com/openwrt/packages/blob/master/net/banip/files/)
+
 This repository is not endorsed by Abuse.ch.
diff --git a/src/globalsign-sub.pem b/src/globalsign-sub.pem
new file mode 100644
index 0000000..9af62a6
--- /dev/null
+++ b/src/globalsign-sub.pem
@@ -0,0 +1,33 @@
+# GlobalSign GCC R6 AlphaSSL CA 2023
+-----BEGIN CERTIFICATE-----
+MIIFjDCCA3SgAwIBAgIQfx8skC6D0OO2+zvuR4tegDANBgkqhkiG9w0BAQsFADBM
+MSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSNjETMBEGA1UEChMKR2xv
+YmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0yMzA3MTkwMzQzMjVaFw0y
+NjA3MTkwMDAwMDBaMFUxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWdu
+IG52LXNhMSswKQYDVQQDEyJHbG9iYWxTaWduIEdDQyBSNiBBbHBoYVNTTCBDQSAy
+MDIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA00Jvk5ADppO0rgDn
+j1M14XIb032Aas409JJFAb8cUjipFOth7ySLdaWLe3s63oSs5x3eWwzTpX4BFkzZ
+bxT1eoJSHfT2M0wZ5QOPcCIjsr+YB8TAvV2yJSyq+emRrN/FtgCSTaWXSJ5jipW8
+SJ/VAuXPMzuAP2yYpuPcjjQ5GyrssDXgu+FhtYxqyFP7BSvx9jQhh5QV5zhLycua
+n8n+J0Uw09WRQK6JGQ5HzDZQinkNel+fZZNRG1gE9Qeh+tHBplrkalB1g85qJkPO
+J7SoEvKsmDkajggk/sSq7NPyzFaa/VBGZiRRG+FkxCBniGD5618PQ4trcwHyMojS
+FObOHQIDAQABo4IBXzCCAVswDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsG
+AQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBS9
+BbfzipM8c8t5+g+FEqF3lhiRdDAfBgNVHSMEGDAWgBSubAWjkxPioufi1xzWx/B/
+yGdToDB7BggrBgEFBQcBAQRvMG0wLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwMi5n
+bG9iYWxzaWduLmNvbS9yb290cjYwOwYIKwYBBQUHMAKGL2h0dHA6Ly9zZWN1cmUu
+Z2xvYmFsc2lnbi5jb20vY2FjZXJ0L3Jvb3QtcjYuY3J0MDYGA1UdHwQvMC0wK6Ap
+oCeGJWh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vcm9vdC1yNi5jcmwwIQYDVR0g
+BBowGDAIBgZngQwBAgEwDAYKKwYBBAGgMgoBAzANBgkqhkiG9w0BAQsFAAOCAgEA
+fMkkMo5g4mn1ft4d4xR2kHzYpDukhC1XYPwfSZN3A9nEBadjdKZMH7iuS1vF8uSc
+g26/30DRPen2fFRsr662ECyUCR4OfeiiGNdoQvcesM9Xpew3HLQP4qHg+s774hNL
+vGRD4aKSKwFqLMrcqCw6tEAfX99tFWsD4jzbC6k8tjSLzEl0fTUlfkJaWpvLVkpg
+9et8tD8d51bymCg5J6J6wcXpmsSGnksBobac1+nXmgB7jQC9edU8Z41FFo87BV3k
+CtrWWsdkQavObMsXUPl/AO8y/jOuAWz0wyvPnKom+o6W4vKDY6/6XPypNdebOJ6m
+jyaILp0quoQvhjx87BzENh5s57AIOyIGpS0sDEChVDPzLEfRsH2FJ8/W5woF0nvs
+BTqfYSCqblQbHeDDtCj7Mlf8JfqaMuqcbE4rMSyfeHyCdZQwnc/r9ujnth691AJh
+xyYeCM04metJIe7cB6d4dFm+Pd5ervY4x32r0uQ1Q0spy1VjNqUJjussYuXNyMmF
+HSuLQQ6PrePmH5lcSMQpYKzPoD/RiNVD/PK0O3vuO5vh3o7oKb1FfzoanDsFFTrw
+0aLOdRW/tmLPWVNVlAb8ad+B80YJsL4HXYnQG8wYAFb8LhwSDyT9v+C1C1lcIHE7
+nE0AAp9JSHxDYsma9pi4g0Phg3BgOm2euTRzw7R0SzU=
+-----END CERTIFICATE-----
diff --git a/src/script.sh b/src/script.sh
index 37a7d96..6791dff 100644
--- a/src/script.sh
+++ b/src/script.sh
@@ -59,51 +59,65 @@ mkdir "tmp/"
 cd "tmp/"
 ## Prepare datasets
-curl "https://feodotracker.abuse.ch/downloads/ipblocklist.csv" -o "feodo.csv"
+curl "https://feodotracker.abuse.ch/downloads/ipblocklist.txt" -o "feodo.txt" || [ $? = 1 ]
+curl "https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt" -o "ipsum-level3.txt" || [ $? = 1 ]
+curl "https://www.binarydefense.com/banlist.txt" -o "binarydefense.txt" || [ $? = 1 ]
+curl "https://rules.emergingthreats.net/blockrules/compromised-ips.txt" -o "et.txt" || [ $? = 1 ]
+curl "https://blocklist.greensnow.co/greensnow.txt" -o "greensnow.txt" || [ $? = 1 ]
+curl "https://threatview.io/Downloads/IP-High-Confidence-Feed.txt" -o "threatview.txt" || [ $? = 1 ]
+# missing intermediate cert
+curl "https://myip.ms/files/blacklist/general/latest_blacklist.txt" --cacert "../src/globalsign-sub.pem" -o "myip.txt" || [ $? = 1 ]
+curl "https://iplists.firehol.org/files/firehol_webclient.netset" -o "firehol-web.txt" || [ $? = 1 ]
+
+# ensure file exists
+touch "feodo.txt" "ipsum-level3.txt" "binarydefense.txt" "et.txt" "greensnow.txt" "threatview.txt" "myip.txt" "firehol-web.txt"
+
 ## Parse IPs
-cat "feodo.csv" | \
+cat "feodo.txt" "ipsum-level3.txt" "binarydefense.txt" "et.txt" "greensnow.txt" "threatview.txt" "myip.txt" "firehol-web.txt" | \
 dos2unix | \
 # Remove comment
 sed "/^#/d" | \
-# dst_ip column
-cut -f 4 -d '"' | \
-# Remove header row
-tail -n +2 | \
-sort -u > "feodo-ip.txt"
+# Remove inline comment
+sed -r "s/\s.+//g" | \
+# Remove blank lines
+sed "/^$/d" | \
+# Wrap ipv6 in bracket
+sed -r "s/(.+:.+)/[\1]/" | \
+sort -u > "ip.txt"
 ## Merge malware domains and URLs
 CURRENT_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-COMMENT_UBO="! Title: Botnet IP Blocklist\n"
+COMMENT_UBO="! Title: Malicious IP Blocklist\n"
 COMMENT_UBO="$COMMENT_UBO! Updated: $CURRENT_TIME\n"
-COMMENT_UBO="$COMMENT_UBO! Expires: 1 day (update frequency)\n"
+COMMENT_UBO="$COMMENT_UBO! Expires: 12 hours (update frequency)\n"
 COMMENT_UBO="$COMMENT_UBO! Homepage: https://gitlab.com/malware-filter/botnet-filter\n"
 COMMENT_UBO="$COMMENT_UBO! License: https://gitlab.com/malware-filter/botnet-filter#license\n"
-COMMENT_UBO="$COMMENT_UBO! Source: https://feodotracker.abuse.ch/blocklist/"
+COMMENT_UBO="$COMMENT_UBO! Source: feodotracker.abuse.ch, stamparm/ipsum, binarydefense, Proofpoint emergingthreats, greensnow, threatview, myip.ms, firehol"
 mkdir "../public/"
 # uBlock Origin
-cat "feodo-ip.txt" | \
+cat "ip.txt" | \
 sed "1i $COMMENT_UBO" > "../public/botnet-filter.txt"
 # Adguard Home
-cat "feodo-ip.txt" | \
+cat "ip.txt" | \
 sed -e "s/^/||/g" -e "s/$/^/g" | \
 sed "1i $COMMENT_UBO" | \
 sed "1s/Blocklist/Blocklist (AdGuard Home)/" > "../public/botnet-filter-agh.txt"
 # Adguard browser extension
-cat "feodo-ip.txt" | \
+cat "ip.txt" | \
 sed -e "s/^/||/g" -e "s/$/\$all/g" | \
 sed "1i $COMMENT_UBO" | \
 sed "1s/Blocklist/Blocklist (AdGuard)/" > "../public/botnet-filter-ag.txt"
 # Vivaldi
-cat "feodo-ip.txt" | \
+cat "ip.txt" | \
 sed -e "s/^/||/g" -e "s/$/\$document/g" | \
 sed "1i $COMMENT_UBO" | \
 sed "1s/Blocklist/Blocklist (Vivaldi)/" > "../public/botnet-filter-vivaldi.txt"
@@ -115,13 +129,15 @@ COMMENT=$(printf "$COMMENT_UBO" | sed "s/^!/#/g" | awk '{printf "%s\\n", $0}' |
 ## dnscrypt-proxy blocklists
 # IP-based
-cat "feodo-ip.txt" | \
+cat "ip.txt" | \
+sed -r "s/\[|\]//g" | \
 sed "1i $COMMENT" | \
 sed "1s/Blocklist/Blocklist (Dnscrypt-proxy)/" > "../public/botnet-filter-dnscrypt-blocked-ips.txt"
 ## htaaccess
-cat "feodo-ip.txt" | \
+cat "ip.txt" | \
+sed -r "s/\[|\]//g" | \
 sed "s/^/deny from /g" | \
 sed "1i $COMMENT" | \
 sed "1s/Blocklist/Blocklist (htaccess)/" > "../public/botnet-filter-htaccess.txt"
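Review bot: The eight curl fetches under `## Prepare datasets` run without `--fail`, so an HTTP error or interstitial page from any feed is saved with exit status 0 (the `|| [ $? = 1 ]` guard only masks exit status 1), and the `## Parse IPs` pipeline then turns the first token of every non-`#` line — HTML tags included — into a blocklist entry that propagates into every generated format. Add `--fail --retry 3 -sS` to each fetch and keep only IP-shaped tokens before the bracket step, e.g. `grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$|^[0-9a-fA-F:]+(/[0-9]{1,3})?$' | \`; if the script runs under `set -e` (not visible in this hunk) also decide whether a dead feed should abort the build or fall through to the `touch` placeholders, because the guard and the `touch` currently pull in opposite directions. Separately, `--cacert "../src/globalsign-sub.pem"` replaces curl's trust store for the myip.ms fetch with the single intermediate added in this commit; that certificate's notAfter decodes to 2026-07-19, curl will exit 60 (not masked by the guard) as soon as myip.ms re-keys or the pin lapses, and accepting a non-root trust anchor depends on the TLS backend curl was built against. Prefer concatenating the intermediate onto the system bundle so validation still reaches GlobalSign Root R6 when it is present there, and replace `# missing intermediate cert` with `# myip.ms omits its intermediate; src/globalsign-sub.pem (GlobalSign GCC R6 AlphaSSL CA 2023) expires 2026-07-19` so the expiry is visible where it bites.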
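Review bot: The `sed -r "s/\[|\]//g"` stage added to the dnscrypt-proxy and htaccess outputs undoes the IPv6 bracketing but leaves CIDR entries untouched, and with FireHOL's `.netset` and IPsum now among the merged inputs, `ip.txt` can carry prefixes such as `a.b.c.0/24`. Apache's `deny from` accepts that form; I am not sure dnscrypt-proxy's blocked-ips file does — confirm against its documented format, and if not, drop prefixes for that output with `grep -v '/' | \` (or expand them) before `sed "1i $COMMENT"`. The same strip is now written twice; producing the unbracketed list once (`sed -r "s/\[|\]//g" "ip.txt" > "ip-plain.txt"`) and reading `ip-plain.txt` in both places keeps the two outputs from drifting the next time the entry format changes.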
@@ -136,32 +152,23 @@ rm "../public/botnet-filter-suricata.rules" \
 "../public/botnet-filter-splunk.csv"
 SID="600000001"
-while read IP; do
- SR_RULE="alert ip \$HOME_NET any -> [$IP] any (msg:\"botnet-filter botnet IP detected\"; reference:url, feodotracker.abuse.ch/browse/host/$IP/; classtype:trojan-activity; sid:$SID; rev:1;)"
+while read line; do
+ IP=$(printf "$line" | sed -r 's/\[|\]/"/g')
+ SR_RULE="alert ip \$HOME_NET any -> [$IP] any (msg:\"botnet-filter botnet IP detected\"; classtype:trojan-activity; sid:$SID; rev:1;)"
+ IP=$(printf "$line" | sed -r 's/\[|\]//g')
 SP_RULE="\"$IP\",\"botnet-filter botnet IP detected\",\"$CURRENT_TIME\""
 echo "$SR_RULE" >> "../public/botnet-filter-suricata.rules"
 echo "$SP_RULE" >> "../public/botnet-filter-splunk.csv"
 SID=$(( $SID + 1 ))
-done < "feodo-ip.txt"
+done < "ip.txt"
 set -x
-# upstream may provide empty data
-if [ ! -s "feodo-ip.txt" ]; then
- printf "$COMMENT_UBO\n! END 0 entries\n" > "../public/botnet-filter.txt"
- printf "$COMMENT_UBO\n! END 0 entries\n" > "../public/botnet-filter-agh.txt"
- printf "$COMMENT_UBO\n! END 0 entries\n" > "../public/botnet-filter-ag.txt"
- printf "$COMMENT_UBO\n! END 0 entries\n" > "../public/botnet-filter-vivaldi.txt"
- printf "$COMMENT\n# END 0 entries\n" > "../public/botnet-filter-dnscrypt-blocked-ips.txt"
- echo "# END 0 entries" > "../public/botnet-filter-suricata.rules"
- echo "# END 0 entries" > "../public/botnet-filter-splunk.csv"
-fi
-
 sed -i "1i $COMMENT" "../public/botnet-filter-suricata.rules"
 sed -i "1s/Blocklist/Suricata Ruleset/" "../public/botnet-filter-suricata.rules"