From ccb7f29da68b6c35d023212fe5a005f0899c2dd4 Mon Sep 17 00:00:00 2001
From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com>
Date: Sun, 25 Dec 2022 06:06:40 +0000
Subject: [PATCH] Initial commit
---
.github/workflows/pages.yml | 59 ++++++++
.gitignore | 4 +
.gitlab-ci.yml | 75 ++++++++++
LICENSE.md | 42 ++++++
README.md | 276 ++++++++++++++++++++++++++++++++++++
src/gitlab_status.sh | 11 ++
src/script.sh | 128 +++++++++++++++++
7 files changed, 595 insertions(+)
create mode 100644 .github/workflows/pages.yml
create mode 100644 .gitignore
create mode 100644 .gitlab-ci.yml
create mode 100644 LICENSE.md
create mode 100644 README.md
create mode 100644 src/gitlab_status.sh
create mode 100644 src/script.sh
diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
new file mode 100644
index 0000000..b737757
--- /dev/null
+++ b/.github/workflows/pages.yml
@@ -0,0 +1,59 @@
+name: Pages
+
+on:
+ schedule:
+ - cron: "0 0,12 * * *"
+ workflow_dispatch:
+
+jobs:
+ pages:
+ runs-on: ubuntu-latest
+ container: alpine:latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install Dependencies
+ run: |
+ apk update
+ apk add brotli curl git grep
+ - name: Build
+ run: sh ./src/script.sh
+ - name: Compress
+ run: |
+ find public -type f -regex '.*\.\(txt\|conf\|tpl\|rules\|csv\)$' -exec gzip -f -k -9 {} \;
+ find public -type f -regex '.*\.\(txt\|conf\|tpl\|rules\|csv\)$' -exec brotli -f -k -9 {} \;
+ - name: Deploy
+ uses: peaceiris/actions-gh-pages@v3
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ publish_dir: ./public
+ force_orphan: true
+ - name: "Upload Public Folder"
+ uses: actions/upload-artifact@v2
+ with:
+ name: public
+ path: ./public
+ retention-days: 30
+ - name: "Upload Tmp Folder"
+ uses: actions/upload-artifact@v2
+ with:
+ name: tmp
+ path: ./tmp
+ retention-days: 30
+ - name: Check GitLab Status
+ env:
+ GITHUB_ENV: ${{ env.GITHUB_ENV }}
+ run: sh ./src/gitlab_status.sh
+ - name: Cloudflare Pages
+ env:
+ CLOUDFLARE_BUILD_HOOK: ${{ secrets.CLOUDFLARE_BUILD_HOOK }}
+ if: ${{ env.CLOUDFLARE_BUILD_HOOK != 0 && env.GITLAB_STATUS == 'down' }}
+ run: curl -X POST "https://api.cloudflare.com/client/v4/pages/webhooks/deploy_hooks/${{ env.CLOUDFLARE_BUILD_HOOK }}"
+ - name: Netlify
+ env:
+ NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
+ NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
+ if: ${{ env.NETLIFY_SITE_ID != 0 && env.GITLAB_STATUS == 'down' }}
+ run: |
+ npm install netlify-cli -g
+ netlify --telemetry-disable
+ netlify deploy --dir=public --prod
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4cae446
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+tmp/
+.vscode/
+public/
+node_modules/
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..3b7bcdf
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,75 @@
+image: alpine:latest
+
+include:
+ - template: Security/Secret-Detection.gitlab-ci.yml
+
+# Only run pipeline when scheduled or "Run pipeline" in the main branch
+workflow:
+ rules:
+ - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && ($CI_PIPELINE_SOURCE == "schedule" || $CI_PIPELINE_SOURCE == "web")'
+
+build_job:
+ stage: build
+
+ before_script:
+ - apk update && apk add brotli curl grep
+
+ script:
+ - sh src/script.sh
+ - find public -type f -regex '.*\.\(txt\|conf\|tpl\|rules\|csv\)$' -exec gzip -f -k -9 {} \;
+ - find public -type f -regex '.*\.\(txt\|conf\|tpl\|rules\|csv\)$' -exec brotli -f -k -9 {} \;
+
+ artifacts:
+ paths:
+ - tmp
+ - public
+ expire_in: 1 week
+
+pages:
+ stage: deploy
+
+ dependencies:
+ - build_job
+
+ script:
+ - echo
+
+ artifacts:
+ paths:
+ - public
+ expire_in: 1 week
+
+ rules:
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+
+cloudflare:
+ stage: deploy
+
+ before_script:
+ - apk update && apk add curl
+
+ script:
+ - curl -X POST "https://api.cloudflare.com/client/v4/pages/webhooks/deploy_hooks/$CLOUDFLARE_BUILD_HOOK"
+
+ rules:
+ - if: $CLOUDFLARE_BUILD_HOOK
+
+netlify:
+ stage: deploy
+
+ dependencies:
+ - build_job
+
+ before_script:
+ - npm install netlify-cli -g
+ - netlify --telemetry-disable
+
+ script:
+ - netlify deploy --dir=public --prod
+
+ cache:
+ paths:
+ - node_modules/
+
+ rules:
+ - if: $NETLIFY_SITE_ID
diff --git a/LICENSE.md b/LICENSE.md
new file mode 100644
index 0000000..b81428e
--- /dev/null
+++ b/LICENSE.md
@@ -0,0 +1,42 @@
+CC0 1.0 Universal
+==================
+
+Statement of Purpose
+---------------------
+
+The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes. These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others.
+
+For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights.
+
+1. Copyright and Related Rights.
+--------------------------------
+A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following:
+
+i. the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work;
+ii. moral rights retained by the original author(s) and/or performer(s);
+iii. publicity and privacy rights pertaining to a person's image or likeness depicted in a Work;
+iv. rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below;
+v. rights protecting the extraction, dissemination, use and reuse of data in a Work;
+vi. database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and
+vii. other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof.
+
+2. Waiver.
+-----------
+To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback.
+----------------------------
+Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.
+
+4. Limitations and Disclaimers.
+--------------------------------
+
+a. No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.
+b. Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.
+c. Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work.
+d. Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.
+
+For more information, please see
+https://creativecommons.org/publicdomain/zero/1.0/
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..1d54fa8
--- /dev/null
+++ b/README.md
@@ -0,0 +1,276 @@
+# Botnet IP Blocklist
+
+- Formats
+ - [IP-based](#ip-based)
+ - [Domain-based (AdGuard Home)](#domain-based-adguard-home)
+ - [IP-based (AdGuard)](#ip-based-adguard)
+ - [IP-based (Vivaldi)](#ip-based-vivaldi)
+ - [dnscrypt-proxy](#dnscrypt-proxy)
+ - [Snort2](#)
+ - [Snort3](#snort3)
+ - [Suricata](#suricata)
+ - [Splunk](#splunk)
+- [Compressed version](#compressed-version)
+- [Reporting issues](#issues)
+- [FAQ and Guides](#faq-and-guides)
+- [CI Variables](#ci-variables)
+- [License](#license)
+
+A blocklist of botnet IPs, based on the **Botnet C2 IOCs** of Abuse.ch [Feodo Tracker](https://feodotracker.abuse.ch/blocklist/#iocs), including online and offline entries. Blocklist is updated twice a day.
+
+This blocklist is only useful as a last line of defence _after_ being infected. To avoid infection in the first place, consider using [urlhaus-filter](https://gitlab.com/malware-filter/urlhaus-filter).
+
+There are multiple formats available, refer to the appropriate section according to the program used:
+
+- uBlock Origin (uBO) -> [IP-based](#ip-based) section (recommended)
+- Pi-hole -> [Domain-based](#domain-based) or [Hosts-based](#hosts-based) section
+- AdGuard Home -> [Domain-based (AdGuard Home)](#domain-based-adguard-home)
+- AdGuard browser extension -> [IP-based (AdGuard)](#ip-based-adguard)
+- Vivaldi -> [IP-based (Vivaldi)](#ip-based-vivaldi)
+- [dnscrypt-proxy](#dnscrypt-proxy)
+- [Snort2](#snort2)
+- [Snort3](#snort3)
+- [Suricata](#suricata)
+- [Splunk](#splunk)
+
+For other programs, see [Compatibility](https://gitlab.com/malware-filter/malware-filter/wikis/compatibility) page in the wiki.
+
+Check out my other filters:
+
+- [urlhaus-filter](https://gitlab.com/malware-filter/urlhaus-filter)
+- [phishing-filter](https://gitlab.com/malware-filter/phishing-filter)
+- [pup-filter](https://gitlab.com/malware-filter/pup-filter)
+- [tracking-filter](https://gitlab.com/malware-filter/tracking-filter)
+- [vn-badsite-filter](https://gitlab.com/malware-filter/vn-badsite-filter)
+
+## IP-based
+
+I highly recommend to use the upstream version (update every 5 minutes): [online+offline](https://feodotracker.abuse.ch/downloads/ipblocklist.txt) or [online only](https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt).
+
+Import the following URL into uBO to subscribe:
+
+- https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt
+
+
+Mirrors
+
+- https://curbengh.github.io/malware-filter/botnet-filter.txt
+- https://curbengh.github.io/botnet-filter/botnet-filter.txt
+- https://malware-filter.gitlab.io/botnet-filter/botnet-filter.txt
+- https://malware-filter.pages.dev/botnet-filter.txt
+- https://botnet-filter.pages.dev/botnet-filter.txt
+
+
+
+## IP-based (AdGuard)
+
+Import the following URL into AdGuard browser extension to subscribe:
+
+- https://malware-filter.gitlab.io/malware-filter/botnet-filter-ag.txt
+
+
+Mirrors
+
+- https://curbengh.github.io/malware-filter/botnet-filter-ag.txt
+- https://curbengh.github.io/botnet-filter/botnet-filter-ag.txt
+- https://malware-filter.gitlab.io/botnet-filter/botnet-filter-ag.txt
+- https://malware-filter.pages.dev/botnet-filter-ag.txt
+- https://botnet-filter.pages.dev/botnet-filter-ag.txt
+
+
+
+## IP-based (Vivaldi)
+
+_Requires Vivaldi Desktop/Android 3.3+, blocking level must be at least "Block Trackers"_
+
+Import the following URL into Vivaldi's **Tracker Blocking Sources** to subscribe:
+
+- https://malware-filter.gitlab.io/malware-filter/botnet-filter-vivaldi.txt
+
+
+Mirrors
+
+- https://curbengh.github.io/malware-filter/botnet-filter-vivaldi.txt
+- https://curbengh.github.io/botnet-filter/botnet-filter-vivaldi.txt
+- https://malware-filter.gitlab.io/botnet-filter/botnet-filter-vivaldi.txt
+- https://malware-filter.pages.dev/botnet-filter-vivaldi.txt
+- https://botnet-filter.pages.dev/botnet-filter-vivaldi.txt
+
+
+
+## Domain-based (AdGuard Home)
+
+This AdGuard Home-compatible blocklist includes domains and IP addresses.
+
+- https://malware-filter.gitlab.io/malware-filter/botnet-filter-agh.txt
+
+
+Mirrors
+
+- https://curbengh.github.io/malware-filter/botnet-filter-agh.txt
+- https://curbengh.github.io/botnet-filter/botnet-filter-agh.txt
+- https://malware-filter.gitlab.io/botnet-filter/botnet-filter-agh.txt
+- https://malware-filter.pages.dev/botnet-filter-agh.txt
+- https://botnet-filter.pages.dev/botnet-filter-agh.txt
+
+
+
+## dnscrypt-proxy
+
+Save the rulesets to "/etc/dnscrypt-proxy/". Refer to this [guide](https://gitlab.com/malware-filter/malware-filter/wikis/update-filter) for auto-update.
+
+Configure dnscrypt-proxy to use the blocklist:
+
+```diff
+[blocked_ips]
++ blocked_ips_file = '/etc/dnscrypt-proxy/botnet-filter-dnscrypt-blocked-ips.txt'
+```
+
+- https://malware-filter.gitlab.io/malware-filter/botnet-filter-dnscrypt-blocked-ips.txt
+
+
+Mirrors
+
+- https://curbengh.github.io/malware-filter/botnet-filter-dnscrypt-blocked-ips.txt
+- https://curbengh.github.io/botnet-filter/botnet-filter-dnscrypt-blocked-ips.txt
+- https://malware-filter.gitlab.io/botnet-filter/botnet-filter-dnscrypt-blocked-ips.txt
+- https://malware-filter.pages.dev/botnet-filter-dnscrypt-blocked-ips.txt
+- https://botnet-filter.pages.dev/botnet-filter-dnscrypt-blocked-ips.txt
+
+
+
+## Snort2
+
+I highly recommend to use the [upstream version](https://feodotracker.abuse.ch/blocklist/#ip-ids) which is updated every 5 minutes.
+
+Save the ruleset to "/etc/snort/rules/botnet-filter-suricata.rules". Refer to this [guide](https://gitlab.com/malware-filter/malware-filter/wikis/update-filter) for auto-update. Snort 2, 3 and Suricata use the same ruleset for this blocklist.
+
+Configure Snort to use the ruleset:
+
+`printf "\ninclude \$RULE_PATH/botnet-filter-suricata.rules\n" >> /etc/snort/snort.conf`
+
+- https://malware-filter.gitlab.io/malware-filter/botnet-filter-suricata.rules
+
+
+Mirrors
+
+- https://curbengh.github.io/malware-filter/botnet-filter-suricata.rules
+- https://curbengh.github.io/botnet-filter/botnet-filter-suricata.rules
+- https://malware-filter.gitlab.io/botnet-filter/botnet-filter-suricata.rules
+- https://malware-filter.pages.dev/botnet-filter-suricata.rules
+- https://botnet-filter.pages.dev/botnet-filter-suricata.rules
+
+
+
+## Snort3
+
+I highly recommend to use the [upstream version](https://feodotracker.abuse.ch/blocklist/#ip-ids) which is updated every 5 minutes.
+
+Save the ruleset to "/etc/snort/rules/botnet-filter-suricata.rules". Refer to this [guide](https://gitlab.com/malware-filter/malware-filter/wikis/update-filter) for auto-update. Snort 2, 3 and Suricata use the same ruleset for this blocklist.
+
+Configure Snort to use the ruleset:
+
+```diff
+# /etc/snort/snort.lua
+ips =
+{
+ variables = default_variables,
++ include = 'rules/botnet-filter-suricata.rules'
+}
+```
+
+- https://malware-filter.gitlab.io/malware-filter/botnet-filter-suricata.rules
+
+
+Mirrors
+
+- https://curbengh.github.io/malware-filter/botnet-filter-suricata.rules
+- https://curbengh.github.io/botnet-filter/botnet-filter-suricata.rules
+- https://malware-filter.gitlab.io/botnet-filter/botnet-filter-suricata.rules
+- https://malware-filter.pages.dev/botnet-filter-suricata.rules
+- https://botnet-filter.pages.dev/botnet-filter-suricata.rules
+
+
+
+## Suricata
+
+I highly recommend to use the [upstream version](https://feodotracker.abuse.ch/blocklist/#ip-ids) which is updated every 5 minutes.
+
+Save the ruleset to "/etc/suricata/rules/botnet-filter-suricata.rules". Refer to this [guide](https://gitlab.com/malware-filter/malware-filter/wikis/update-filter) for auto-update. Snort 2, 3 and Suricata use the same ruleset for this blocklist.
+
+Configure Suricata to use the ruleset:
+
+```diff
+# /etc/suricata/suricata.yaml
+rule-files:
+ - local.rules
++ - botnet-filter-suricata.rules
+```
+
+- https://malware-filter.gitlab.io/malware-filter/botnet-filter-suricata.rules
+
+
+Mirrors
+
+- https://curbengh.github.io/malware-filter/botnet-filter-suricata.rules
+- https://curbengh.github.io/botnet-filter/botnet-filter-suricata.rules
+- https://malware-filter.gitlab.io/botnet-filter/botnet-filter-suricata.rules
+- https://malware-filter.pages.dev/botnet-filter-suricata.rules
+- https://botnet-filter.pages.dev/botnet-filter-suricata.rules
+
+
+
+## Splunk
+
+A CSV file for Splunk [lookup](https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Aboutlookupsandfieldactions).
+
+Either upload the file via GUI or save the file in `$SPLUNK_HOME/Splunk/etc/system/lookups` or app-specific `$SPLUNK_HOME/etc/YourApp/apps/search/lookups`. Refer to this [guide](https://gitlab.com/malware-filter/malware-filter/wikis/update-filter) or [Getwatchlist](https://splunkbase.splunk.com/app/635) app for auto-update.
+
+Columns:
+
+| ip | message | updated |
+| ------- | -------------------------------- | -------------------- |
+| 1.2.3.4 | botnet-filter botnet IP detected | 2022-12-21T12:34:56Z |
+
+- https://malware-filter.gitlab.io/malware-filter/botnet-filter-splunk.csv
+
+
+Mirrors
+
+- https://curbengh.github.io/malware-filter/botnet-filter-splunk.csv
+- https://curbengh.github.io/botnet-filter/botnet-filter-splunk.csv
+- https://malware-filter.gitlab.io/botnet-filter/botnet-filter-splunk.csv
+- https://malware-filter.pages.dev/botnet-filter-splunk.csv
+- https://botnet-filter.pages.dev/botnet-filter-splunk.csv
+
+
+
+## Compressed version
+
+All filters are also available as gzip- and brotli-compressed.
+
+- Gzip: https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt.gz
+- Brotli: https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt.br
+
+## Issues
+
+This blocklist **only** accepts new malicious IPs from [Feodo Tracker](https://feodotracker.abuse.ch/).
+
+## FAQ and Guides
+
+See [wiki](https://gitlab.com/malware-filter/malware-filter/-/wikis/home)
+
+## CI Variables
+
+Optional variables:
+
+- `CLOUDFLARE_BUILD_HOOK`: Deploy to Cloudflare Pages.
+- `NETLIFY_SITE_ID`: Deploy to Netlify.
+
+## License
+
+[Creative Commons Zero v1.0 Universal](LICENSE.md)
+
+[Feodo Tracker](https://feodotracker.abuse.ch/): [CC0](https://creativecommons.org/publicdomain/zero/1.0/)
+
+This repository is not endorsed by Abuse.ch.
diff --git a/src/gitlab_status.sh b/src/gitlab_status.sh
new file mode 100644
index 0000000..fc2d566
--- /dev/null
+++ b/src/gitlab_status.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+ARTIFACT_STATUS=$(curl -sSIL "https://gitlab.com/malware-filter/botnet-filter/-/jobs/artifacts/main/download?job=pages" | grep -F "HTTP/2 200")
+PIPELINE_STATUS=$(curl -sSL "https://gitlab.com/malware-filter/botnet-filter/badges/main/pipeline.svg" | grep -F "failed")
+GITLAB_STATUS="up"
+
+if [ -z "$ARTIFACT_STATUS" ] || [ -n "$PIPELINE_STATUS" ]; then
+ GITLAB_STATUS="down"
+fi
+
+echo "GITLAB_STATUS=$GITLAB_STATUS" >> "$GITHUB_ENV"
diff --git a/src/script.sh b/src/script.sh
new file mode 100644
index 0000000..50a1193
--- /dev/null
+++ b/src/script.sh
@@ -0,0 +1,128 @@
+#!/bin/sh
+
+# works best on busybox ash
+
+set -efux -o pipefail
+
+alias curl="curl -L"
+alias mkdir="mkdir -p"
+alias rm="rm -rf"
+
+## Use GNU grep, busybox grep is too slow
+. "/etc/os-release"
+DISTRO="$ID"
+
+if [ -z "$(grep --help | grep 'GNU')" ]; then
+ if [ "$DISTRO" = "alpine" ]; then
+ echo "Please install GNU grep 'apk add grep'"
+ exit 1
+ fi
+ alias grep="/usr/bin/grep"
+fi
+
+
+## Fallback to busybox dos2unix
+if ! command -v dos2unix &> /dev/null; then
+ alias dos2unix="busybox dos2unix"
+fi
+
+
+## Create a temporary working folder
+mkdir "tmp/"
+cd "tmp/"
+
+## Prepare datasets
+# curl "https://feodotracker.abuse.ch/downloads/ipblocklist.csv" -o "feodo.csv"
+
+## Parse IPs
+cat "feodo.csv" | \
+dos2unix | \
+# Remove comment
+sed "/^#/d" | \
+# dst_ip column
+cut -f 4 -d '"' | \
+# Remove header row
+tail -n +2 | \
+sort -u > "feodo-ip.txt"
+
+## Merge malware domains and URLs
+CURRENT_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+COMMENT_UBO="! Title: Botnet IP Blocklist\n"
+COMMENT_UBO="$COMMENT_UBO! Updated: $CURRENT_TIME\n"
+COMMENT_UBO="$COMMENT_UBO! Expires: 1 day (update frequency)\n"
+COMMENT_UBO="$COMMENT_UBO! Homepage: https://gitlab.com/malware-filter/botnet-filter\m"
+COMMENT_UBO="$COMMENT_UBO! License: https://gitlab.com/malware-filter/botnet-filter#license\n"
+COMMENT_UBO="$COMMENT_UBO! Source: https://feodotracker.abuse.ch/blocklist/"
+
+mkdir "../public/"
+
+# uBlock Origin
+cat "feodo-ip.txt" | \
+sed "1i $COMMENT_UBO" > "../public/botnet-filter.txt"
+
+
+# Adguard Home
+cat "feodo-ip.txt" | \
+sed -e "s/^/||/g" -e "s/$/^/g" | \
+sed "1i $COMMENT_UBO" | \
+sed "1s/Blocklist/Blocklist (AdGuard Home)/" > "../public/botnet-filter-agh.txt"
+
+
+# Adguard browser extension
+cat "feodo-ip.txt" | \
+sed -e "s/^/||/g" -e "s/$/\$all/g" | \
+sed "1i $COMMENT_UBO" | \
+sed "1s/Blocklist/Blocklist (AdGuard)/" > "../public/botnet-filter-ag.txt"
+
+
+# Vivaldi
+cat "feodo-ip.txt" | \
+sed -e "s/^/||/g" -e "s/$/\$document/g" | \
+sed "1i $COMMENT_UBO" | \
+sed "1s/Blocklist/Blocklist (Vivaldi)/" > "../public/botnet-filter-vivaldi.txt"
+
+
+## Hash comment
+# awk + head is a workaround for sed prepend
+COMMENT=$(printf "$COMMENT_UBO" | sed "s/^!/#/g" | awk '{printf "%s\\n", $0}' | head -c -2)
+
+
+## dnscrypt-proxy blocklists
+# name-based
+cat "feodo-ip.txt" | \
+sed "1i $COMMENT" | \
+sed "1s/Domains/IPs/" > "../public/botnet-filter-dnscrypt-blocked-ips.txt"
+
+
+## Temporarily disable command print
+set +x
+
+
+## Snort & Suricata rulesets
+rm "../public/botnet-filter-suricata.rules" \
+ "../public/botnet-filter-splunk.csv"
+
+SID="600000001"
+while read IP; do
+ SR_RULE="alert ip \$HOME_NET any -> [$IP] any (msg:\"botnet-filter botnet IP detected\"; reference:url, feodotracker.abuse.ch/browse/host/$IP/; classtype:trojan-activity; sid:$SID; rev:1;)"
+
+ SP_RULE="\"$IP\",\"botnet-filter botnet IP detected\",\"$CURRENT_TIME\""
+
+ echo "$SR_RULE" >> "../public/botnet-filter-suricata.rules"
+ echo "$SP_RULE" >> "../public/botnet-filter-splunk.csv"
+
+ SID=$(( $SID + 1 ))
+done < "feodo-ip.txt"
+
+
+set -x
+
+
+sed -i "1i $COMMENT" "../public/botnet-filter-suricata.rules"
+sed -i "1s/Blocklist/Suricata Ruleset/" "../public/botnet-filter-suricata.rules"
+
+sed -i -e "1i $COMMENT" -e '1i "ip","message","updated"' "../public/botnet-filter-splunk.csv"
+sed -i "1s/Blocklist/Splunk Lookup/" "../public/botnet-filter-splunk.csv"
+
+
+cd ../