botnet-filter/README.md

11 KiB

Botnet IP Blocklist

A blocklist of botnet IPs, based on the Botnet C2 IOCs of Abuse.ch Feodo Tracker, including online and offline entries. Blocklist is updated twice a day.

This blocklist is only useful as a last line of defence after being infected. To avoid infection in the first place, consider using urlhaus-filter.

Client mirror 1 mirror 2 mirror 3 mirror 4 mirror 5 mirror 6
uBlock Origin, IP-based link link link link link link
AdGuard Home link link link link link link
AdGuard (browser extension) link link link link link link
Vivaldi link link link link link link
dnscrypt-proxy link link link link link link
Snort2, Snort3, Suricata link link link link link link
Splunk link link link link link link

For other programs, see Compatibility page in the wiki.

Check out my other filters:

IP-based

I highly recommend to use the upstream version (update every 5 minutes): online+offline or online only.

Import the link into uBO's filter list to subscribe.

IP-based (AdGuard)

Import the link into AdGuard browser extension to subscribe.

IP-based (Vivaldi)

Requires Vivaldi Desktop/Android 3.3+, blocking level must be at least "Block Trackers"

Import the link into Vivaldi's Tracker Blocking Sources to subscribe.

Domain-based (AdGuard Home)

dnscrypt-proxy

Save the rulesets to "/etc/dnscrypt-proxy/". Refer to this guide for auto-update.

Configure dnscrypt-proxy to use the blocklist:

[blocked_ips]
+  blocked_ips_file = '/etc/dnscrypt-proxy/botnet-filter-dnscrypt-blocked-ips.txt'

Snort2

I highly recommend to use the upstream version which is updated every 5 minutes.

Save the ruleset to "/etc/snort/rules/botnet-filter-suricata.rules". Refer to this guide for auto-update. Snort 2, 3 and Suricata use the same ruleset for this blocklist.

Configure Snort to use the ruleset:

printf "\ninclude \$RULE_PATH/botnet-filter-suricata.rules\n" >> /etc/snort/snort.conf

Snort3

I highly recommend to use the upstream version which is updated every 5 minutes.

Save the ruleset to "/etc/snort/rules/botnet-filter-suricata.rules". Refer to this guide for auto-update. Snort 2, 3 and Suricata use the same ruleset for this blocklist.

Configure Snort to use the ruleset:

# /etc/snort/snort.lua
ips =
{
  variables = default_variables,
+  include = 'rules/botnet-filter-suricata.rules'
}

Suricata

I highly recommend to use the upstream version which is updated every 5 minutes.

Save the ruleset to "/etc/suricata/rules/botnet-filter-suricata.rules". Refer to this guide for auto-update. Snort 2, 3 and Suricata use the same ruleset for this blocklist.

Configure Suricata to use the ruleset:

# /etc/suricata/suricata.yaml
rule-files:
  - local.rules
+  - botnet-filter-suricata.rules

Splunk

A CSV file for Splunk lookup.

Either upload the file via GUI or save the file in $SPLUNK_HOME/Splunk/etc/system/lookups or app-specific $SPLUNK_HOME/etc/YourApp/apps/search/lookups.

Or use malware-filter add-on to install this lookup and optionally auto-update it.

Columns:

ip message updated
1.2.3.4 botnet-filter botnet IP detected 2022-12-21T12:34:56Z

Compressed version

All filters are also available as gzip- and brotli-compressed.

Issues

This blocklist only accepts new malicious IPs from Feodo Tracker.

FAQ and Guides

See wiki

CI Variables

Optional variables:

  • CLOUDFLARE_BUILD_HOOK: Deploy to Cloudflare Pages.
  • NETLIFY_SITE_ID: Deploy to Netlify.

Repository Mirrors

https://gitlab.com/curben/blog#repository-mirrors

License

Creative Commons Zero v1.0 Universal and MIT License

Feodo Tracker: CC0

This repository is not endorsed by Abuse.ch.