Botnet IP Blocklist

A blocklist of botnet IPs, based on the Botnet C2 IOCs of Abuse.ch Feodo Tracker, including online and offline entries. Blocklist is updated twice a day.

This blocklist is only useful as a last line of defence after being infected. To avoid infection in the first place, consider using urlhaus-filter.

There are multiple formats available; refer to the appropriate section for the program you use:

For other programs, see Compatibility page in the wiki.

Check out my other filters:

IP-based

I highly recommend using the upstream version (updated every 5 minutes): online+offline or online only.

Import the following URL into uBO to subscribe:


IP-based (AdGuard)

Import the following URL into AdGuard browser extension to subscribe:


IP-based (Vivaldi)

Requires Vivaldi Desktop/Android 3.3+; the blocking level must be at least "Block Trackers".

Import the following URL into Vivaldi's Tracker Blocking Sources to subscribe:


Domain-based (AdGuard Home)

This AdGuard Home-compatible blocklist includes domains and IP addresses.


dnscrypt-proxy

Save the rulesets to "/etc/dnscrypt-proxy/". Refer to this guide for auto-update.

Configure dnscrypt-proxy to use the blocklist:

```diff
[blocked_ips]
+  blocked_ips_file = '/etc/dnscrypt-proxy/botnet-filter-dnscrypt-blocked-ips.txt'
```

Snort2

I highly recommend using the upstream version, which is updated every 5 minutes.

Save the ruleset to "/etc/snort/rules/botnet-filter-suricata.rules". Refer to this guide for auto-update. Snort 2, 3 and Suricata use the same ruleset for this blocklist.

Configure Snort to use the ruleset:

```sh
printf "\ninclude \$RULE_PATH/botnet-filter-suricata.rules\n" >> /etc/snort/snort.conf
```

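The `printf ... >> /etc/snort/snort.conf` step above appends the include line unconditionally, so running it a second time (by hand or from a config-management loop) leaves Snort with duplicate includes. The following is an added example, not code from the botnet-filter project or from Snort: a small Python helper that adds the same `include $RULE_PATH/botnet-filter-suricata.rules` line only when an identical one is not already present. It takes the config path as an argument and ships with a `scratch_conf` helper so it can be tried on a throwaway copy before touching the real `/etc/snort/snort.conf`; the config contents used in the demo are constructed.

```python
"""Idempotent version of the snort.conf include step (added example, not part of
the botnet-filter project or of Snort)."""
import tempfile
from pathlib import Path

# The exact line the README's printf one-liner appends.
INCLUDE_LINE = "include $RULE_PATH/botnet-filter-suricata.rules"


def ensure_include(conf_path, line=INCLUDE_LINE) -> bool:
    """Append `line` to the Snort 2 config at conf_path unless it is already there.

    Returns True if the file was changed, False if the line was already present.
    Comparison ignores surrounding whitespace so an indented copy still counts.
    """
    conf = Path(conf_path)
    existing = conf.read_text().splitlines()
    if any(entry.strip() == line for entry in existing):
        return False
    with conf.open("a") as handle:
        handle.write("\n" + line + "\n")  # same layout the printf one-liner produces
    return True


def include_count(conf_path, line=INCLUDE_LINE) -> int:
    """Number of times `line` occurs in the config (should be exactly 1 after ensure_include)."""
    lines = Path(conf_path).read_text().splitlines()
    return sum(1 for entry in lines if entry.strip() == line)


def scratch_conf(initial_text: str) -> str:
    """Write a throwaway config file for trying the helper; returns its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as tmp:
        tmp.write(initial_text)
    return tmp.name


if __name__ == "__main__":
    # Demo on a constructed scratch config, not the real /etc/snort/snort.conf.
    path = scratch_conf("ipvar HOME_NET any\ninclude $RULE_PATH/local.rules\n")
    print(ensure_include(path))  # True: line added
    print(ensure_include(path))  # False: already present, nothing appended
    print(include_count(path))   # 1
```

Once the include is in place, reload Snort as usual; the helper only edits the config file and does not restart the service.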

Snort3

I highly recommend using the upstream version, which is updated every 5 minutes.

Save the ruleset to "/etc/snort/rules/botnet-filter-suricata.rules". Refer to this guide for auto-update. Snort 2, 3 and Suricata use the same ruleset for this blocklist.

Configure Snort to use the ruleset:

```diff
# /etc/snort/snort.lua
ips =
{
  variables = default_variables,
+  include = 'rules/botnet-filter-suricata.rules'
}
```

Suricata

I highly recommend using the upstream version, which is updated every 5 minutes.

Save the ruleset to "/etc/suricata/rules/botnet-filter-suricata.rules". Refer to this guide for auto-update. Snort 2, 3 and Suricata use the same ruleset for this blocklist.

Configure Suricata to use the ruleset:

```diff
# /etc/suricata/suricata.yaml
rule-files:
  - local.rules
+  - botnet-filter-suricata.rules
```

Splunk

A CSV file for Splunk lookup.

Either upload the file via GUI or save the file in $SPLUNK_HOME/Splunk/etc/system/lookups or app-specific $SPLUNK_HOME/etc/YourApp/apps/search/lookups. Refer to this guide or Getwatchlist app for auto-update.

Columns:

| ip | message | updated |
| --- | --- | --- |
| 1.2.3.4 | botnet-filter botnet IP detected | 2022-12-21T12:34:56Z |
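What a lookup against this CSV actually does can be shown outside Splunk. The script below is an added example, not code from the botnet-filter project or from Splunk: it parses the three-column file (`ip`, `message`, `updated`), then scans firewall-style log lines for a destination IP that appears in it, returning the matching row and the indicator's `updated` timestamp for each hit. The CSV rows and log lines are constructed samples (only the `1.2.3.4` row mirrors the README's example row; `198.51.100.7` and `93.184.216.34` are documentation addresses), and the `src=`/`dst=` log layout is an assumption for the demo.

```python
"""Match log lines against the Splunk lookup CSV (added example, not part of the
botnet-filter project or of Splunk)."""
import csv
import io
import ipaddress
import re
from datetime import datetime, timezone

# Constructed lookup contents in the same three-column layout as the real CSV.
LOOKUP_CSV = """ip,message,updated
1.2.3.4,botnet-filter botnet IP detected,2022-12-21T12:34:56Z
198.51.100.7,botnet-filter botnet IP detected,2022-12-20T08:00:00Z
"""

# Constructed firewall-style log lines: "<ts> src=<ip> dst=<ip> ..." (assumed layout).
SAMPLE_LOGS = [
    "2022-12-21T13:00:01Z src=10.0.0.5 dst=1.2.3.4 dport=443 action=allow",
    "2022-12-21T13:00:02Z src=10.0.0.6 dst=93.184.216.34 dport=80 action=allow",
    "2022-12-21T13:00:03Z src=10.0.0.5 dst=198.51.100.7 dport=8080 action=allow",
    "2022-12-21T13:00:04Z src=10.0.0.9 dst=not-an-ip dport=22 action=deny",
]

DST_RE = re.compile(r"\bdst=(\S+)")


def load_lookup(text: str) -> dict:
    """Parse the CSV into {ip: {"message": str, "updated": aware datetime}}.

    Rows whose ip column is not a valid address are skipped rather than matched,
    so a malformed row cannot silently become a wildcard.
    """
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        try:
            ip = str(ipaddress.ip_address(row["ip"].strip()))
        except ValueError:
            continue
        updated = datetime.strptime(row["updated"].strip(), "%Y-%m-%dT%H:%M:%SZ")
        table[ip] = {
            "message": row["message"],
            "updated": updated.replace(tzinfo=timezone.utc),
        }
    return table


def match_logs(lines, lookup) -> list:
    """Return one dict per log line whose dst= field is an IP in the lookup."""
    hits = []
    for line in lines:
        found = DST_RE.search(line)
        if not found:
            continue
        try:
            dst = str(ipaddress.ip_address(found.group(1)))
        except ValueError:
            continue  # dst field is not an address; nothing to look up
        entry = lookup.get(dst)
        if entry:
            hits.append({
                "line": line,
                "ip": dst,
                "message": entry["message"],
                "updated": entry["updated"].isoformat(),
            })
    return hits


def main():
    lookup = load_lookup(LOOKUP_CSV)
    for hit in match_logs(SAMPLE_LOGS, lookup):
        print(f"{hit['message']}: {hit['ip']} (indicator updated {hit['updated']})")
        print("  " + hit["line"])


if __name__ == "__main__":
    main()
```

Inside Splunk the same join is done with the `lookup` command, matching your destination-IP field against the `ip` column and outputting `message` and `updated`; the `updated` value is worth keeping in the alert, since it tells the analyst how fresh the indicator was when the connection was seen.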

Compressed version

All filters are also available in gzip- and brotli-compressed versions.

Issues

This blocklist only accepts new malicious IPs from Feodo Tracker.

FAQ and Guides

See the wiki.

CI Variables

Optional variables:

  • CLOUDFLARE_BUILD_HOOK: Deploy to Cloudflare Pages.
  • NETLIFY_SITE_ID: Deploy to Netlify.

License

Creative Commons Zero v1.0 Universal

Feodo Tracker: CC0

This repository is not endorsed by Abuse.ch.