11 KiB
Botnet IP Blocklist
A blocklist of botnet IPs, based on the Botnet C2 IOCs of Abuse.ch Feodo Tracker, including online and offline entries. Blocklist is updated twice a day.
This blocklist is only useful as a last line of defence after being infected. To avoid infection in the first place, consider using urlhaus-filter.
| Client | mirror 1 | mirror 2 | mirror 3 | mirror 4 | mirror 5 | mirror 6 |
|---|---|---|---|---|---|---|
| uBlock Origin, IP-based | link | link | link | link | link | link |
| AdGuard Home | link | link | link | link | link | link |
| AdGuard (browser extension) | link | link | link | link | link | link |
| Vivaldi | link | link | link | link | link | link |
| dnscrypt-proxy | link | link | link | link | link | link |
| Snort2, Snort3, Suricata | link | link | link | link | link | link |
| Splunk | link | link | link | link | link | link |
For other programs, see Compatibility page in the wiki.
Check out my other filters:
IP-based
I highly recommend to use the upstream version (update every 5 minutes): online+offline or online only.
Import the link into uBO's filter list to subscribe.
IP-based (AdGuard)
Import the link into AdGuard browser extension to subscribe.
IP-based (Vivaldi)
Requires Vivaldi Desktop/Android 3.3+, blocking level must be at least "Block Trackers"
Import the link into Vivaldi's Tracker Blocking Sources to subscribe.
Domain-based (AdGuard Home)
dnscrypt-proxy
Save the rulesets to "/etc/dnscrypt-proxy/". Refer to this guide for auto-update.
Configure dnscrypt-proxy to use the blocklist:
[blocked_ips]
+ blocked_ips_file = '/etc/dnscrypt-proxy/botnet-filter-dnscrypt-blocked-ips.txt'
Snort2
I highly recommend to use the upstream version which is updated every 5 minutes.
Save the ruleset to "/etc/snort/rules/botnet-filter-suricata.rules". Refer to this guide for auto-update. Snort 2, 3 and Suricata use the same ruleset for this blocklist.
Configure Snort to use the ruleset:
printf "\ninclude \$RULE_PATH/botnet-filter-suricata.rules\n" >> /etc/snort/snort.conf
Snort3
I highly recommend to use the upstream version which is updated every 5 minutes.
Save the ruleset to "/etc/snort/rules/botnet-filter-suricata.rules". Refer to this guide for auto-update. Snort 2, 3 and Suricata use the same ruleset for this blocklist.
Configure Snort to use the ruleset:
# /etc/snort/snort.lua
ips =
{
variables = default_variables,
+ include = 'rules/botnet-filter-suricata.rules'
}
Suricata
I highly recommend to use the upstream version which is updated every 5 minutes.
Save the ruleset to "/etc/suricata/rules/botnet-filter-suricata.rules". Refer to this guide for auto-update. Snort 2, 3 and Suricata use the same ruleset for this blocklist.
Configure Suricata to use the ruleset:
# /etc/suricata/suricata.yaml
rule-files:
- local.rules
+ - botnet-filter-suricata.rules
Splunk
A CSV file for Splunk lookup.
Either upload the file via GUI or save the file in $SPLUNK_HOME/Splunk/etc/system/lookups or app-specific $SPLUNK_HOME/etc/YourApp/apps/search/lookups.
Or use malware-filter add-on to install this lookup and optionally auto-update it.
Columns:
| ip | message | updated |
|---|---|---|
| 1.2.3.4 | botnet-filter botnet IP detected | 2022-12-21T12:34:56Z |
Compressed version
All filters are also available as gzip- and brotli-compressed.
- Gzip: https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt.gz
- Brotli: https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt.br
Issues
This blocklist only accepts new malicious IPs from Feodo Tracker.
FAQ and Guides
See wiki
CI Variables
Optional variables:
CLOUDFLARE_BUILD_HOOK: Deploy to Cloudflare Pages.NETLIFY_SITE_ID: Deploy to Netlify.
Repository Mirrors
https://gitlab.com/curben/blog#repository-mirrors
License
Creative Commons Zero v1.0 Universal and MIT License
This repository is not endorsed by Abuse.ch.