Botnet IP Blocklist

• Formats
  • IP-based
  • Domain-based (AdGuard Home)
  • IP-based (AdGuard)
  • IP-based (Vivaldi)
  • dnscrypt-proxy
  • Snort2
  • Snort3
  • Suricata
  • Splunk
• Compressed version
• Reporting issues
• FAQ and Guides
• CI Variables
• License

A blocklist of botnet IPs, based on the Botnet C2 IOCs of Abuse.ch Feodo Tracker, including online and offline entries. Blocklist is updated twice a day.

This blocklist is only useful as a last line of defence after being infected. To avoid infection in the first place, consider using urlhaus-filter.

Client	mirror 1	mirror 2	mirror 3	mirror 4	mirror 5	mirror 6
uBlock Origin, IP-based	link	link	link	link	link	link
AdGuard Home	link	link	link	link	link	link
AdGuard (browser extension)	link	link	link	link	link	link
Vivaldi	link	link	link	link	link	link
dnscrypt-proxy	link	link	link	link	link	link
Snort2, Snort3, Suricata	link	link	link	link	link	link
Splunk	link	link	link	link	link	link

For other programs, see Compatibility page in the wiki.

Check out my other filters:

• urlhaus-filter
• phishing-filter
• pup-filter
• tracking-filter
• vn-badsite-filter

IP-based

I highly recommend to use the upstream version (update every 5 minutes): online+offline or online only.

Import the link into uBO's filter list to subscribe.

IP-based (AdGuard)

Import the link into AdGuard browser extension to subscribe.

IP-based (Vivaldi)

Requires Vivaldi Desktop/Android 3.3+, blocking level must be at least "Block Trackers"

Import the link into Vivaldi's Tracker Blocking Sources to subscribe.

Domain-based (AdGuard Home)

dnscrypt-proxy

Save the rulesets to "/etc/dnscrypt-proxy/". Refer to this guide for auto-update.

Configure dnscrypt-proxy to use the blocklist:

[blocked_ips]
+  blocked_ips_file = '/etc/dnscrypt-proxy/botnet-filter-dnscrypt-blocked-ips.txt'

Snort2

I highly recommend to use the upstream version which is updated every 5 minutes.

Save the ruleset to "/etc/snort/rules/botnet-filter-suricata.rules". Refer to this guide for auto-update. Snort 2, 3 and Suricata use the same ruleset for this blocklist.

Configure Snort to use the ruleset:

printf "\ninclude \$RULE_PATH/botnet-filter-suricata.rules\n" >> /etc/snort/snort.conf

Snort3

I highly recommend to use the upstream version which is updated every 5 minutes.

Save the ruleset to "/etc/snort/rules/botnet-filter-suricata.rules". Refer to this guide for auto-update. Snort 2, 3 and Suricata use the same ruleset for this blocklist.

Configure Snort to use the ruleset:

# /etc/snort/snort.lua
ips =
{
  variables = default_variables,
+  include = 'rules/botnet-filter-suricata.rules'
}

Suricata

I highly recommend to use the upstream version which is updated every 5 minutes.

Save the ruleset to "/etc/suricata/rules/botnet-filter-suricata.rules". Refer to this guide for auto-update. Snort 2, 3 and Suricata use the same ruleset for this blocklist.

Configure Suricata to use the ruleset:

# /etc/suricata/suricata.yaml
rule-files:
  - local.rules
+  - botnet-filter-suricata.rules

Splunk

A CSV file for Splunk lookup.

Either upload the file via GUI or save the file in $SPLUNK_HOME/Splunk/etc/system/lookups or app-specific $SPLUNK_HOME/etc/YourApp/apps/search/lookups.

Or use malware-filter add-on to install this lookup and optionally auto-update it.

Columns:

ip	message	updated
1.2.3.4	botnet-filter botnet IP detected	2022-12-21T12:34:56Z

Compressed version

All filters are also available as gzip- and brotli-compressed.

• Gzip: https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt.gz
• Brotli: https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt.br

Issues

This blocklist only accepts new malicious IPs from Feodo Tracker.

FAQ and Guides

See wiki

CI Variables

Optional variables:

• CLOUDFLARE_BUILD_HOOK: Deploy to Cloudflare Pages.
• NETLIFY_SITE_ID: Deploy to Netlify.

Repository Mirrors

https://gitlab.com/curben/blog#repository-mirrors

License

Creative Commons Zero v1.0 Universal and MIT License

Feodo Tracker: CC0

This repository is not endorsed by Abuse.ch.