8c34499da5
- https://about.gitlab.com/blog/2021/11/11/public-project-minute-limits - https://about.gitlab.com/blog/2022/02/04/ultimate-perks-for-open-source-projects |
||
|---|---|---|
| .github/workflows | ||
| src | ||
| .gitignore | ||
| .gitlab-ci.yml | ||
| .nvmrc | ||
| LICENSE.md | ||
| README.md | ||
| package.json | ||
README.md
PUP Domains Blocklist
Announcement: curben.gitlab.io will be migrated to malware-filter.gitlab.io on 2022/05/21
A blocklist of domains that host potentially unwanted programs (PUP), based on the malware-discoverer. Blocklist is updated twice a day.
There are multiple formats available, refer to the appropriate section according to the program used:
- uBlock Origin (uBO) -> URL-based section (recommended)
- Pi-hole -> Domain-based or Hosts-based section
- AdGuard Home -> Domain-based (AdGuard Home) or Hosts-based section
- AdGuard browser extension -> URL-based (AdGuard)
- Vivaldi -> URL-based (Vivaldi)
- Hosts
- Dnsmasq
- BIND -> BIND zone or RPZ
- Unbound
- dnscrypt-proxy
- Internet Explorer -> Tracking Protection List (IE)
- Snort2
- Snort3
- Suricata
Not sure which format to choose? See Compatibility page.
Check out my other filters:
URL-based
Import the following URL into uBO to subscribe:
included by default in uBO >=1.39.0; to enable, head to "Filter lists" tab, expand "Malware domains" section and tick "PUP URL Blocklist".
Mirrors
URL-based (AdGuard)
Import the following URL into AdGuard browser extension to subscribe:
Mirrors
URL-based (Vivaldi)
Requires Vivaldi Desktop/Android 3.3+, blocking level must be at least "Block Trackers"
Import the following URL into Vivaldi's Tracker Blocking Sources to subscribe:
Mirrors
Domain-based
This blocklist includes domains and IP addresses.
Mirrors
Domain-based (AdGuard Home)
This AdGuard Home-compatible blocklist includes domains and IP addresses.
Mirrors
Hosts-based
This blocklist includes domains only.
Mirrors
Dnsmasq
This blocklist includes domains only.
Install
# Create a new folder to store the blocklist
mkdir -p /usr/local/etc/dnsmasq/
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/pup-filter-dnsmasq.conf" -o "/usr/local/etc/dnsmasq/pup-filter-dnsmasq.conf"\n' > /etc/cron.daily/pup-filter
# cron job requires execution permission
chmod 755 /etc/cron.daily/pup-filter
# Configure dnsmasq to use the blocklist
printf "\nconf-file=/usr/local/etc/dnsmasq/pup-filter-dnsmasq.conf\n" >> /etc/dnsmasq.conf
Mirrors
BIND
This blocklist includes domains only.
Install
# Create a new folder to store the blocklist
mkdir -p /usr/local/etc/bind/
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/pup-filter-bind.conf" -o "/usr/local/etc/bind/pup-filter-bind.conf"\n' > /etc/cron.daily/pup-filter
# cron job requires execution permission
chmod 755 /etc/cron.daily/pup-filter
# Configure BIND to use the blocklist
printf '\ninclude "/usr/local/etc/bind/pup-filter-bind.conf";\n' >> /etc/bind/named.conf
Add this to "/etc/bind/null.zone.file" (skip this step if the file already exists):
$TTL 86400 ; one day
@ IN SOA ns.nullzone.loc. ns.nullzone.loc. (
2017102203
28800
7200
864000
86400 )
NS ns.nullzone.loc.
A 0.0.0.0
@ IN A 0.0.0.0
* IN A 0.0.0.0
Zone file is derived from here.
Mirrors
Response Policy Zone
This blocklist includes domains only.
Mirrors
Unbound
This blocklist includes domains only.
Install
# Create a new folder to store the blocklist
mkdir -p /usr/local/etc/unbound/
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/pup-filter-unbound.conf" -o "/usr/local/etc/unbound/pup-filter-unbound.conf"\n' > /etc/cron.daily/pup-filter
# cron job requires execution permission
chmod 755 /etc/cron.daily/pup-filter
# Configure Unbound to use the blocklist
printf '\n include: "/usr/local/etc/unbound/pup-filter-unbound.conf"\n' >> /etc/unbound/unbound.conf
Mirrors
dnscrypt-proxy
Install
# Create a new folder to store the blocklist
mkdir -p /etc/dnscrypt-proxy/
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/pup-filter-dnscrypt-blocked-names.txt" -o "/etc/dnscrypt-proxy/pup-filter-dnscrypt-blocked-names.txt"\n' > /etc/cron.daily/pup-filter
# cron job requires execution permission
chmod 755 /etc/cron.daily/pup-filter
Configure dnscrypt-proxy to use the blocklist:
[blocked_names]
+ blocked_names_file = '/etc/dnscrypt-proxy/pup-filter-dnscrypt-blocked-names.txt'
Mirrors
- https://curbengh.github.io/malware-filter/pup-filter-dnscrypt-blocked-names.txt
- https://curbengh.github.io/pup-filter/pup-filter-dnscrypt-blocked-names.txt
- https://curben.gitlab.io/pup-filter/pup-filter-dnscrypt-blocked-names.txt
- https://malware-filter.pages.dev/pup-filter-dnscrypt-blocked-names.txt
- https://pup-filter.pages.dev/pup-filter-dnscrypt-blocked-names.txt
Tracking Protection List (IE)
This blocklist includes domains only.
Mirrors
Snort2
This ruleset includes online URLs only. Not compatible with Snort3.
Install
# Download ruleset
curl -L "https://curben.gitlab.io/malware-filter/pup-filter-snort2.rules" -o "/etc/snort/rules/pup-filter-snort2.rules"
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/pup-filter-snort2.rules" -o "/etc/snort/rules/pup-filter-snort2.rules"\n' > /etc/cron.daily/pup-filter
# cron job requires execution permission
chmod 755 /etc/cron.daily/pup-filter
# Configure Snort to use the ruleset
printf "\ninclude \$RULE_PATH/pup-filter-snort2.rules\n" >> /etc/snort/snort.conf
Mirrors
Snort3
This ruleset includes online URLs only. Not compatible with Snort2.
Install
# Download ruleset
curl -L "https://curben.gitlab.io/malware-filter/pup-filter-snort3.rules" -o "/etc/snort/rules/pup-filter-snort3.rules"
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/pup-filter-snort3.rules" -o "/etc/snort/rules/pup-filter-snort3.rules"\n' > /etc/cron.daily/pup-filter
# cron job requires execution permission
chmod 755 /etc/cron.daily/pup-filter
Configure Snort to use the ruleset:
# /etc/snort/snort.lua
ips =
{
variables = default_variables,
+ include = 'rules/pup-filter-snort3.rules'
}
Mirrors
Suricata
This ruleset includes online URLs only.
Install
# Download ruleset
curl -L "https://curben.gitlab.io/malware-filter/pup-filter-suricata.rules" -o "/etc/suricata/rules/pup-filter-suricata.rules"
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/pup-filter-suricata.rules" -o "/etc/suricata/rules/pup-filter-suricata.rules"\n' > /etc/cron.daily/pup-filter
# cron job requires execution permission
chmod 755 /etc/cron.daily/pup-filter
Configure Suricata to use the ruleset:
# /etc/suricata/suricata.yaml
rule-files:
- local.rules
+ - pup-filter-suricata.rules
Mirrors
- https://curbengh.github.io/malware-filter/pup-filter-suricata.rules
- https://curbengh.github.io/pup-filter/pup-filter-suricata.rules
- https://curben.gitlab.io/pup-filter/pup-filter-suricata.rules
- https://malware-filter.pages.dev/pup-filter-suricata.rules
- https://pup-filter.pages.dev/pup-filter-suricata.rules
Issues
This blocklist operates by blocking the whole website, popular websites are excluded from the filters.
Popular websites are as listed in the Umbrella Popularity List (top 1M domains + subdomains), Tranco List (top 1M domains) and this custom list.
If you wish to exclude certain website(s) that you believe is sufficiently well-known, please create an issue or merge request.
This blocklist only accepts new malicious URLs from malware-discoverer.
FAQ and Guides
See wiki
License
filters: Derived from malware-discoverer with Zhouhan Chen's permission
malware-discoverer: All rights reserved by Zhouhan Chen
Tranco List: MIT License
Umbrella Popularity List: Available free of charge by Cisco Umbrella