Go to file
Ming Di Leom ed6f0c0d5a
docs: mention vn-badsite-filter
- https://gitlab.com/malware-filter/vn-badsite-filter
2022-12-17 00:51:30 +00:00
.github/workflows ci(ga): reuse build artifact in netlify step 2022-03-14 21:04:33 +00:00
src feat: add csv file for Splunk lookup 2022-12-17 00:34:18 +00:00
.gitignore refactor: deploy filters to gitlab pages 2022-01-08 06:01:13 +00:00
.gitlab-ci.yml ci: install jq 2022-11-20 01:42:21 +00:00
.nvmrc ci: downgrade to node 16 2022-11-01 06:58:16 +00:00
LICENSE.md Initial commit 2021-03-31 10:53:42 +00:00
README.md docs: mention vn-badsite-filter 2022-12-17 00:51:30 +00:00
package.json refactor: deploy filters to gitlab pages 2022-01-08 06:01:13 +00:00

README.md

PUP Domains Blocklist

A blocklist of domains that host potentially unwanted programs (PUP), based on the malware-discoverer. Blocklist is updated twice a day.

There are multiple formats available, refer to the appropriate section according to the program used:

For other programs, see Compatibility page in the wiki.

Check out my other filters:

URL-based

Import the following URL into uBO to subscribe:

included by default in uBO >=1.39.0; to enable, head to "Filter lists" tab, expand "Malware domains" section and tick "PUP URL Blocklist".

Mirrors

URL-based (AdGuard)

Import the following URL into AdGuard browser extension to subscribe:

Mirrors

URL-based (Vivaldi)

Requires Vivaldi Desktop/Android 3.3+, blocking level must be at least "Block Trackers"

Import the following URL into Vivaldi's Tracker Blocking Sources to subscribe:

Mirrors

Domain-based

This blocklist includes domains and IP addresses.

Mirrors

Domain-based (AdGuard Home)

This AdGuard Home-compatible blocklist includes domains and IP addresses.

Mirrors

Hosts-based

This blocklist includes domains only.

Mirrors

Dnsmasq

This blocklist includes domains only.

Install

# Create a new folder to store the blocklist
mkdir -p /usr/local/etc/dnsmasq/

# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/pup-filter-dnsmasq.conf" -o "/usr/local/etc/dnsmasq/pup-filter-dnsmasq.conf"\n' > /etc/cron.daily/pup-filter

# cron job requires execution permission
chmod 755 /etc/cron.daily/pup-filter

# Configure dnsmasq to use the blocklist
printf "\nconf-file=/usr/local/etc/dnsmasq/pup-filter-dnsmasq.conf\n" >> /etc/dnsmasq.conf
Mirrors

BIND

This blocklist includes domains only.

Install

# Create a new folder to store the blocklist
mkdir -p /usr/local/etc/bind/

# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/pup-filter-bind.conf" -o "/usr/local/etc/bind/pup-filter-bind.conf"\n' > /etc/cron.daily/pup-filter

# cron job requires execution permission
chmod 755 /etc/cron.daily/pup-filter

# Configure BIND to use the blocklist
printf '\ninclude "/usr/local/etc/bind/pup-filter-bind.conf";\n' >> /etc/bind/named.conf

Add this to "/etc/bind/null.zone.file" (skip this step if the file already exists):

$TTL    86400   ; one day
@       IN      SOA     ns.nullzone.loc. ns.nullzone.loc. (
               2017102203
                    28800
                     7200
                   864000
                    86400 )
                NS      ns.nullzone.loc.
                A       0.0.0.0
@       IN      A       0.0.0.0
*       IN      A       0.0.0.0

Zone file is derived from here.

Mirrors

Response Policy Zone

This blocklist includes domains only.

Mirrors

Unbound

This blocklist includes domains only.

Install

# Create a new folder to store the blocklist
mkdir -p /usr/local/etc/unbound/

# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/pup-filter-unbound.conf" -o "/usr/local/etc/unbound/pup-filter-unbound.conf"\n' > /etc/cron.daily/pup-filter

# cron job requires execution permission
chmod 755 /etc/cron.daily/pup-filter

# Configure Unbound to use the blocklist
printf '\n  include: "/usr/local/etc/unbound/pup-filter-unbound.conf"\n' >> /etc/unbound/unbound.conf
Mirrors

dnscrypt-proxy

Install

# Create a new folder to store the blocklist
mkdir -p /etc/dnscrypt-proxy/

# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/pup-filter-dnscrypt-blocked-names.txt" -o "/etc/dnscrypt-proxy/pup-filter-dnscrypt-blocked-names.txt"\n' > /etc/cron.daily/pup-filter

# cron job requires execution permission
chmod 755 /etc/cron.daily/pup-filter

Configure dnscrypt-proxy to use the blocklist:

[blocked_names]
+  blocked_names_file = '/etc/dnscrypt-proxy/pup-filter-dnscrypt-blocked-names.txt'
Mirrors

Tracking Protection List (IE)

This blocklist includes domains only.

Mirrors

Snort2

Not compatible with Snort3.

Install

# Download ruleset
curl -L "https://malware-filter.gitlab.io/malware-filter/pup-filter-snort2.rules" -o "/etc/snort/rules/pup-filter-snort2.rules"

# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/pup-filter-snort2.rules" -o "/etc/snort/rules/pup-filter-snort2.rules"\n' > /etc/cron.daily/pup-filter

# cron job requires execution permission
chmod 755 /etc/cron.daily/pup-filter

# Configure Snort to use the ruleset
printf "\ninclude \$RULE_PATH/pup-filter-snort2.rules\n" >> /etc/snort/snort.conf
Mirrors

Snort3

Not compatible with Snort2.

Install

# Download ruleset
curl -L "https://malware-filter.gitlab.io/malware-filter/pup-filter-snort3.rules" -o "/etc/snort/rules/pup-filter-snort3.rules"

# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/pup-filter-snort3.rules" -o "/etc/snort/rules/pup-filter-snort3.rules"\n' > /etc/cron.daily/pup-filter

# cron job requires execution permission
chmod 755 /etc/cron.daily/pup-filter

Configure Snort to use the ruleset:

# /etc/snort/snort.lua
ips =
{
  variables = default_variables,
+  include = 'rules/pup-filter-snort3.rules'
}
Mirrors

Suricata

Install

# Download ruleset
curl -L "https://malware-filter.gitlab.io/malware-filter/pup-filter-suricata.rules" -o "/etc/suricata/rules/pup-filter-suricata.rules"

# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/pup-filter-suricata.rules" -o "/etc/suricata/rules/pup-filter-suricata.rules"\n' > /etc/cron.daily/pup-filter

# cron job requires execution permission
chmod 755 /etc/cron.daily/pup-filter

Configure Suricata to use the ruleset:

# /etc/suricata/suricata.yaml
rule-files:
  - local.rules
+  - pup-filter-suricata.rules
Mirrors

Splunk

A CSV file for Splunk lookup.

Mirrors

Compressed version

All filters are also available as gzip- and brotli-compressed.

Issues

This blocklist operates by blocking the whole website, popular websites are excluded from the filters.

Popular websites are as listed in the Umbrella Popularity List (top 1M domains + subdomains), Tranco List (top 1M domains), Cloudflare Radar (top 1M domains) and this custom list.

If you wish to exclude certain website(s) that you believe is sufficiently well-known, please create an issue or merge request.

This blocklist only accepts new malicious URLs from malware-discoverer.

FAQ and Guides

See wiki

CI Variables

Optional variables:

  • CLOUDFLARE_BUILD_HOOK: Deploy to Cloudflare Pages.
  • NETLIFY_SITE_ID: Deploy to Netlify.
  • CF_API: Include Cloudflare Radar domains ranking. Guide to create an API token.

License

src/: CC0

filters: Derived from malware-discoverer with Zhouhan Chen's permission

malware-discoverer: All rights reserved by Zhouhan Chen

Tranco List: MIT License

Umbrella Popularity List: Available free of charge by Cisco Umbrella

Cloudflare Radar: Available to free Cloudflare account