1cbea2cd24
got is esm only since v12 |
||
---|---|---|
.github/workflows | ||
src | ||
.gitignore | ||
.gitlab-ci.yml | ||
.nvmrc | ||
LICENSE | ||
LICENSE-CC0.md | ||
README.md | ||
package.json |
README.md
Malicious URL Blocklist
- Lite version
- Full version
- Formats
- Compressed version
- Reporting issues
- Cloning
- FAQ and Guides
- CI Variables
- License
A blocklist of malicious websites that are being used for malware distribution, based on the Database dump (CSV) of Abuse.ch URLhaus. Blocklist is updated twice a day.
Lite version (online links only)
Client | mirror 1 | mirror 2 | mirror 3 | mirror 4 | mirror 5 | mirror 6 |
---|---|---|---|---|---|---|
uBlock Origin | link | link | link | link | link | link |
Pi-hole | link | link | link | link | link | link |
AdGuard Home | link | link | link | link | link | link |
AdGuard (browser extension) | link | link | link | link | link | link |
Vivaldi | link | link | link | link | link | link |
Hosts | link | link | link | link | link | link |
Dnsmasq | link | link | link | link | link | link |
BIND zone | link | link | link | link | link | link |
BIND RPZ | link | link | link | link | link | link |
dnscrypt-proxy | names-online.txt, ips-online.txt | names-online.txt, ips-online.txt | names-online.txt, ips-online.txt | names-online.txt, ips-online.txt | names-online.txt, ips-online.txt | names-online.txt, ips-online.txt |
Internet Explorer | link | link | link | link | link | link |
Snort2 | link | link | link | link | link | link |
Snort3 | link | link | link | link | link | link |
Suricata | link | link | link | link | link | link |
Splunk | link | link | link | link | link | link |
Full version
Client | mirror 1 | mirror 2 | mirror 3 | mirror 4 | mirror 5 | mirror 6 |
---|---|---|---|---|---|---|
uBlock Origin | link | link | link | link | link | link |
Pi-hole | link | link | link | link | link | link |
AdGuard Home | link | link | link | link | link | link |
AdGuard (browser extension) | link | link | link | link | link | link |
Vivaldi | link | link | link | link | link | link |
Hosts | link | link | link | link | link | link |
Dnsmasq | link | link | link | link | link | link |
BIND zone | link | link | link | link | link | link |
BIND RPZ | link | link | link | link | link | link |
dnscrypt-proxy | names.txt, ips.txt | names.txt, ips.txt | names.txt, ips.txt | names.txt, ips.txt | names.txt, ips.txt | names.txt, ips.txt |
Internet Explorer | link | link | link | link | link | link |
For other programs, see Compatibility page in the wiki.
Check out my other filters:
URL-based
Import the full version into uBO to block online and offline malicious websites.
Lite version includes online links only. Enabled by default in uBO >=1.28.2
Note: Lite version is 99% smaller by excluding offline urls. The status of urls is determined by the upstream Abuse.ch. However, the test is not 100% accurate and some malicious urls that are otherwise accessible may be missed. If bandwidth (9 MB/day) is not a constraint, I recommend the regular version; browser extensions may utilise HTTP compression that can save 70% of bandwidth.
Regular version contains >260K filters, do note that uBO can easily handle 500K filters.
If you've installed the lite version but prefer to use the regular version, it's better to remove it beforehand. Having two versions at the same time won't cause any conflict issue, uBO can detect duplicate network filters and adjust accordingly, but it's a waste of your bandwidth.
AdGuard Home users should use this blocklist.
URL-based (AdGuard)
Import the full version into AdGuard browser extensions to block online and offline malicious websites.
Lite version includes online links only.
URL-based (Vivaldi)
Requires Vivaldi Desktop/Android 3.3+, blocking level must be at least "Block Trackers"
Import the full version into Vivaldi's Tracker Blocking Sources to block online and offline malicious websites.
Lite version includes online links only.
Domain-based
This blocklist includes domains and IP addresses.
Domain-based (AdGuard Home)
This AdGuard Home-compatible blocklist includes domains and IP addresses.
Hosts-based
This blocklist includes domains only.
Dnsmasq
This blocklist includes domains only.
Save the ruleset to "/usr/local/etc/dnsmasq/urlhaus-filter-dnsmasq.conf". Refer to this guide for auto-update.
Configure dnsmasq to use the blocklist:
printf "\nconf-file=/usr/local/etc/dnsmasq/urlhaus-filter-dnsmasq.conf\n" >> /etc/dnsmasq.conf
BIND
This blocklist includes domains only.
Save the ruleset to "/usr/local/etc/bind/urlhaus-filter-bind.conf". Refer to this guide for auto-update.
Configure BIND to use the blocklist:
printf '\ninclude "/usr/local/etc/bind/urlhaus-filter-bind.conf";\n' >> /etc/bind/named.conf
Add this to "/etc/bind/null.zone.file" (skip this step if the file already exists):
$TTL 86400 ; one day
@ IN SOA ns.nullzone.loc. ns.nullzone.loc. (
2017102203
28800
7200
864000
86400 )
NS ns.nullzone.loc.
A 0.0.0.0
@ IN A 0.0.0.0
* IN A 0.0.0.0
Zone file is derived from here.
Response Policy Zone
This blocklist includes domains only.
Unbound
This blocklist includes domains only.
Save the rulesets to "/usr/local/etc/unbound/urlhaus-filter-unbound.conf". Refer to this guide for auto-update.
Configure Unbound to use the blocklist:
printf '\n include: "/usr/local/etc/unbound/urlhaus-filter-unbound.conf"\n' >> /etc/unbound/unbound.conf
dnscrypt-proxy
Save the rulesets to "/etc/dnscrypt-proxy/". Refer to this guide for auto-update.
Configure dnscrypt-proxy to use the blocklist:
[blocked_names]
+ blocked_names_file = '/etc/dnscrypt-proxy/urlhaus-filter-dnscrypt-blocked-names.txt'
[blocked_ips]
+ blocked_ips_file = '/etc/dnscrypt-proxy/urlhaus-filter-dnscrypt-blocked-ips.txt'
Tracking Protection List (IE)
This blocklist includes domains only. Supported in Internet Explorer 9+.
Snort2
This ruleset includes online URLs only. Not compatible with Snort3. Save the ruleset to "/etc/snort/rules/urlhaus-filter-snort2-online.rules". Refer to this guide for auto-update.
Configure Snort to use the ruleset:
printf "\ninclude \$RULE_PATH/urlhaus-filter-snort2-online.rules\n" >> /etc/snort/snort.conf
Snort3
This ruleset includes online URLs only. Not compatible with Snort2.
Save the ruleset to "/etc/snort/rules/urlhaus-filter-snort3-online.rules". Refer to this guide for auto-update.
Configure Snort to use the ruleset:
# /etc/snort/snort.lua
ips =
{
variables = default_variables,
+ include = 'rules/urlhaus-filter-snort3-online.rules'
}
Suricata
This ruleset includes online URLs only.
Save the ruleset to "/etc/suricata/rules/urlhaus-filter-suricata-online.rules". Refer to this guide for auto-update.
Configure Suricata to use the ruleset:
# /etc/suricata/suricata.yaml
rule-files:
- local.rules
+ - urlhaus-filter-suricata-online.rules
Splunk
A CSV file for Splunk lookup. This ruleset includes online URLs only.
Either upload the file via GUI or save the file in $SPLUNK_HOME/Splunk/etc/system/lookups
or app-specific $SPLUNK_HOME/etc/YourApp/apps/search/lookups
Or use malware-filter add-on to install this lookup and optionally auto-update it.
Columns:
host | path | message | updated |
---|---|---|---|
example.com | urlhaus-filter malicious website detected | 2022-12-21T12:34:56Z | |
example2.com | /some-path | urlhaus-filter malicious website detected | 2022-12-21T12:34:56Z |
Third-party mirrors
iosprivacy/urlhaus-filter-mirror
TBC
Compressed version
All filters are also available as gzip- and brotli-compressed.
- Gzip: https://malware-filter.gitlab.io/malware-filter/urlhaus-filter.txt.gz
- Brotli: https://malware-filter.gitlab.io/malware-filter/urlhaus-filter.txt.br
Issues
This blocklist operates by blocking the whole website, instead of specific webpages; exceptions are made on popular websites (e.g. https://docs.google.com/
), in which webpages are specified instead (e.g. https://docs.google.com/malware-page
). Malicious webpages are only listed in the URL-based filter, popular websites are excluded from other filters.
Popular websites are as listed in the Umbrella Popularity List (top 1M domains + subdomains), Tranco List (top 1M domains), Cloudflare Radar (top 1M domains) and this custom list.
If you wish to exclude certain website(s) that you believe is sufficiently well-known, please create an issue or merge request. If the website is quite obscure but you still want to visit it, you can add a new line ||legitsite.com^$badfilter
to "My filters" tab of uBO; use a subdomain if relevant, ||sub.legitsite.com^$badfilter
.
This filter only accepts new malware URLs from URLhaus.
Please report new malware URL to the upstream maintainer through https://urlhaus.abuse.ch/api/#submit.
Cloning
Since the filter is updated frequently, cloning the repo would become slower over time as the revision grows.
Use shallow clone to get the recent revisions only. Getting the last five revisions should be sufficient for a valid MR.
git clone --depth 5 https://gitlab.com/malware-filter/urlhaus-filter.git
FAQ and Guides
See wiki
CI Variables
Optional variables:
CLOUDFLARE_BUILD_HOOK
: Deploy to Cloudflare Pages.NETLIFY_SITE_ID
: Deploy to Netlify.CF_API
: Include Cloudflare Radar domains ranking. Guide to create an API token.
Repository Mirrors
https://gitlab.com/curben/blog#repository-mirrors
License
Creative Commons Zero v1.0 Universal and MIT License
Umbrella Popularity List: Available free of charge by Cisco Umbrella
Cloudflare Radar: Available to free Cloudflare account
This repository is not endorsed by Abuse.ch.