blocklist-ipsets
SSLBL needs adjustment
The update procedure for the sslbl CSV needs adjustment. Actually, it's using the first column for the IP list, but the IP list is in the second column:
################################################################
# abuse.ch SSLBL Botnet C2 IP Blacklist (CSV) #
# Last updated: 2022-07-28 10:53:43 UTC #
# #
# Terms Of Use: https://sslbl.abuse.ch/blacklist/ #
# For questions please contact sslbl [at] abuse.ch #
################################################################
#
# Firstseen,DstIP,DstPort
2022-07-28 10:53:43,62.210.57.2,1284
2022-07-27 16:58:25,165.22.226.149,8008
Procedure in update-ipsets:
# -----------------------------------------------------------------------------
# SSLBL
# https://sslbl.abuse.ch/
# by abuse.ch
# IPs with "bad" SSL certificates identified by abuse.ch to be associated with malware or botnet activities
update sslbl 30 0 ipv4 ip \
"https://sslbl.abuse.ch/blacklist/sslipblacklist.csv" \
csv_comma_first_column \
"malware" \
"[Abuse.ch SSL Blacklist](https://sslbl.abuse.ch/) bad SSL traffic related to malware or botnet activities" \
"Abuse.ch" "https://sslbl.abuse.ch/" \
can_be_empty
# The aggressive version of the SSL IP Blacklist contains all IPs that SSLBL ever detected being associated with a malicious SSL certificate. Since IP addresses can be reused (e.g. when the customer changes), this blacklist may cause false positives. Hence I highly recommend you to use the standard version instead of the aggressive one.
update sslbl_aggressive 30 0 ipv4 ip \
"https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv" \
csv_comma_first_column \
"malware" \
"[Abuse.ch SSL Blacklist](https://sslbl.abuse.ch/) The aggressive version of the SSL IP Blacklist contains all IPs that SSLBL ever detected being associated with a malicious SSL certificate. Since IP addresses can be reused (e.g. when the customer changes), this blacklist may cause false positives. Hence I highly recommend you to use the standard version instead of the aggressive one." \
"Abuse.ch" "https://sslbl.abuse.ch/" \
can_be_empty
Suggestion:
Add csv_comma_second_column():
# get the first column from the csv
csv_comma_first_column() {
    $GREP_CMD "^[0-9]" |\
    $CUT_CMD -d ',' -f 1
}

# get the second column from the csv
csv_comma_second_column() {
    $GREP_CMD "^[0-9]" |\
    $CUT_CMD -d ',' -f 2
}
and adjust the procedure accordingly:
# -----------------------------------------------------------------------------
# SSLBL
# https://sslbl.abuse.ch/
# by abuse.ch
# IPs with "bad" SSL certificates identified by abuse.ch to be associated with malware or botnet activities
update sslbl 30 0 ipv4 ip \
"https://sslbl.abuse.ch/blacklist/sslipblacklist.csv" \
csv_comma_second_column \
"malware" \
"[Abuse.ch SSL Blacklist](https://sslbl.abuse.ch/) bad SSL traffic related to malware or botnet activities" \
"Abuse.ch" "https://sslbl.abuse.ch/" \
can_be_empty
# The aggressive version of the SSL IP Blacklist contains all IPs that SSLBL ever detected being associated with a malicious SSL certificate. Since IP addresses can be reused (e.g. when the customer changes), this blacklist may cause false positives. Hence I highly recommend you to use the standard version instead of the aggressive one.
update sslbl_aggressive 30 0 ipv4 ip \
"https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv" \
csv_comma_second_column \
"malware" \
"[Abuse.ch SSL Blacklist](https://sslbl.abuse.ch/) The aggressive version of the SSL IP Blacklist contains all IPs that SSLBL ever detected being associated with a malicious SSL certificate. Since IP addresses can be reused (e.g. when the customer changes), this blacklist may cause false positives. Hence I highly recommend you to use the standard version instead of the aggressive one." \
"Abuse.ch" "https://sslbl.abuse.ch/" \
can_be_empty
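To make the column mix-up described above fail loudly instead of silently producing an ipset of timestamps, the following added example (not code from update-ipsets or the blocklist-ipsets project) generalises the helpers to a column index and validates that every extracted value is a dotted-quad IPv4 address; the sample CSV is constructed in the SSLBL layout, and GREP_CMD/CUT_CMD are assumed to default to plain grep/cut.

```shell
#!/bin/sh
# Added example, not part of update-ipsets: pick a column from the SSLBL CSV
# and check the result really is a list of IPv4 addresses.
GREP_CMD="${GREP_CMD:-grep}"   # assumed defaults; update-ipsets sets these itself
CUT_CMD="${CUT_CMD:-cut}"

# Constructed sample in the SSLBL layout: comment header, then Firstseen,DstIP,DstPort.
SAMPLE_CSV='################################################################
# abuse.ch SSLBL Botnet C2 IP Blacklist (CSV) #
# Last updated: 2022-07-28 10:53:43 UTC #
#
# Firstseen,DstIP,DstPort
2022-07-28 10:53:43,62.210.57.2,1284
2022-07-27 16:58:25,165.22.226.149,8008'

# Keep data rows (they start with a digit), drop comment rows, take column $1.
csv_comma_column() {
    $GREP_CMD "^[0-9]" | $CUT_CMD -d ',' -f "$1"
}
csv_comma_first_column()  { csv_comma_column 1; }   # Firstseen (wrong for the ipset)
csv_comma_second_column() { csv_comma_column 2; }   # DstIP (what the ipset needs)

# Exit 0 only if stdin is non-empty and every line is a.b.c.d with octets 0-255.
all_ipv4() {
    awk '
        BEGIN { ok = 1; n = 0 }
        {
            n++
            if (split($0, o, ".") != 4) { ok = 0; next }
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
        }
        END { exit (ok && n > 0) ? 0 : 1 }
    '
}

# Extract column $1 from the sample and print it only if it validates.
# extract_ips 2 prints the two addresses; extract_ips 1 returns 1 because the
# first column holds timestamps, which is exactly the bug in the current procedure.
extract_ips() {
    out=$(printf '%s\n' "$SAMPLE_CSV" | csv_comma_column "$1")
    printf '%s\n' "$out" | all_ipv4 || return 1
    printf '%s\n' "$out"
}
```

In the real update flow the same check belongs between the column extractor and the ipset write, so a feed layout change is noticed at update time rather than when the firewall silently stops matching.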