* [PATCH 1/2] ipblocklist-sources: Update to include the 3CORESec ip blocklists @ 2024-06-24 15:10 Adolf Belka 2024-06-24 15:10 ` [PATCH 2/2] ipblocklist-sources: Update to include the Abuse.ch Botnet C2 ip blocklist Adolf Belka 0 siblings, 1 reply; 5+ messages in thread From: Adolf Belka @ 2024-06-24 15:10 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 2178 bytes --] - The patch for this was created by Stefan Schantl - Blocklist addition was discussed and agreed at IPFire dev conf call in June 2024. - Tested on vm system. - The combined list was removed because it is just the three others which can be selected in the WUI to give the equivalent result. Created-by: Stefan Schantl <stefan.schantl(a)ipfire.org> Tested-by: Adolf Belka <adolf.belka(a)ipfire.org> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- config/ipblocklist/sources | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources index 0835c0f9c..69f964dd9 100644 --- a/config/ipblocklist/sources +++ b/config/ipblocklist/sources 
@@ -124,5 +124,23 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'info' => 'https://www.blocklist.de', 'parser' => 'ip-or-net-list', 'rate' => '30m', - 'category' => 'attacker' } + 'category' => 'attacker' }, + '3CORESEC_SSH' => { 'name' => '3CORESec SSH Activity Blocklist', + 'url' => 'https://blacklist.3coresec.net/lists/ssh.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'attacker' }, + '3CORESEC_SCAN' => { 'name' => '3CORESec Scan and IDS Blocklist', + 'url' => 'https://blacklist.3coresec.net/lists/misc.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'reputation' }, + '3CORESEC_WEB' => { 'name' => '3CORESec Web Server Activity Blocklist', + 'url' => 'https://blacklist.3coresec.net/lists/http.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'attacker' } ); -- 2.45.2 ^ permalink raw reply [flat|nested] 5+ messages in thread
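Review bot: the commit message says the combined list "was removed", but the diffstat (19 insertions, 1 deletion) and the hunk at `@@ -124,5 +124,23 @@` only add the three 3CORESEC entries and a comma after the preceding `'category' => 'attacker' }`, so nothing is removed from the tree. Reword the message to say what the list was removed from, for example an earlier version of the patch. In the same hunk, 3CORESEC_SCAN is categorised `'reputation'` while 3CORESEC_SSH and 3CORESEC_WEB are `'attacker'`; a short justification in the commit message would help anyone auditing which categories a firewall policy enables.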
* [PATCH 2/2] ipblocklist-sources: Update to include the Abuse.ch Botnet C2 ip blocklist 2024-06-24 15:10 [PATCH 1/2] ipblocklist-sources: Update to include the 3CORESec ip blocklists Adolf Belka @ 2024-06-24 15:10 ` Adolf Belka 2024-07-03 12:59 ` Charles Brown 0 siblings, 1 reply; 5+ messages in thread From: Adolf Belka @ 2024-06-24 15:10 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1149 bytes --] - Blocklist addition was discussed and agreed at IPFire dev conf call in June 2024. - Tested on vm system. Tested-by: Adolf Belka <adolf.belka(a)ipfire.org> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- config/ipblocklist/sources | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources index 69f964dd9..1cef06dd1 100644 --- a/config/ipblocklist/sources +++ b/config/ipblocklist/sources @@ -142,5 +142,11 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'info' => 'https://blacklist.3coresec.net', 'parser' => 'ip-or-net-list', 'rate' => '1d', - 'category' => 'attacker' } + 'category' => 'attacker' }, + 'ABUSECH_BOTNETC2' => { 'name' => 'ABUSE.ch Botnet C2 IP Blocklist', + 'url' => 'https://sslbl.abuse.ch/blacklist/sslipblacklist.txt', + 'info' => 'https://sslbl.abuse.ch/blacklist#botnet-c2-ips-csv', + 'parser' => 'ip-or-net-list', + 'rate' => '5m', + 'category' => 'reputation' } ); -- 2.45.2 ^ permalink raw reply [flat|nested] 5+ messages in thread
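Review bot: in the new ABUSECH_BOTNETC2 entry the list is named "Botnet C2 IP Blocklist" but is given `'category' => 'reputation'`, whereas the existing abuse.ch Feodo entry visible elsewhere in this file uses `'category' => 'c and c'`. Either use the same category or state in the commit message why this C2 list is treated as reputation data. The `'info'` URL anchor (`#botnet-c2-ips-csv`) also points at the CSV variant while `'url'` fetches `sslipblacklist.txt`, so it is worth confirming in the message that the .txt format is what `ip-or-net-list` was tested against.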
* Re: [PATCH 2/2] ipblocklist-sources: Update to include the Abuse.ch Botnet C2 ip blocklist 2024-06-24 15:10 ` [PATCH 2/2] ipblocklist-sources: Update to include the Abuse.ch Botnet C2 ip blocklist Adolf Belka @ 2024-07-03 12:59 ` Charles Brown 2024-07-03 13:03 ` Charles Brown 0 siblings, 1 reply; 5+ messages in thread From: Charles Brown @ 2024-07-03 12:59 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 8145 bytes --] Hi Adolf & Stefan, I noticed some indentation inconsistencies in this ipblocklist sources file -- some old, some new with this commit. Here is my (perhaps naive) attempt to patch the indentation issues. --- diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources index 1cef06dd1..eefd1a8d5 100644 --- a/config/ipblocklist/sources +++ b/config/ipblocklist/sources @@ -36,14 +36,15 @@ package IPblocklist::List; -our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklist', +our %sources = ( + 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklist', 'url' => 'https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt', 'info' => 'https://doc.emergingthreats.net/bin/view/Main/EmergingFirewallRules', 'parser' => 'ip-or-net-list', 'rate' => '1h', 'category' => 'composite', 'disable' => ['FEODO_RECOMMENDED', 'FEODO_IP', 'FEODO_AGGRESSIVE', 'SPAMHAUS_DROP', 'DSHIELD'] }, - 'EMERGING_COMPROMISED' => { 'name' => 'Emerging Threats Compromised IPs', + 'EMERGING_COMPROMISED' => { 'name' => 'Emerging Threats Compromised IPs', 'url' => 'https://rules.emergingthreats.net/blockrules/compromised-ips.txt', 'info' => 'https://doc.emergingthreats.net/bin/view/Main/CompromisedHost', 'parser' => 'ip-or-net-list', 
@@ -74,7 +75,7 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'rate' => '5m', 'category' => 'c and c', 'disable' => 'FEODO_RECOMMENDED' }, - 'FEODO_AGGRESSIVE' => { 'name' => 'Feodo Trojan IP Blocklist (Aggressive)', + 'FEODO_AGGRESSIVE' => { 'name' => 'Feodo Trojan IP Blocklist (Aggressive)', 'url' => 'https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.txt', 'info' => 'https://feodotracker.abuse.ch/blocklist', 'parser' => 'ip-or-net-list', 
@@ -126,27 +127,27 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'rate' => '30m', 'category' => 'attacker' }, '3CORESEC_SSH' => { 'name' => '3CORESec SSH Activity Blocklist', - 'url' => 'https://blacklist.3coresec.net/lists/ssh.txt', - 'info' => 'https://blacklist.3coresec.net', - 'parser' => 'ip-or-net-list', - 'rate' => '1d', - 'category' => 'attacker' }, + 'url' => 'https://blacklist.3coresec.net/lists/ssh.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'attacker' }, '3CORESEC_SCAN' => { 'name' => '3CORESec Scan and IDS Blocklist', - 'url' => 'https://blacklist.3coresec.net/lists/misc.txt', - 'info' => 'https://blacklist.3coresec.net', - 'parser' => 'ip-or-net-list', - 'rate' => '1d', - 'category' => 'reputation' }, - '3CORESEC_WEB' => { 'name' => '3CORESec Web Server Activity Blocklist', - 'url' => 'https://blacklist.3coresec.net/lists/http.txt', - 'info' => 'https://blacklist.3coresec.net', - 'parser' => 'ip-or-net-list', - 'rate' => '1d', - 'category' => 'attacker' }, - 'ABUSECH_BOTNETC2' => { 'name' => 'ABUSE.ch Botnet C2 IP Blocklist', - 'url' => 'https://sslbl.abuse.ch/blacklist/sslipblacklist.txt', - 'info' => 'https://sslbl.abuse.ch/blacklist#botnet-c2-ips-csv', - 'parser' => 'ip-or-net-list', - 'rate' => '5m', - 'category' => 'reputation' } + 'url' => 'https://blacklist.3coresec.net/lists/misc.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'reputation' }, + '3CORESEC_WEB' => { 'name' => '3CORESec Web Server Activity Blocklist', + 'url' => 'https://blacklist.3coresec.net/lists/http.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'attacker' }, + 'ABUSECH_BOTNETC2' => { 'name' => 'ABUSE.ch Botnet C2 IP Blocklist', + 'url' => 'https://sslbl.abuse.ch/blacklist/sslipblacklist.txt', + 'info' => 
'https://sslbl.abuse.ch/blacklist#botnet-c2-ips-csv', + 'parser' => 'ip-or-net-list', + 'rate' => '5m', + 'category' => 'reputation' } ); ^ permalink raw reply [flat|nested] 5+ messages in thread
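Review bot: in the last hunk (`@@ -126,27 +127,27 @@`) the added `'info' =>` line for ABUSECH_BOTNETC2 is wrapped, leaving its URL value on a continuation line with no `+` prefix, so the hunk is corrupt and will not apply as posted. Since every visible `-`/`+` pair differs only in whitespace, any mail-side reflow also destroys the change itself; resend with `git send-email` or attach the output of `git format-patch` so the whitespace survives. The `index 1cef06dd1..eefd1a8d5` line shows it is based on the tree with patch 2/2 applied, which should be stated for whoever merges it.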
* Re: [PATCH 2/2] ipblocklist-sources: Update to include the Abuse.ch Botnet C2 ip blocklist 2024-07-03 12:59 ` Charles Brown @ 2024-07-03 13:03 ` Charles Brown 2024-07-03 14:06 ` Charles Brown 0 siblings, 1 reply; 5+ messages in thread From: Charles Brown @ 2024-07-03 13:03 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 117 bytes --] Ugh, obviously I do not know how to get my mail client to send this without making a mess of the patch text 🙁
* Re: [PATCH 2/2] ipblocklist-sources: Update to include the Abuse.ch Botnet C2 ip blocklist 2024-07-03 13:03 ` Charles Brown @ 2024-07-03 14:06 ` Charles Brown 0 siblings, 0 replies; 5+ messages in thread From: Charles Brown @ 2024-07-03 14:06 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 7929 bytes --] Okay, if this doesn't work, I'll stop bothering you with this 🙂 --- diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources index 1cef06dd1..eefd1a8d5 100644 --- a/config/ipblocklist/sources +++ b/config/ipblocklist/sources @@ -36,14 +36,15 @@ package IPblocklist::List; -our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklist', +our %sources = ( + 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklist', 'url' => 'https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt', 'info' => 'https://doc.emergingthreats.net/bin/view/Main/EmergingFirewallRules', 'parser' => 'ip-or-net-list', 'rate' => '1h', 'category' => 'composite', 'disable' => ['FEODO_RECOMMENDED', 'FEODO_IP', 'FEODO_AGGRESSIVE', 'SPAMHAUS_DROP', 'DSHIELD'] }, - 'EMERGING_COMPROMISED' => { 'name' => 'Emerging Threats Compromised IPs', + 'EMERGING_COMPROMISED' => { 'name' => 'Emerging Threats Compromised IPs', 'url' => 'https://rules.emergingthreats.net/blockrules/compromised-ips.txt', 'info' => 'https://doc.emergingthreats.net/bin/view/Main/CompromisedHost', 'parser' => 'ip-or-net-list', @@ -74,7 +75,7 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'rate' => '5m', 'category' => 'c and c', 'disable' => 'FEODO_RECOMMENDED' }, - 'FEODO_AGGRESSIVE' => { 'name' => 'Feodo Trojan IP Blocklist (Aggressive)', + 'FEODO_AGGRESSIVE' => { 'name' => 'Feodo Trojan IP Blocklist (Aggressive)', 'url' => 'https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.txt', 'info' => 'https://feodotracker.abuse.ch/blocklist', 'parser' => 'ip-or-net-list', 
@@ -126,27 +127,27 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'rate' => '30m', 'category' => 'attacker' }, '3CORESEC_SSH' => { 'name' => '3CORESec SSH Activity Blocklist', - 'url' => 'https://blacklist.3coresec.net/lists/ssh.txt', - 'info' => 'https://blacklist.3coresec.net', - 'parser' => 'ip-or-net-list', - 'rate' => '1d', - 'category' => 'attacker' }, + 'url' => 'https://blacklist.3coresec.net/lists/ssh.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'attacker' }, '3CORESEC_SCAN' => { 'name' => '3CORESec Scan and IDS Blocklist', - 'url' => 'https://blacklist.3coresec.net/lists/misc.txt', - 'info' => 'https://blacklist.3coresec.net', - 'parser' => 'ip-or-net-list', - 'rate' => '1d', - 'category' => 'reputation' }, - '3CORESEC_WEB' => { 'name' => '3CORESec Web Server Activity Blocklist', - 'url' => 'https://blacklist.3coresec.net/lists/http.txt', - 'info' => 'https://blacklist.3coresec.net', - 'parser' => 'ip-or-net-list', - 'rate' => '1d', - 'category' => 'attacker' }, - 'ABUSECH_BOTNETC2' => { 'name' => 'ABUSE.ch Botnet C2 IP Blocklist', - 'url' => 'https://sslbl.abuse.ch/blacklist/sslipblacklist.txt', - 'info' => 'https://sslbl.abuse.ch/blacklist#botnet-c2-ips-csv', - 'parser' => 'ip-or-net-list', - 'rate' => '5m', - 'category' => 'reputation' } + 'url' => 'https://blacklist.3coresec.net/lists/misc.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'reputation' }, + '3CORESEC_WEB' => { 'name' => '3CORESec Web Server Activity Blocklist', + 'url' => 'https://blacklist.3coresec.net/lists/http.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'attacker' }, + 'ABUSECH_BOTNETC2' => { 'name' => 'ABUSE.ch Botnet C2 IP Blocklist', + 'url' => 'https://sslbl.abuse.ch/blacklist/sslipblacklist.txt', + 'info' => 
'https://sslbl.abuse.ch/blacklist#botnet-c2-ips-csv', + 'parser' => 'ip-or-net-list', + 'rate' => '5m', + 'category' => 'reputation' } ); ^ permalink raw reply [flat|nested] 5+ messages in thread
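Review bot: this resend has no commit message body and no `Signed-off-by:` trailer, unlike patches 1/2 and 2/2 above, and it is posted as a reply under 2/2 rather than as its own patch. Because the first two hunks (`@@ -36,14 +36,15 @@` and `@@ -74,7 +75,7 @@`) re-indent long-standing entries such as EMERGING_FWRULE and FEODO_AGGRESSIVE while the third touches only the entries added by this series, send it as a separate whitespace-only commit with its own subject, and note in the message that `git diff -w` against the parent is empty so reviewers can confirm no URL, rate or category changed.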