From mboxrd@z Thu Jan 1 00:00:00 1970
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 1/2] sources: Replacement of Feodo Recommended Tracker list to ipblocklist sources file
Date: Mon, 09 Dec 2024 12:42:50 +0100
Message-ID: <20241209114251.6249-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3066501219017398353=="
List-Id:

--===============3066501219017398353==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

- FEODO_RECOMMENDED list is still being updated but the number of events can be very low. However as it is still active then it has been added back in as discussed in the Dev Conf Call on Nov 4th.
- FEODO_IP list covers any IP that has been detected as a botnet in the last 30 days. This could lead to false positives if the botnet has been fixed within one day of being detected. So it was agreed that this list would stay removed.
- FEODO_AGGRESSIVE list contains all IPs that have ever been detected as botnets since the list was started. It is not intended to be used for blocking as it would have a huge false positive effect. This list will also stay removed as it should not have been included originally.
- This patch set adds back in the FEODO_RECOMMENDED list into the sources file and in the associated patch for the update.sh file removes the lines that removed the files related to FEODO_RECOMMENDED.

Signed-off-by: Adolf Belka
---
 config/ipblocklist/sources | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources
index c2fc40d5b..158c8bc20 100644
--- a/config/ipblocklist/sources
+++ b/config/ipblocklist/sources
@@ -61,6 +61,12 @@ our %sources =3D ( 'EMERGING_FWRULE' =3D> { 'name' =3D= > 'Emerging Threats Blocklis 'parser' =3D> 'dshield', 'rate' =3D> '1h', 'category' =3D> 'attacker' }, + 'FEODO_RECOMMENDED'=3D> {'name' =3D> 'Feodo Trojan IP Block= list (Recommended)', + 'url' =3D> 'https://feodotracker.ab= use.ch/downloads/ipblocklist_recommended.txt', + 'info' =3D> 'https://feodotracker.ab= use.ch/blocklist', + 'parser' =3D> 'ip-or-net-list', + 'rate' =3D> '5m', + 'category' =3D> 'c and c' }, 'CIARMY' =3D> { 'name' =3D> 'The CINS Army List', 'url' =3D> 'https://cinsscore.com/l= ist/ci-badguys.txt', 'info' =3D> 'https://cinsscore.com/#= list', --=20 2.47.1 --===============3066501219017398353==--
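
Review bot: 'rate' => '5m' on the new FEODO_RECOMMENDED entry polls far more often than the '1h' visible on the entry in the context lines just above, while the commit message says this list sees very few events. Please confirm the 5-minute interval is intended and acceptable to the upstream feed, or state the reason in the commit message. Style: the new key is written `'FEODO_RECOMMENDED'=> {'name'` with no space before the arrow or after the opening brace, unlike the neighbouring `'CIARMY' => { 'name'` entry; matching that spacing keeps the hash consistent.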