Blacklist
Source: SSLList Abuse
The SSL Certificate Blacklist (CSV) is a CSV file that contains the SHA1 fingerprint of every SSL certificate blacklisted on SSLBL. This format is useful if you want to process the blacklisted SSL certificates further, e.g. by loading them into your SIEM. The CSV contains the following values:
Listing date (UTC)
SHA1 Fingerprint of the blacklisted SSL certificate
Listing reason
The SSL Certificate Blacklist (CSV) gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.
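A small loader for the three-column layout described above, as an added example (not SSLBL's own code). It assumes, as in other abuse.ch exports, that comment lines start with '#' and that fingerprints are 40 hex characters; the fingerprints and reasons in the sample are constructed, not real listings.

```python
import csv
from datetime import datetime, timezone
from typing import Optional

# Constructed sample in the layout the page describes: listing date, SHA1, reason.
# Assumption: comment lines start with '#'. The fingerprints are made up.
SAMPLE_CSV = """\
# SSLBL SSL Certificate Blacklist (constructed sample, not a real export)
# Listingdate,SHA1,Listingreason
2024-01-15 10:22:41,0123456789abcdef0123456789abcdef01234567,TrickBot C&C
2024-01-16 08:05:03,89abcdef0123456789abcdef0123456789abcdef,Dridex C&C
"""

def normalize_sha1(fp: str) -> str:
    """Canonical form: 40 lowercase hex chars, no colons or spaces.
    Raises ValueError on anything else so malformed data never silently matches."""
    clean = fp.strip().replace(":", "").replace(" ", "").lower()
    if len(clean) != 40 or any(c not in "0123456789abcdef" for c in clean):
        raise ValueError(f"not a SHA1 fingerprint: {fp!r}")
    return clean

def parse_sslbl_csv(text: str) -> dict:
    """Map fingerprint -> {'listed': aware UTC datetime, 'reason': str}."""
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    result = {}
    for listed, sha1, reason in csv.reader(rows):
        result[normalize_sha1(sha1)] = {
            "listed": datetime.strptime(listed, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
            "reason": reason,
        }
    return result

def lookup(blacklist: dict, fingerprint: str) -> Optional[dict]:
    """Look up a fingerprint as a TLS log would print it (any case, with or without colons)."""
    return blacklist.get(normalize_sha1(fingerprint))

if __name__ == "__main__":
    bl = parse_sslbl_csv(SAMPLE_CSV)
    print(lookup(bl, "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67"))
```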
Suricata is an Open Source Network Intrusion Detection / Prevention System (IDS/IPS). If you are running Suricata, you can use SSLBL's Suricata SSL Certificate Ruleset to detect and/or block malicious SSL connections in your network based on the SSL certificate fingerprint.
In addition, SSLBL provides a more performant Suricata ruleset that uses tls_cert_fingerprint instead of tls.fingerprint. Please use either the ruleset above (sslblacklist.rules) OR sslblacklist_tls_cert.rules from below. Do not use both at the same time.
The Suricata SSL Certificate Ruleset gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.
In order to use the more performant Suricata ruleset available for download below, you must run Suricata 4.1.0 or newer. The ruleset will not work with any Suricata version prior to 4.1.0. If you are running a version of Suricata older than 4.1.0, please use the ruleset above this box.
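To show the difference between the two rule styles, here is an added example (not SSLBL's own rule generator) that turns CSV rows into rules of either form. It assumes the Suricata keyword syntax from the Suricata docs (tls.fingerprint with a quoted value; the tls_cert_fingerprint sticky buffer followed by content), that both want the colon-separated fingerprint, and that the certificate is inspected on the server-to-client side of the flow; the SID range and msg wording are this example's own choices.

```python
import re

HEX40 = re.compile(r"^[0-9a-f]{40}$")

def colonize(sha1_hex: str) -> str:
    """'0123...4567' -> '01:23:...:67', the form the Suricata tls keywords expect."""
    sha1_hex = sha1_hex.strip().lower()
    if not HEX40.match(sha1_hex):
        raise ValueError(f"bad SHA1 fingerprint: {sha1_hex!r}")
    return ":".join(sha1_hex[i:i + 2] for i in range(0, 40, 2))

def safe_msg(reason: str) -> str:
    """The listing reason ends up inside msg:"..."; strip the characters that would
    terminate the string or the option so feed text cannot break or alter the rule."""
    return re.sub(r'[";\\]', "", reason).strip()

def make_rule(sha1_hex: str, reason: str, sid: int, legacy: bool = False) -> str:
    """One alert rule for a blacklisted certificate fingerprint."""
    fp = colonize(sha1_hex)
    msg = f"SSLBL: Malicious SSL certificate detected ({safe_msg(reason)})"
    if legacy:   # sslblacklist.rules style: works on Suricata before 4.1.0
        match = f'tls.fingerprint:"{fp}";'
    else:        # sslblacklist_tls_cert.rules style: sticky buffer, Suricata 4.1.0+
        match = f'tls_cert_fingerprint; content:"{fp}"; nocase;'
    # Assumption: the certificate travels server -> client, hence to_client.
    return (f'alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"{msg}"; '
            f'flow:established,to_client; {match} classtype:trojan-activity; '
            f'sid:{sid}; rev:1;)')

def make_ruleset(entries, base_sid: int = 9000000, legacy: bool = False) -> str:
    """entries: iterable of (sha1_hex, reason) pairs as read from the CSV."""
    return "\n".join(make_rule(s, r, base_sid + i, legacy)
                     for i, (s, r) in enumerate(entries))

if __name__ == "__main__":
    print(make_ruleset([("0123456789abcdef0123456789abcdef01234567", "Dridex C&C")]))
```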
An SSL certificate can be associated with one or more servers (IP address:port combinations). SSLBL collects the IP addresses of servers running with an SSL certificate blacklisted on SSLBL. These are usually botnet Command&Control servers (C&C). SSLBL therefore publishes a blacklist containing these IPs, which can be used to detect outbound botnet C2 traffic from infected machines in your network towards the internet. The CSV format is useful if you want to process the blacklisted IP addresses further, e.g. by loading them into your SIEM. The CSV contains the following values:
Firstseen (UTC)
Destination IP (DstIP)
Destination Port (DstPort)
The Botnet C2 IP Blacklist gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.
As IP addresses get recycled and reused, this blacklist only contains IP addresses that have been seen associated with a malicious SSL certificate in the past 30 days. The false positive rate for this blacklist should therefore be low.
In addition, there is an IPs-only list available for download below. This is handy if you want to use the botnet C&Cs identified by SSLBL as a list of Indicators of Compromise (IOCs).
If you want to fetch a comprehensive list of all IP addresses that SSLBL has ever seen, please use the CSV provided below.
I strongly recommend not using the aggressive version of the Botnet C2 IP blacklist, as it will definitely cause false positives. If you want to reduce the number of false positives, use the blacklist above this box. If you want maximum protection and don't care about false positives, use the blacklist below this box (not recommended).
In addition, there is an IPs-only version of this list available for download below. This is handy if you want to use the botnet C&Cs identified by SSLBL as a list of Indicators of Compromise (IOCs).
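Matching the C2 IP CSV against outbound connection logs, as an added example (not SSLBL's own tooling). It assumes '#' comment lines in the CSV and a simple firewall-style log format; both the list entries and the log lines are constructed. Matching on the exact IP:port pair the list records is the low-false-positive mode; an IP-only mode is shown for use with the IPs-only list.

```python
import csv
import ipaddress
import re

# Constructed sample in the layout the page describes: Firstseen, DstIP, DstPort.
SAMPLE_C2_CSV = """\
# Botnet C2 IP Blacklist (constructed sample, not a real SSLBL export)
# Firstseen,DstIP,DstPort
2024-01-15 10:22:41,203.0.113.10,443
2024-01-16 08:05:03,198.51.100.7,8443
"""

# Constructed firewall-style log of connections leaving the network.
SAMPLE_LOG = """\
2024-01-17T09:00:01Z ALLOW src=10.0.0.5:51234 dst=203.0.113.10:443 proto=tcp
2024-01-17T09:00:02Z ALLOW src=10.0.0.8:51240 dst=192.0.2.20:443 proto=tcp
2024-01-17T09:00:03Z ALLOW src=10.0.0.9:51250 dst=198.51.100.7:443 proto=tcp
2024-01-17T09:00:04Z ALLOW src=10.0.0.5:51260 dst=198.51.100.7:8443 proto=tcp
"""
LOG_RE = re.compile(r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

def load_c2_list(text: str) -> dict:
    """Return {(ip, port): firstseen}, keyed on the exact IP:port SSLBL observed."""
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    out = {}
    for firstseen, ip, port in csv.reader(rows):
        # ip_address() rejects garbage so a bad row cannot become a bogus indicator
        out[(str(ipaddress.ip_address(ip)), int(port))] = firstseen
    return out

def scan_log(log_text: str, c2: dict, strict_port: bool = True) -> list:
    """Return (src, dst, dport, kind) for every matching line.
    strict_port=True flags only the listed IP:port pair (fewer false positives);
    strict_port=False also flags the IP on any other port, as the IPs-only list would."""
    listed_ips = {ip for ip, _ in c2}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in c2:
            hits.append((m["src"], dst, dport, "ip:port"))
        elif not strict_port and dst in listed_ips:
            hits.append((m["src"], dst, dport, "ip-only"))
    return hits
```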
Unlike SSLBL's Suricata SSL Certificate Ruleset, the Suricata Botnet C2 IP Ruleset can be used with both Suricata and Snort. The ruleset contains all botnet Command&Control servers (C&Cs) identified by SSLBL as associated with a blacklisted SSL certificate. If you are running Suricata or Snort, you can use this ruleset to detect and/or block network connections towards hostile servers (IP address:port combinations).
The Suricata Botnet C2 IP Ruleset gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.
As IP addresses get recycled and reused, this ruleset only contains IP addresses that have been seen associated with a malicious SSL certificate in the past 30 days. The false positive rate for this ruleset should therefore be low.
If you want to fetch a comprehensive ruleset of all IP addresses that SSLBL has ever seen, please use the ruleset provided below.
I strongly recommend not using the aggressive ruleset of the Botnet C2 IP list, as it will definitely cause false positives. If you want to reduce the number of false positives, use the ruleset above this box. If you want maximum protection and don't care about false positives, use the ruleset below this box (not recommended).
By using a DNS Response Policy Zone (RPZ), also known as a DNS firewall, you can block the resolution of certain domain names on your DNS resolver. The SSLBL RPZ contains IP addresses that are running with an SSL certificate blacklisted on SSLBL. By using the SSLBL RPZ, any domain name resolving to such an IP address will be blocked, sinkholed or logged (depending on your DNS configuration). More information about DNS RPZ can be found on dnsrpz.info.
The Botnet C2 DNS RPZ gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.
As IP addresses get recycled and reused, the SSLBL RPZ only contains IP addresses that have been seen associated with a malicious SSL certificate in the past 30 days. The false positive rate for this blacklist should therefore be low.
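How an IP-based RPZ of this kind is expressed, as an added example (not SSLBL's own zone generator): response-policy rules keyed on the answer's IP use the rpz-ip trigger, whose owner name is the prefix length followed by the reversed address. The zone name, serial and the sample IPs are constructed; the resolver still has to be pointed at the zone (in BIND via a response-policy statement).

```python
import ipaddress

def rpz_ip_owner(cidr: str) -> str:
    """Owner name of an rpz-ip trigger: <prefixlen>.<reversed IPv4 address>.rpz-ip
    e.g. 203.0.113.10/32 -> 32.10.113.0.203.rpz-ip. IPv4 only in this example."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only in this example")
    reversed_octets = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{reversed_octets}.rpz-ip"

# RPZ policy actions: what the resolver answers when a trigger fires.
ACTIONS = {
    "nxdomain": "CNAME .",             # answer NXDOMAIN (block)
    "nodata":   "CNAME *.",            # answer NODATA
    "drop":     "CNAME rpz-drop.",     # send no answer at all
    "passthru": "CNAME rpz-passthru.", # whitelist: answer normally but log
}

def build_rpz_zone(origin: str, serial: int, c2_ips, action: str = "nxdomain") -> str:
    """Render a zone file: one rpz-ip trigger per listed C2 IP (/32), duplicates folded."""
    lines = [
        "$TTL 300",
        f"$ORIGIN {origin}.",
        f"@ SOA localhost. hostmaster.{origin}. {serial} 3600 900 604800 300",
        "@ NS localhost.",
    ]
    for ip in sorted(set(c2_ips), key=ipaddress.ip_address):
        lines.append(f"{rpz_ip_owner(ip + '/32')} {ACTIONS[action]}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # constructed sample IPs from documentation ranges, not real SSLBL listings
    print(build_rpz_zone("sslbl.rpz.local", 2024011701, ["203.0.113.10", "198.51.100.7"]))
```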
JA3 is an open source tool used to fingerprint SSL/TLS client applications. At best, you can use JA3 to identify malware and botnet C2 traffic that leverages SSL/TLS. The CSV format is useful if you want to process the JA3 fingerprints further, e.g. by loading them into your SIEM. The CSV contains the following values:
JA3 Fingerprint
First seen (UTC)
Last seen (UTC)
Listing reason
The JA3 Fingerprint Blacklist (CSV) gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.
The JA3 fingerprints blacklisted on SSLBL have been collected by analysing more than 25,000,000 PCAPs generated by malware samples. These fingerprints have not been tested against known good traffic yet and may cause a significant number of false positives (FPs)!
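What the listed value actually is, as an added example (not SSLBL's or the JA3 project's code): the JA3 string is built from five ClientHello fields with GREASE values removed, and the fingerprint in the CSV is its MD5. The ClientHello values and the blacklist entry are constructed; the '#' comment convention in the CSV is assumed.

```python
import csv
import hashlib

# GREASE values (RFC 8701) are randomized per connection; JA3 drops them so the
# fingerprint stays stable across connections from the same client.
GREASE = {(x << 8) | x for x in range(0x0A, 0x100, 0x10)}  # 0x0a0a, 0x1a1a, ..., 0xfafa

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 string: SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats.
    Values are decimal; '-' joins values within a field and ',' separates fields."""
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), field(ciphers), field(extensions), field(curves),
                     "-".join(str(v) for v in point_formats)])

def ja3_hash(ja3_str: str) -> str:
    """The fingerprint as listed in the CSV is the MD5 hex digest of the JA3 string."""
    return hashlib.md5(ja3_str.encode("ascii")).hexdigest()

# Constructed ClientHello field values (771 = TLS 1.2) with GREASE entries mixed in,
# as a client following RFC 8701 would send them.
HELLO = dict(version=771, ciphers=[0x0A0A, 4865, 4866, 49195],
             extensions=[0x1A1A, 0, 23, 65281], curves=[0x2A2A, 29, 23], point_formats=[0])

def load_ja3_blacklist(text: str) -> dict:
    """Parse the four-column layout the page describes into {ja3_md5: {...}}."""
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    return {h.lower(): {"first_seen": f, "last_seen": l, "reason": r}
            for h, f, l, r in csv.reader(rows)}

def sample_blacklist() -> dict:
    """Constructed sample export (not real SSLBL data) that lists the fingerprint of HELLO."""
    text = ("# JA3 Fingerprint Blacklist (constructed sample)\n"
            "# ja3_md5,Firstseen,Lastseen,Listingreason\n"
            f"{ja3_hash(ja3_string(**HELLO))},2024-01-10 12:00:00,2024-01-20 12:00:00,"
            "Constructed C2 client\n")
    return load_ja3_blacklist(text)

def check_client_hello(hello: dict, blacklist: dict):
    """Fingerprint a ClientHello and look it up; returns (ja3_md5, entry or None)."""
    h = ja3_hash(ja3_string(**hello))
    return h, blacklist.get(h)
```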
Suricata is an Open Source Network Intrusion Detection / Prevention System (IDS/IPS). If you are running Suricata, you can use SSLBL's Suricata JA3 Fingerprint Ruleset to detect and/or block malicious SSL connections in your network based on the JA3 fingerprint. Please note that you need Suricata 4.1.0 or newer in order to use the JA3 fingerprint ruleset.
The Suricata JA3 Fingerprint Ruleset gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.
The JA3 fingerprints blacklisted on SSLBL have been collected by analysing more than 25,000,000 PCAPs generated by malware samples. These fingerprints have not been tested against known good traffic yet and may cause a significant number of false positives (FPs)!