Blacklist

Source : SSLList Abuse

SSL Certificate Blacklist (CSV)


The SSL Certificate Blacklist (CSV) is a CSV that contains SHA1 Fingerprint of all SSL certificates blacklisted on SSLBL. This format is useful if you want to process the blacklisted SSL certificate further, e.g. loading them into your SIEM. The CSV contains the following values:

The SSL Certificate Blacklist (CSV) gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.

 

Download CSV

 

Suricata SSL Certificate Ruleset


Suricata is an Open Source Network Intrustion Detection / Prevention System (IDS/IPS). If you are running Suricata, you can use the SSLBL's Suricata SSL Certificate Ruleset to detect and/or block malicious SSL connections in your network based on the SSL certificate fingerprint.

 

IDS SSL Certificate Ruleset   IDS SSL Certificate Ruleset tar.gz

 

In addition, SSLBL provides a more performant Suricata ruleset that uses tls_cert_fingerprint instead of tls.fingerprint. Please use either the ruleset above (sslblacklist.rules) OR sslblacklist_tls_cert.rules from below. Do not use both of them at the same time.

The Suricata SSL Certificate Ruleset gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.

IDS SSL Certificate Ruleset   IDS SSL Certificate Ruleset tar.gz

 

Botnet C2 IP Blacklist (CSV)


An SSL certificate can be associated with one or more servers (IP address:port combination). SSLBL collects IP addresses that are running with an SSL certificate blacklisted on SSLBL. These are usually botnet Command&Control servers (C&C). SSLBL hence publishes a blacklist containing these IPs which can be used to detect botnet C2 traffic from infected machines towards the internet, leaving your network. The CSV format is useful if you want to process the blacklisted IP addresses further, e.g. loading them into your SIEM. The CSV contains the following values:

The Botnet C2 IP Blacklist gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.

 

Download CSV

 

In addition, there is an IPs only list available for download below. This is handy if you want to use botnet C&Cs identified by SSLBL as a list of Indicator Of Compromise (IOC).

 

Download IPs only

 

If you want to fetch a comprehensive list of all IP addresses that SSLBL has ever seen, please use the CSV provided below.

 

In addition, there is an IPs only list available for download below. This is handy if you want to use botnet C&Cs identified by SSLBL as a list of Indicator Of Compromise (IOC).

 

Download IPs only) - Aggressive

 

Suricata Botnet C2 IP Ruleset


Unlike SSLBL's Suricata SSL Certificate Ruleset, the Suricata Botnet C2 IP Ruleset can be used with both, Suricata and Snort. The ruleset contains all botnet Command&Control servers (C&Cs) identified by SSLBL to be associated with a blacklisted SSL certificate. If you are running Suricata or Snort, you can use this ruleset to detect and/or block network connections towards hostline servers (IP address:port combination).

The Suricat Botnet C2 IP Ruleset gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.

 

Download IDS Ruleset (Suricata and Snort) Download IDS Ruleset (Suricata and Snort) tar.gz

If you want to fetch a comprehensive ruleset of all IP addresses that SSLBL has ever seen, please use the ruleset provided below.

 

Botnet C2 DNS Response Policy Zone (RPZ)


By using an DNS Reponse Policy Zone (RPZ), also known as DNS firewall, you can block the resolution of certain domain names on your DNS resolver. The SSLBL RPZ contains IP addresses that are running with an SSL certificate blacklisted on SSLBL. By using the SSLBL RPZ, any domain names resolving to such IP addresses will be blocked, sinkholed or logged (depending on your DNS configuration). More information about DNS RPZ can be found on dnsrpz.info.

The Botnet C2 DNS RPZ gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.

 

JA3 Fingerprint Blacklist (CSV)


JA3 is an open source tool used to fingerprint SSL/TLS client applications. In the best case, you can use JA3 to identify malware and botnet C2 traffic that is leveraging SSL/TLS. The CSV format is useful if you want to process the JA3 fingerprints further, e.g. loading them into your SIEM. The CSV contains the following values:

The JA3 Fingerprint Blacklist (CSV) gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.

 

Suricata JA3 Fingerprint Ruleset


Suricata is an Open Source Network Intrustion Detection / Prevention System (IDS/IPS). If you are running Suricata, you can use the SSLBL's Suricata JA3 FingerprintRuleset to detect and/or block malicious SSL connections in your network based on the JA3 fingerprint. Please note that your need Suricata 4.1.0 or newer in order to use the JA3 fingerprint ruleset.

The Suricata JA3 Fingerprint Ruleset gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.

Download Suricata JA3 Fingerprint Ruleset  Suricata JA3 Fingerprint Ruleset tar.gz