Known Compromised Hosts
This ruleset is compiled from a number of sources. Its contents are hosts that are known to be compromised by bots, phishing sites, etc., or known to be spewing hostile traffic. These are not your everyday infected hosts sending a bit of spam; these are significantly infected and hostile hosts.
Sources include:
Brute Force Blocker
OpenBL.org (formerly sshbl.org)
And the Emerging Threats Sandnet and SidReporter Projects
If you have a source of IPs you'd like to add to the list, please email threats@emergingthreats.net
SIDs are in the range 240800-2408999 for the normal version, and 2409000-2409999 for the Snortsam blocking versions.
Note: This list no longer includes the RBN (Russian Business Network) hosts. These are in a standalone ruleset.
Note: Original lists were in the 2500-3000 rule range, which ended up being a significant Snort load. We're keeping this ruleset under 1000 and things seem to be fine in most cases. But use caution if applying the entire ruleset to an already loaded sensor.
Known Compromised Host List