Known Bot Command and Control Rules

This ruleset takes a daily list of the known CnC servers, as researched by Shadowserver.org, Abuse.ch, the Emerging Threats Sandnet, and other private sources, and converts it into Snort/Suricata signatures and firewall rules.

Sources include:

Shadow Server, Spyeye Tracker, Palevo Tracker, Zeus Tracker

And the Emerging Threats Sandnet.

Note: all of these organizations are fully volunteer staffed and run.

These IPs are updated every 24 hours and should be considered VERY highly reliable indications that a host is communicating with a known and active Bot or Malware command and control server.

Rules are available here:

Botnet Command and Control Server Rules (BotCC):

Sid Range info:

2404000-2404999 Shadowserver.org Bot C&C List - Updated Daily

2405000-2405999 Shadowserver.org Bot C&C List with fwsam Drop Statements - Updated Daily

Firewall Rules http://rules.emergingthreats.net/fwrules
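
The conversion described above, sketched as an added example (not Emerging Threats' own generator): a feed of C&C IPs is validated, de-duplicated and grouped into rules whose SIDs stay inside the ranges listed on this page. The rule text, group size, fwsam duration, function names and the sample feed are assumptions made for illustration.

```python
import ipaddress

# SID ranges from the page; rule text below is an assumed layout, not ET's generator.
ALERT_SIDS = range(2404000, 2405000)   # alert-only rules
BLOCK_SIDS = range(2405000, 2406000)   # same rules plus an fwsam statement


def clean_feed(lines):
    """Return sorted, de-duplicated IPv4 addresses; skip comments and junk."""
    seen = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            ip = ipaddress.IPv4Address(entry)
        except ValueError:
            continue  # malformed entry: never emit it into a rule
        # A poisoned feed must not turn local or wildcard addresses into drops.
        if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
            continue
        seen.add(ip)
    return sorted(seen)


def build_rules(ips, sids, per_rule=2, fwsam=False):
    """Group IPs into rules, one SID per group, refusing to leave the range."""
    groups = [ips[i:i + per_rule] for i in range(0, len(ips), per_rule)]
    if len(groups) > len(sids):
        raise ValueError("feed needs more SIDs than the range holds")
    rules = []
    for n, (sid, group) in enumerate(zip(sids, groups), start=1):
        dst = ",".join(str(ip) for ip in group)
        # fwsam is a Snortsam rule option (Snort only); the duration is assumed.
        block = " fwsam: dst, 24 hours;" if fwsam else ""
        rules.append(
            f'alert ip $HOME_NET any -> [{dst}] any '
            f'(msg:"Known CnC server IP group {n}"; '
            f'threshold: type limit, track by_src, seconds 3600, count 1; '
            f'classtype:trojan-activity;{block} sid:{sid}; rev:1;)'
        )
    return rules


# Constructed sample feed (documentation address space, not real C&C hosts).
SAMPLE_FEED = ["192.0.2.10", "198.51.100.7  # note", "192.0.2.10",
               "127.0.0.1", "not-an-ip", "", "203.0.113.99"]

if __name__ == "__main__":
    for rule in build_rules(clean_feed(SAMPLE_FEED), ALERT_SIDS):
        print(rule)
```

Grouping several IPs per rule is what lets a feed larger than the 1000-SID range fit; the generator fails loudly rather than spilling into a neighbouring range.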

Topic revision: r4 - 2012-04-04 - MattJonkman
 
Copyright © Emerging Threats