Known Bot Command and Control Rules

This ruleset takes a daily list of the known CnC Servers as researched by,, the Emerging Threats Sandnet, and other private sources and converts them into Snort/Suricata signatures and Firewall rules.

Sources include:

Shadow Server, Spyeye Tracker, Palevo Tracker, Zeus Tracker

And the Emerging Threats Sandnet.

Note, all of these organizations are fully volunteer staffed and run.

These IPs are updated every 24 hours and should be considered VERY highly reliable indications that a host is communicating with a known and active Bot or Malware command and control server.

Rules are available here:

Botnet Command and Control Server Rules (BotCC):

Sid Range info:

2404000-2404999 Bot C&C List — Updated Daily

2405000-2405999 Bot C&C List with fwsam Drop Statements — Updated Daily
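
A sketch of the list-to-signature conversion described above, added here as an illustration and not the Emerging Threats generator: it cleans a constructed feed, refuses internal or reserved addresses, and packs the rest into Suricata alert rules numbered from the BotCC SID range. The rule text, group size, safety list, and function names are assumptions.

```python
import ipaddress

SID_FIRST, SID_LAST = 2404000, 2404999  # BotCC SID range stated on this page
GROUP_SIZE = 3  # assumed IPs per rule, kept small for the demo

# Assumed safety list: a bad feed entry must never flag internal/reserved space.
NEVER_LIST = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

SAMPLE_FEED = """\
# constructed sample feed: documentation addresses, not real indicators
192.0.2.10
198.51.100.7   # trailing comment
192.0.2.10
10.1.2.3
not-an-ip
203.0.113.99
198.51.100.8
""".splitlines()

def clean_feed(lines):
    """Return sorted, de-duplicated IPv4 addresses that are safe to alert on."""
    keep = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        try:
            ip = ipaddress.IPv4Address(entry)
        except ValueError:
            continue  # blank line, comment, or junk
        if not any(ip in net for net in NEVER_LIST):
            keep.add(ip)
    return sorted(keep)

def build_rules(ips, rev=1, group_size=GROUP_SIZE):
    """Pack IPs into alert rules, one SID per group, within the BotCC range."""
    rules = []
    for n, start in enumerate(range(0, len(ips), group_size)):
        sid = SID_FIRST + n
        if sid > SID_LAST:
            raise ValueError("feed needs more SIDs than the BotCC range holds")
        group = ",".join(str(ip) for ip in ips[start:start + group_size])
        rules.append(f'alert ip $HOME_NET any -> [{group}] any '
                     f'(msg:"Known CnC server IP group {n + 1}"; '
                     'threshold: type limit, track by_src, seconds 3600, count 1; '
                     f'classtype:trojan-activity; sid:{sid}; rev:{rev};)')
    return rules

if __name__ == "__main__":
    print("\n".join(build_rules(clean_feed(SAMPLE_FEED))))
```

The threshold keeps a chatty infected host from generating more than one alert per source per hour; the overflow check fails loudly rather than spilling into the neighbouring SID range.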

Firewall Rules

Topic revision: r4 - 2012-04-04 - MattJonkman
Copyright © Emerging Threats