From patchwork Mon Dec 9 11:42:50 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 8314 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4Y6Kk2201pz3wxg for ; Mon, 9 Dec 2024 11:43:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4Y6Kjx44dYz12m; Mon, 9 Dec 2024 11:43:01 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Y6Kjx1gSKz333Y; Mon, 9 Dec 2024 11:43:01 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Y6Kjv49s9z30VM for ; Mon, 9 Dec 2024 11:42:59 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4Y6Kjs64xrzrN; Mon, 9 Dec 2024 11:42:57 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1733744577; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=2hHY8tgKlnQeOTrYvJHq2AoDgTF9kfZLZtoaM5ti2ls=; b=IUqYPZmO9uf7teDl32Loyxus+HBP73QpaqE12D5nCJ2ZlJAC+zJQa4pXF0SDpFsaO7FC0O ZJZJnMaiBhoT7fDQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1733744577; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=2hHY8tgKlnQeOTrYvJHq2AoDgTF9kfZLZtoaM5ti2ls=; b=FC+29KIQ7J7VuepFSnUAwRL6f2HAussAouAwslB1jF51lMH0NHXbiXMy6o8LZI3TZu1l3k vU0PgrBLWzAmfE2Y7GAJA7M2Xtw9H5vYIA2M3lf3OmYPbzyPm0OFAo4gHhet04qKZXBO9O N0b/nZFA5hJTlT4eTdoDBdQLYVx5phWT/xq0c2ubm2jguNGH/Sr2OyyUmiwPT9ESsAyd3y SMTKMlRbk64zHV2auiKFHcuTMhRmpfuDjEW18cHPVU7oxhEgVbclGpvPBqh0m2zdtlCEuu eY926gCFE0v6+xcYjQAACYSZaud9cf7t0S/OO81hFPJ7WZidvdJdHz9+P+owXw== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH 1/2] sources: Replacement of Feodo Recommended Tracker list to ipblocklist sources file Date: Mon, 9 Dec 2024 12:42:50 +0100 Message-ID: <20241209114251.6249-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: UPKBXELZPG6LWCKQB5DMBKJGNVOLGRTP X-Message-ID-Hash: UPKBXELZPG6LWCKQB5DMBKJGNVOLGRTP X-MailFrom: adolf.belka@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: - FEODO_RECOMMENDED list is still being updated but the number of events can be very low. However as it is still active then it has been added back in as discussed in the Dev Conf Call on Nov 4th. - FEODO_IP list covers any IP that has been detected as a botnet in the last 30 days. This could lead to false positives if the botnet has been fixed within one day of being detected. So it was agreed that this list would stay removed. - FEODO_AGGRESSIVE list contains all IP's that havce ever been detected as botnets since the list was started. It is not intended to be used for blocking as it would have a huge false positive effect. This list will also stay removed as it should not have been included originally. - This patch set adds back in the FEODO_RECOMMENDED list into the sources file and in the associated patch for the update.sh file removes the lines that removed the files related to FEODO_RECOMMENDED. Signed-off-by: Adolf Belka --- config/ipblocklist/sources | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources index c2fc40d5b..158c8bc20 100644 --- a/config/ipblocklist/sources +++ b/config/ipblocklist/sources @@ -61,6 +61,12 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'parser' => 'dshield', 'rate' => '1h', 'category' => 'attacker' }, + 'FEODO_RECOMMENDED'=> {'name' => 'Feodo Trojan IP Blocklist (Recommended)', + 'url' => 'https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt', + 'info' => 'https://feodotracker.abuse.ch/blocklist', + 'parser' => 'ip-or-net-list', + 'rate' => '5m', + 'category' => 'c and c' }, 'CIARMY' => { 'name' => 'The CINS Army List', 'url' => 'https://cinsscore.com/list/ci-badguys.txt', 'info' => 'https://cinsscore.com/#list',