Forwarded from BlackBox (Security) Archiv
Daily feed of bad IPs (with blacklist hit scores)
IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (24h) basis and the final result is pushed to this repository. The list is made of IP addresses together with the total number of (black)list occurrences (for each). The greater the number, the lesser the chance of a false positive detection and/or of dropping (inbound) monitored traffic. Also, the list is sorted from the most (problematic) to the least occurring IP addresses.
As an example, to get a fresh and ready-to-deploy auto-ban list of "bad IPs" that appear on at least 3 (black)lists you can run:
# drop comment lines, drop entries whose score is 1 or 2, keep only the IP column
curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1

If you want to try it with ipset, you can do the following:

sudo su
apt-get -qq install iptables ipset
# (re)create the set; -q silences the error if it does not exist yet / already exists
ipset -q flush ipsum
ipset -q create ipsum hash:net
for ip in $(curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1); do ipset add ipsum $ip; done
# drop every inbound packet whose source address is in the set
iptables -I INPUT -m set --match-set ipsum src -j DROP

In the levels directory you can find preprocessed raw IP lists based on the number of blacklist occurrences (e.g. levels/3.txt holds IP addresses that can be found on 3 or more blacklists).
https://github.com/stamparm/ipsum
#IPsum #tool #guide
@cRyPtHoN_INFOSEC_DE
@cRyPtHoN_INFOSEC_EN
@BlackBox_Archiv
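The filtering and ipset steps from the post above, as an added worked example in Python (this is example code, not the ipsum project's own): it parses the ipsum.txt format, keeps entries with a chosen minimum score, validates each address before it reaches an ipset command, and writes an ipset restore script that fills a temporary set and swaps it into place, so the live set is never empty during a refresh. The sample feed, the set names and the restore/swap approach are assumptions of this example, not something the post states.

```python
"""Added example (not the ipsum project's own code): filter an ipsum.txt feed by
minimum blacklist score and emit an `ipset restore` script that loads the result
into a temporary set and swaps it in atomically, instead of `flush` followed by
one `ipset add` per address as in the post.

Format assumption (matches the feed as described in the post): one entry per
line, "<ip or cidr><TAB><score>", comment lines start with '#'.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable, Iterator

# Constructed sample in the ipsum.txt format (RFC 5737 documentation addresses,
# not real feed data). The last row is deliberately malformed.
SAMPLE_FEED = """\
# IPsum sample (constructed)
# ip\tscore
192.0.2.10\t7
198.51.100.23\t3
203.0.113.5\t2
192.0.2.77\t1
not-an-ip\t9
"""


def parse_ipsum(lines: Iterable[str]) -> Iterator[tuple[str, int]]:
    """Yield (address, score) pairs, skipping comments, blanks and malformed rows.

    Addresses are validated with ipaddress so a corrupted feed line cannot end
    up as garbage in an ipset command.
    """
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, score = parts[0], parts[1]
        try:
            ipaddress.ip_network(addr, strict=False)
            yield addr, int(score)
        except ValueError:
            continue  # drop rows whose address or score does not parse


def filter_by_score(lines: Iterable[str], min_score: int) -> list[str]:
    """Addresses that appear on at least `min_score` blacklists (the post uses 3)."""
    return [addr for addr, score in parse_ipsum(lines) if score >= min_score]


def ipset_restore_script(addrs: Iterable[str], set_name: str = "ipsum") -> str:
    """Build an `ipset restore` script: fill a temp set, swap it in, drop the old one.

    Assumption (not from the post): the caller pipes this into
    `ipset restore -exist` as root and keeps the iptables rule from the post.
    Swapping means the live set is never empty while it is being refreshed.
    """
    tmp = f"{set_name}_tmp"
    out = [
        f"create {set_name} hash:net",
        f"create {tmp} hash:net",
        f"flush {tmp}",
    ]
    out.extend(f"add {tmp} {addr}" for addr in addrs)
    out.append(f"swap {tmp} {set_name}")
    out.append(f"destroy {tmp}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    bad = filter_by_score(SAMPLE_FEED.splitlines(), 3)
    print(ipset_restore_script(bad), end="")
    # On a real host (as root), with the live feed on stdin instead of SAMPLE_FEED:
    #   python3 ipsum_ipset.py | ipset restore -exist
    #   iptables -I INPUT -m set --match-set ipsum src -j DROP
```

The `-exist` flag on `ipset restore` makes the two `create` lines harmless on a second run, and `swap` requires both sets to be of the same type, which is why the temporary set is also `hash:net`.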
Click on the hashtags. If the note doesn't show up, just type the hashtag in the chat. Otherwise, the note has vanished.
#afwall
#alternatives
#altfrontends
#amp
#apk
#aurora
#backup
#blockadstrackers
#bounty
#classroom
#cleaningcrap
#cloud
#cloudflare
#datacollection
#debloat
#deezer
#delete
#deodex
#disablecaptiveportal
#disablecomponents
#disablegoogle
#discord
#dns
#dnscrypt
#dontask
#e
#exodus
#facebook
#fakegapps
#faq
#fdroid
#fennec
#findyourphone
#gcam
#gmail_signin_error
#googlefi
#googletakeout
#gpslock
#graphene
#grapheneos
#gratisapps
#guide
#ipsum
#librechair
#lineagemicrog
#location
#logs
#madaidan
#magicgapps
#magisk
#mailalias
#manjaro
#microg
#mixplorer
#netoff
#news
#nitrokey
#notes
#nothingtohide
#osm
#ot
#playgames
#playpaid
#problems
#pushnotifications
#qpatch
#rh01
#riot
#safetynet
#satstat
#searchengines
#shelter
#signal
#signaturespoofing
#sigspoof
#smalipatcher
#spite
#sync
#tgclients
#todolists
#tor
#torfud
#uber
#uncensorISP
#unlppatch
#untracklinks
#vanced
#vpn
#wear
#wiki
#windows
#wireguard
#withoutgoogle
#xiaomi
Forwarded from BlackBox (Security) Archiv
Maltrail
Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user-defined lists, where a trail can be anything from a domain name (e.g. zvpprsensinaix.com for Banjori malware), a URL (e.g. hXXp://109.162.38.120/harsh02.exe for a known malicious executable), an IP address (e.g. 185.130.5.231 for a known attacker) or an HTTP User-Agent header value (e.g. sqlmap for the automatic SQL injection and database takeover tool). Also, it uses (optional) advanced heuristic mechanisms that can help in the discovery of unknown threats (e.g. new malware).

Architecture

Maltrail is based on the Traffic -> Sensor <-> Server <-> Client architecture. The Sensor(s) is a standalone component running on the monitoring node (e.g. a Linux platform connected passively to a SPAN/mirroring port or transparently inline on a Linux bridge) or on a standalone machine (e.g. a Honeypot), where it "monitors" the passing Traffic for blacklisted items/trails (i.e. domain names, URLs and/or IPs). In case of a positive match, it sends the event details to the (central) Server, where they are stored inside the appropriate logging directory (i.e. LOG_DIR, described in the Configuration section). If the Sensor is run on the same machine as the Server (default configuration), logs are stored directly in the local logging directory. Otherwise, they are sent via UDP messages to the remote server (i.e. LOG_SERVER, described in the Configuration section).
https://github.com/stamparm/maltrail#introduction
ipsum:
https://github.com/stamparm/ipsum
#stamparm #maltrail #ipsum #tool #malicious #detection #blacklist
@cRyPtHoN_INFOSEC_DE
@cRyPtHoN_INFOSEC_EN
@BlackBox_Archiv
@NoGoolag
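The Sensor-side matching described in the post above, as an added illustration in Python (this is example code, not Maltrail's own implementation): constructed traffic records are checked against a small trail list covering the four trail kinds the post names (domain, URL, IP address, User-Agent), each hit becomes an event record, and a helper serialises the event for the sensor-to-server hop. The record layout, the parent-domain matching, the JSON framing and the sample traffic are assumptions of this example; the post only says that matches are sent to the Server as UDP messages.

```python
"""Added example illustrating the sensor side of the architecture in the post.
Not Maltrail's code: trail list, traffic records and event format are constructed
for the example. The trail values themselves are the ones quoted in the post.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Iterator

# Constructed trail list with one entry per trail kind named in the post.
TRAILS = {
    "domain": {"zvpprsensinaix.com": "banjori (malware)"},
    "url": {"http://109.162.38.120/harsh02.exe": "known malicious executable"},
    "ip": {"185.130.5.231": "known attacker"},
    "ua": {"sqlmap": "automatic SQL injection tool"},
}


@dataclass(frozen=True)
class Packet:
    """One observed flow as a sensor would see it (constructed for the example)."""
    src: str
    dst: str
    dns_query: str | None = None
    http_url: str | None = None
    user_agent: str | None = None


# Constructed traffic using RFC 5737 documentation addresses for the local side.
SAMPLE_TRAFFIC = [
    Packet("192.0.2.10", "198.51.100.53", dns_query="zvpprsensinaix.com"),
    Packet("192.0.2.11", "198.51.100.53", dns_query="cdn.example.net"),
    Packet("185.130.5.231", "192.0.2.20"),
    Packet("192.0.2.12", "109.162.38.120",
           http_url="http://109.162.38.120/harsh02.exe", user_agent="Mozilla/5.0"),
    Packet("192.0.2.13", "192.0.2.80",
           http_url="http://192.0.2.80/login", user_agent="sqlmap/1.7 (https://sqlmap.org)"),
]


def _domain_matches(name: str, trails: dict[str, str]) -> str | None:
    """Exact or parent-domain match, so a trail for evil.com also flags a.evil.com."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in trails:
            return candidate
    return None


def check_packet(pkt: Packet, trails=TRAILS) -> Iterator[dict]:
    """Yield one event per trail that matches something in the packet."""
    def event(kind: str, trail: str, info: str) -> dict:
        return {"src": pkt.src, "dst": pkt.dst, "type": kind, "trail": trail, "info": info}

    for ip in (pkt.src, pkt.dst):          # IP trails: either endpoint
        if ip in trails["ip"]:
            yield event("ip", ip, trails["ip"][ip])
    if pkt.dns_query:                       # domain trails: DNS question name
        hit = _domain_matches(pkt.dns_query, trails["domain"])
        if hit:
            yield event("domain", hit, trails["domain"][hit])
    if pkt.http_url:                        # URL trails: exact, case-folded
        url = pkt.http_url.lower()
        if url in trails["url"]:
            yield event("url", url, trails["url"][url])
    if pkt.user_agent:                      # UA trails: substring match
        ua = pkt.user_agent.lower()
        for needle, info in trails["ua"].items():
            if needle in ua:
                yield event("ua", needle, info)


def encode_event(ev: dict) -> bytes:
    """Serialise an event for the sensor -> server hop.

    The post says this hop is UDP; the JSON-lines framing is this example's choice.
    """
    return (json.dumps(ev, sort_keys=True) + "\n").encode()


def scan(packets) -> list[dict]:
    """Run every packet through the trail checks and collect the events."""
    return [ev for p in packets for ev in check_packet(p)]


if __name__ == "__main__":
    for ev in scan(SAMPLE_TRAFFIC):
        print(encode_event(ev).decode(), end="")
```

A real sensor would wrap `encode_event` in a `socket.sendto` to the LOG_SERVER address; here the bytes are returned so the matching logic can be exercised offline.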