ipblocklist: Fixed typo in 'sources'
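############################################################################
#                                                                          #
# IP Address blocklists for IPFire                                         #
#                                                                          #
# This file contains a list of blocklist sources that will replace the one #
# internal to the updater if it is found at /var/ipfire/blocklist/sources. #
# The intention is to provide a common source of information for both the  #
# updater and WUI.                                                         #
#                                                                          #
# The chains created in the packet filter will be named by the top level   #
# key and this will also be used in the log message to identify the reason #
# for the dropped packet.                                                  #
#                                                                          #
# The fields are:                                                          #
#                                                                          #
# name      The blocklist's full name                                      #
# url       URL of the file containing the list                            #
# info      URL giving information about the source                        #
# parser    The parser function used to extract IP addresses from the      #
#           downloaded list                                                #
# rate      Minimum period between checks for updates. Can be specified in #
#           days (d), hours (h) or minutes (m)                             #
# category  Used for documentation on the WUI. Can be one of the following #
#           'application' Potentially unwanted applications                #
#           'attacker'    Generic source of malicious packets              #
#           'c and c'     Malware Command and Control source               #
#           'composite'   Composite of other lists                         #
#           'invalid'     Invalid addresses on the public internet         #
#           'reputation'  Used by several entries below (TODO: describe)   #
#           'scanner'     Port scanner that is not in itself malicious     #
# disable   Name of another list to disable if this one is enabled. Used   #
#           when the other list is a subset of this one.                   #
#           May be a single name or a reference to an array of names.      #
#                                                                          #
# The info and category fields are purely for documentation.               #
#                                                                          #
# Every url below uses https. The downloaded lists decide which addresses  #
# are dropped, so new entries should keep to https sources.                #
#                                                                          #
############################################################################

package IPblocklist::List;

# Keyed by chain name. Every name used in a 'disable' field must also be a
# top level key of this hash.
our %sources = (
    'EMERGING_FWRULE' => {
        'name'     => 'Emerging Threats Blocklist',
        'url'      => 'https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt',
        'info'     => 'https://doc.emergingthreats.net/bin/view/Main/EmergingFirewallRules',
        'parser'   => 'ip-or-net-list',
        'rate'     => '1h',
        'category' => 'composite',
        'disable'  => ['FEODO_RECOMMENDED', 'FEODO_IP', 'FEODO_AGGRESSIVE', 'SPAMHAUS_DROP', 'DSHIELD'],
    },
    'EMERGING_COMPROMISED' => {
        'name'     => 'Emerging Threats Compromised IPs',
        'url'      => 'https://rules.emergingthreats.net/blockrules/compromised-ips.txt',
        'info'     => 'https://doc.emergingthreats.net/bin/view/Main/CompromisedHost',
        'parser'   => 'ip-or-net-list',
        'rate'     => '1h',
        'category' => 'attacker',
    },
    'SPAMHAUS_DROP' => {
        'name'     => "Spamhaus Don't Route or Peer List",
        'url'      => 'https://www.spamhaus.org/drop/drop.txt',
        'info'     => 'https://www.spamhaus.org/drop/',
        'parser'   => 'ip-or-net-list',
        'rate'     => '12h',
        'category' => 'reputation',
    },
    'SPAMHAUS_EDROP' => {
        'name'     => "Spamhaus Extended Don't Route or Peer List",
        'url'      => 'https://www.spamhaus.org/drop/edrop.txt',
        'info'     => 'https://www.spamhaus.org/drop/',
        'parser'   => 'ip-or-net-list',
        'rate'     => '1h',
        'category' => 'reputation',
    },
    'DSHIELD' => {
        'name'     => 'Dshield.org Recommended Block List',
        'url'      => 'https://www.dshield.org/block.txt',
        'info'     => 'https://dshield.org/',
        'parser'   => 'dshield',
        'rate'     => '1h',
        'category' => 'attacker',
    },
    'FEODO_RECOMMENDED' => {
        'name'     => 'Feodo Trojan IP Blocklist (Recommended)',
        'url'      => 'https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt',
        'info'     => 'https://feodotracker.abuse.ch/blocklist',
        'parser'   => 'ip-or-net-list',
        'rate'     => '5m',
        'category' => 'c and c',
    },
    'FEODO_IP' => {
        'name'     => 'Feodo Trojan IP Blocklist',
        'url'      => 'https://feodotracker.abuse.ch/downloads/ipblocklist.txt',
        'info'     => 'https://feodotracker.abuse.ch/blocklist',
        'parser'   => 'ip-or-net-list',
        'rate'     => '5m',
        'category' => 'c and c',
        'disable'  => 'FEODO_RECOMMENDED',
    },
    'FEODO_AGGRESSIVE' => {
        'name'     => 'Feodo Trojan IP Blocklist (Aggressive)',
        'url'      => 'https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.txt',
        'info'     => 'https://feodotracker.abuse.ch/blocklist',
        'parser'   => 'ip-or-net-list',
        'rate'     => '5m',
        'category' => 'c and c',
        'disable'  => ['FEODO_IP', 'FEODO_RECOMMENDED'],
    },
    'CIARMY' => {
        'name'     => 'The CINS Army List',
        'url'      => 'https://cinsscore.com/list/ci-badguys.txt',
        'info'     => 'https://cinsscore.com/#list',
        'parser'   => 'ip-or-net-list',
        'rate'     => '15m',
        'category' => 'reputation',
    },
    'TOR_ALL' => {
        'name'     => 'Known TOR Nodes',
        'url'      => 'https://www.dan.me.uk/torlist',
        'info'     => 'https://www.dan.me.uk/tornodes',
        'parser'   => 'ip-or-net-list',
        'rate'     => '1h',
        'category' => 'application',
        'disable'  => 'TOR_EXIT',
    },
    'TOR_EXIT' => {
        'name'     => 'Known TOR Exit Nodes',
        'url'      => 'https://www.dan.me.uk/torlist/?exit',
        'info'     => 'https://www.dan.me.uk/tornodes',
        # The original line carried a stray second comma after this value.
        'parser'   => 'ip-or-net-list',
        'rate'     => '1h',
        'category' => 'application',
    },
    'ALIENVAULT' => {
        'name'     => 'AlienVault IP Reputation database',
        'url'      => 'https://reputation.alienvault.com/reputation.generic',
        'info'     => 'https://www.alienvault.com/resource-center/videos/what-is-ip-domain-reputation',
        'parser'   => 'ip-or-net-list',
        'rate'     => '1h',
        'category' => 'reputation',
    },
    # NOTE(review): bogon lists normally include private and reserved
    # ranges; confirm where these chains are applied before enabling them.
    'BOGON' => {
        'name'     => 'Bogus address list (Martian)',
        'url'      => 'https://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt',
        'info'     => 'https://www.team-cymru.com/bogon-reference.html',
        'parser'   => 'ip-or-net-list',
        'rate'     => '1d',
        'category' => 'invalid',
    },
    'BOGON_FULL' => {
        'name'     => 'Full Bogus Address List',
        'url'      => 'https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt',
        'info'     => 'https://www.team-cymru.com/bogon-reference.html',
        'parser'   => 'ip-or-net-list',
        'rate'     => '4h',
        'category' => 'invalid',
        'disable'  => 'BOGON',
    },
    'SHODAN' => {
        'name'     => 'ISC Shodan scanner blocklist',
        'url'      => 'https://isc.sans.edu/api/threatlist/shodan?tab',
        'info'     => 'https://isc.sans.edu',
        'parser'   => 'ip-or-net-list',
        'rate'     => '1d',
        'category' => 'scanner',
    },
    'BLOCKLIST_DE' => {
        'name'     => 'Blocklist.de all attacks list',
        'url'      => 'https://lists.blocklist.de/lists/all.txt',
        'info'     => 'https://www.blocklist.de',
        'parser'   => 'ip-or-net-list',
        'rate'     => '30m',
        'category' => 'attacker',
    },
);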