SSL Blacklist

SSLBL offers various types of blacklists that allow you to block bad SSL traffic related to malware or botnet activities (e.g. botnet C&C traffic). Some blacklists rely on SHA1 fingerprints of malicious SSL certificates, others on the IPs associated with these. The available SSL blacklists are documented below. Note: The SSL blacklists are updated every 15 minutes, so please do not fetch a blacklist more often than every 15 minutes.

Plain-Text SSL Fingerprint Blacklist (CSV)

The SSL Fingerprint Blacklist (CSV) contains all blacklisted SSL certificate fingerprints (SHA-1). In addition, it provides other useful information, such as the timestamp of the listing (UTC) and the listing reason.

Download: SSL Fingerprint Blacklist (CSV)
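
An added example (not part of the original page and not SSLBL's own code) of one way to consume the fingerprint CSV: it parses the list, computes a certificate's SHA-1 over its DER encoding, looks it up, and enforces the 15-minute fetch interval. The page does not state the column order, so the parser locates the fingerprint by its 40-hex-digit shape; the function names and sample rows are constructed for illustration.

```python
import csv
import hashlib
import io
import re
import ssl

SHA1_HEX = re.compile(r"^[0-9a-fA-F]{40}$")
MIN_FETCH_INTERVAL = 15 * 60  # seconds: the list is updated every 15 minutes

# Constructed sample input: placeholder bytes stand in for a DER certificate.
SAMPLE_DER = b"0\x82constructed-not-a-real-certificate"
SAMPLE_CSV = (
    "# constructed sample, not real SSLBL data\n"
    f"2015-07-01 12:00:00,{hashlib.sha1(SAMPLE_DER).hexdigest()},Example C&C\n"
    "2015-07-02 08:30:00,not-a-fingerprint,Broken row\n"
)

def parse_fingerprint_csv(text):
    """Return {sha1_hex: [remaining columns]} from blacklist CSV text."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        row = [field.strip() for field in row]
        if not row or row[0].startswith("#"):
            continue  # blank line or comment line
        # Find the fingerprint by shape; the column order is an assumption.
        idx = next((i for i, f in enumerate(row) if SHA1_HEX.match(f)), None)
        if idx is None:
            continue  # malformed row without a SHA-1 field
        entries[row[idx].lower()] = row[:idx] + row[idx + 1:]
    return entries

def cert_sha1(cert):
    """SHA-1 fingerprint of a certificate given as PEM text or DER bytes."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return hashlib.sha1(der).hexdigest()

def lookup(cert, entries):
    """Return the listing details if the certificate is blacklisted, else None."""
    return entries.get(cert_sha1(cert))

def may_fetch(last_fetch, now):
    """True if at least 15 minutes have passed since the last download."""
    return last_fetch is None or now - last_fetch >= MIN_FETCH_INTERVAL

if __name__ == "__main__":
    print(lookup(SAMPLE_DER, parse_fingerprint_csv(SAMPLE_CSV)))
```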

Suricata SSL Fingerprint Blacklist

Suricata is an open source Network Intrusion Detection / Prevention System (IDS/IPS). If you are running Suricata, you can use the Suricata SSL Fingerprint Blacklist to detect and block bad SSL connections in your network.

Download: SSL Fingerprint Blacklist (Suricata Rules)

Note: Unfortunately, Snort does not support SSL fingerprinting at the moment. Hence this blacklist is currently only available for Suricata.

Plain-Text SSL IP Blacklist (CSV)

The SSL IP Blacklist (CSV) contains all hosts (IP addresses) that SSLBL has seen in the past 30 days being associated with a malicious SSL certificate. The CSV contains the IP address and port number of each malicious SSL host.

Download: SSL IP Blacklist (CSV)

Plain-Text SSL IP Blacklist - Aggressive (CSV)

The aggressive version of the SSL IP Blacklist contains all IPs that SSLBL has ever detected being associated with a malicious SSL certificate. Since IP addresses can be reused (e.g. when the customer changes), this blacklist may cause false positives. Hence I highly recommend that you use the standard version instead of the aggressive one.

Download: SSL IP Blacklist - Aggressive (CSV)

Suricata / Snort SSL IP Blacklist

The Suricata / Snort SSL IP Blacklist contains all hosts (IP addresses) that SSLBL has seen in the past 30 days being associated with a malicious SSL certificate. If you are running either Suricata or Snort, you can use the SSL IP Blacklist Suricata / Snort Ruleset to detect and block bad SSL connections in your network.

Download: Suricata / Snort SSL IP Blacklist

Suricata / Snort SSL IP Blacklist - Aggressive

The aggressive version of the Suricata / Snort SSL IP Blacklist contains all IPs that SSLBL has ever detected being associated with a malicious SSL certificate. Since IP addresses can be reused (e.g. when the customer changes), this blacklist may cause false positives. Hence I highly recommend that you use the standard version instead of the aggressive one.

Download: Suricata / Snort SSL IP Blacklist - Aggressive

Dyre C&C SSL Blacklists

In July 2015, I had to split SSL certificates related to Dyre botnet C&C off from the main SSL Blacklists. More information is available here. The Dyre SSL blacklists can be found below.

ATTENTION: Since there are tens of thousands of malicious Dyre SSL certificates around, you should use the blocklists provided below with caution, as they may overload your hardware equipment and / or tools.

Download: Dyre SSL Fingerprint Blacklist (CSV)

Download: Dyre SSL Fingerprint Blacklist (Suricata Rules)

Download: Dyre SSL IP Blacklist (CSV)

Download: Dyre SSL IP Blacklist - Aggressive (CSV)

Download: Dyre Suricata / Snort SSL IP Blacklist

Download: Dyre Suricata / Snort SSL IP Blacklist - Aggressive

Download: Dyre SSL Certificates (Common Names)

Terms Of Use

As for all abuse.ch projects, the use of the SSL Blacklist is free for both commercial and non-commercial usage without any limitation. However, if you are a commercial vendor of security software/services and you want to integrate data from the SSL Blacklist into your products / services, you will have to ask for permission first by contacting me using the contact form.