Blacklist
SSLBL offers various blacklists in different formats for different purposes. The blacklists are documented below.
SSL Certificate Blacklist (CSV)
The SSL Certificate Blacklist (CSV) is a CSV file that contains the SHA1 fingerprint of every SSL certificate blacklisted on SSLBL. This format is useful if you want to process the blacklisted SSL certificates further, e.g. by loading them into your SIEM. The CSV contains the following values:
- Listing date (UTC)
- SHA1 Fingerprint of the blacklisted SSL certificate
- Listing reason
The SSL Certificate Blacklist (CSV) gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.
Suricata SSL Certificate Ruleset
Suricata is an Open Source Network Intrusion Detection / Prevention System (IDS/IPS). If you are running Suricata, you can use SSLBL's Suricata SSL Certificate Ruleset to detect and/or block malicious SSL connections in your network based on the SHA1 fingerprint of the server certificate.
Download IDS Ruleset (Suricata 1.4 or newer)
Download IDS Ruleset (Suricata 1.4 or newer) - tar.gz
In addition, SSLBL provides a more performant Suricata ruleset that uses the tls_cert_fingerprint sticky buffer instead of the tls.fingerprint keyword. Use either the ruleset above (sslblacklist.rules) or sslblacklist_tls_cert.rules from below, never both at the same time: both match the same fingerprints, so loading both only doubles the matching work and produces duplicate alerts.
The Suricata SSL Certificate Ruleset gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.
Note
In order to use the more performant Suricata ruleset available for download below, you must run Suricata 4.1.0 or newer. The ruleset will not work with any Suricata version prior to 4.1.0, because the tls_cert_fingerprint keyword does not exist there. If you are running a version of Suricata older than 4.1.0, please use the ruleset above this box.
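The following Python example, added here and not SSLBL's own code, parses a CSV in the three-column layout described above (listing date, SHA1 fingerprint, listing reason) and turns it into Suricata rules in either of the two keyword styles just discussed. The feed content, the msg text, the SID range and the use of flow:established are assumptions for illustration; only the column layout and the two Suricata keywords come from the page.

```python
# Added example, not SSLBL's own code: parse the SSL Certificate Blacklist CSV
# and emit Suricata rules in either of the two fingerprint keyword styles.
import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample in the layout the page describes (comment lines, then
# listing date, SHA1 fingerprint, listing reason). The fingerprints are made up.
SAMPLE_CERT_CSV = """\
# SSLBL certificate blacklist (constructed sample, not real feed data)
# Listingdate,SHA1,Listingreason
2024-03-01 12:00:05,0123456789abcdef0123456789abcdef01234567,Dridex C&C
2024-03-01 12:05:10,89ABCDEF0123456789ABCDEF0123456789ABCDEF,TrickBot C&C
2024-03-01 12:10:00,not-a-fingerprint,Broken row
"""

SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def parse_cert_blacklist(text):
    """Return a list of (listing_date, sha1, reason) tuples.

    Comment lines are skipped, and so is any row whose fingerprint is not
    exactly 40 hex digits, so a truncated or corrupted feed line can never
    turn into a rule."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 3 or not SHA1_RE.match(fields[1]):
            continue
        listed = datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S")
        listed = listed.replace(tzinfo=timezone.utc)  # feed timestamps are UTC
        rows.append((listed, fields[1].lower(), fields[2]))
    return rows


def colon_hex(sha1):
    """Suricata writes certificate fingerprints as colon-separated lowercase hex."""
    return ":".join(sha1[i:i + 2] for i in range(0, 40, 2))


def to_cert_rule(sha1, reason, sid, sticky_buffer):
    """Build one rule for a blacklisted certificate.

    sticky_buffer=True uses the tls_cert_fingerprint sticky buffer followed by
    a content match (Suricata 4.1.0+); False uses the older tls.fingerprint
    keyword. The msg text and SID range are assumptions, not SSLBL's."""
    reason = re.sub(r'[";]', " ", reason)  # these would break the rule syntax
    if sticky_buffer:
        match = 'tls_cert_fingerprint; content:"%s";' % colon_hex(sha1)
    else:
        match = 'tls.fingerprint:"%s";' % colon_hex(sha1)
    return ('alert tls any any -> any any '
            '(msg:"SSLBL: Malicious SSL certificate detected (%s)"; '
            'flow:established; %s sid:%d; rev:1;)' % (reason, match, sid))


def build_cert_ruleset(text, sticky_buffer, base_sid=900000001):
    """Turn the whole CSV into one ruleset. Pick ONE style per sensor: loading
    both styles would fire two alerts for every blacklisted certificate."""
    return [to_cert_rule(sha1, reason, base_sid + i, sticky_buffer)
            for i, (_, sha1, reason) in enumerate(parse_cert_blacklist(text))]


if __name__ == "__main__":
    for rule in build_cert_ruleset(SAMPLE_CERT_CSV, sticky_buffer=True):
        print(rule)
```

The malformed third row is dropped rather than passed through, which is the behaviour you want when a feed fetched every five minutes is fed straight into a sensor: a bad line should cost you one indicator, not the whole ruleset load.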
Botnet C2 IP Blacklist (CSV)
An SSL certificate can be associated with one or more servers (IP address:port combinations). SSLBL collects the IP addresses that serve an SSL certificate blacklisted on SSLBL; these are usually botnet Command&Control (C&C) servers. SSLBL therefore publishes a blacklist of these IPs, which can be used to detect botnet C2 traffic from infected machines leaving your network towards the internet. The CSV format is useful if you want to process the blacklisted IP addresses further, e.g. by loading them into your SIEM. The CSV contains the following values:
- Firstseen(UTC)
- Destination IP (DstIP)
- Destination Port (DstPort)
The Botnet C2 IP Blacklist gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.
Note
As IP addresses get recycled and reused, this blacklist only contains IP addresses that have been seen associated with a malicious SSL certificate in the past 30 days. The false positive rate for this blacklist should therefore be low.
In addition, there is an IPs-only list available for download below. This is handy if you want to use the botnet C&Cs identified by SSLBL as a list of Indicators of Compromise (IOCs).
If you want to fetch a comprehensive list of all IP addresses that SSLBL has ever seen, please use the CSV provided below.
Caution!
I strongly recommend that you do not use the aggressive version of the Botnet C2 IP blacklist, as it will definitely cause false positives: it contains every IP address SSLBL has ever seen, including addresses that have long since been recycled. If you want to reduce the amount of false positives, use the blacklist above this box. If you want maximum protection and don't care about false positives, use the blacklist below this box (not recommended).
Suricata Botnet C2 IP Ruleset
Unlike SSLBL's Suricata SSL Certificate Ruleset, the Suricata Botnet C2 IP Ruleset can be used with both Suricata and Snort, because it matches on IP address and port only and needs no TLS-specific keywords. The ruleset contains all botnet Command&Control servers (C&Cs) identified by SSLBL as being associated with a blacklisted SSL certificate. If you are running Suricata or Snort, you can use this ruleset to detect and/or block network connections towards these hostile servers (IP address:port combinations).
The Suricata Botnet C2 IP Ruleset gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.
Note
As IP addresses get recycled and reused, this ruleset only contains IP addresses that have been seen associated with a malicious SSL certificate in the past 30 days. The false positive rate for this ruleset should therefore be low.
Download IDS Ruleset (Suricata and Snort)
Download IDS Ruleset (Suricata and Snort) - tar.gz
If you want to fetch a comprehensive ruleset of all IP addresses that SSLBL has ever seen, please use the ruleset provided below.
Caution!
I strongly recommend that you do not use the aggressive ruleset of the Botnet C2 IP list, as it will definitely cause false positives: it contains every IP address SSLBL has ever seen, including addresses that have long since been recycled. If you want to reduce the amount of false positives, use the ruleset above this box. If you want maximum protection and don't care about false positives, use the ruleset below this box (not recommended).
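The following Python example, added here and not SSLBL's own code, covers both the Botnet C2 IP Blacklist (CSV) and the Suricata Botnet C2 IP Ruleset sections: it loads a CSV in the Firstseen/DstIP/DstPort layout, applies the 30-day window that separates the normal list from the aggressive one, matches the result against outbound flow records, and emits IP:port rules in the plain alert syntax that both Suricata and Snort accept. The feed rows, the flow records, the reference time, the msg text and the SID range are all constructed assumptions.

```python
# Added example, not SSLBL's own code: load the Botnet C2 IP Blacklist CSV,
# apply the 30-day recency window, match outbound flows, emit IP:port rules.
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample: Firstseen, DstIP, DstPort. The addresses are RFC 5737
# documentation ranges, not real C2 servers; the last row is deliberately bad.
SAMPLE_C2_CSV = """\
# Firstseen,DstIP,DstPort
2024-03-01 10:00:00,198.51.100.23,443
2024-02-20 08:30:00,203.0.113.7,8443
2023-12-01 00:00:00,192.0.2.200,443
2024-03-02 09:00:00,999.1.1.1,443
"""

# Constructed outbound flow records as a SIEM might store them:
# (timestamp, source ip, destination ip, destination port).
SAMPLE_FLOWS = [
    ("2024-03-02 11:00:00", "10.0.0.5", "198.51.100.23", 443),
    ("2024-03-02 11:00:01", "10.0.0.5", "198.51.100.23", 80),
    ("2024-03-02 11:01:00", "10.0.0.9", "192.0.2.200", 443),
    ("2024-03-02 11:02:00", "10.0.0.9", "1.1.1.1", 443),
]

# Fixed "now" so the example is reproducible (an assumption for the demo).
REFERENCE_NOW = datetime(2024, 3, 2, 12, 0, 0, tzinfo=timezone.utc)


def parse_c2_blacklist(text):
    """Return {(ip, port): firstseen}. Comments and rows with an unparsable
    IP, port or timestamp are dropped so a bad feed line cannot become a block."""
    entries = {}
    for fields in csv.reader(io.StringIO(text)):
        if not fields or fields[0].startswith("#") or len(fields) != 3:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[1].strip()))
            port = int(fields[2])
            seen = datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        if not 0 < port < 65536:
            continue
        entries[(ip, port)] = seen.replace(tzinfo=timezone.utc)
    return entries


def recent_entries(entries, now, days=30):
    """The non-aggressive list: keep only pairs first seen within `days` days.
    Without this window you get the aggressive list and its false positives."""
    cutoff = now - timedelta(days=days)
    return {k: v for k, v in entries.items() if v >= cutoff}


def match_flows(flows, entries):
    """Return flow records whose destination IP:port is on the list. Matching
    the pair, not the bare IP, avoids flagging other services on a shared host."""
    return [f for f in flows if (f[2], f[3]) in entries]


def to_ip_rule(ip, port, sid):
    """One rule in syntax shared by Suricata and Snort (no TLS keywords needed).
    The msg text and SID range are assumptions, not SSLBL's."""
    return ('alert tcp $HOME_NET any -> %s %d '
            '(msg:"SSLBL: Botnet C2 server detected"; flow:to_server; '
            'sid:%d; rev:1;)' % (ip, port, sid))


def build_ip_ruleset(entries, base_sid=900100001):
    """Deterministic rule order (sorted) keeps SIDs stable between runs."""
    return [to_ip_rule(ip, port, base_sid + i)
            for i, (ip, port) in enumerate(sorted(entries))]


if __name__ == "__main__":
    recent = recent_entries(parse_c2_blacklist(SAMPLE_C2_CSV), REFERENCE_NOW)
    for hit in match_flows(SAMPLE_FLOWS, recent):
        print("C2 contact:", hit)
    for rule in build_ip_ruleset(recent):
        print(rule)
```

With the 30-day window applied, the flow to 192.0.2.200 is not reported, because that entry was first seen three months earlier; with the window removed (the aggressive list) it would be, which is exactly the extra hit, and the extra false-positive risk, the caution above is about.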
Botnet C2 DNS Response Policy Zone (RPZ)
By using a DNS Response Policy Zone (RPZ), also known as a DNS firewall, you can block the resolution of certain domain names on your DNS resolver. The SSLBL RPZ contains the IP addresses that serve an SSL certificate blacklisted on SSLBL. With the SSLBL RPZ loaded, any domain name resolving to one of these IP addresses is blocked, sinkholed or logged (depending on your DNS configuration). More information about DNS RPZ can be found on dnsrpz.info.
The Botnet C2 DNS RPZ gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.
Note
As IP addresses get recycled and reused, the SSLBL RPZ only contains IP addresses that have been seen associated with a malicious SSL certificate in the past 30 days. The false positive rate for this RPZ should therefore be low.
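To show what "any domain name resolving to such IP addresses will be blocked" looks like in zone data, here is an added Python example (not SSLBL's own RPZ generator) that builds an RPZ zone from an IPs-only list using response IP triggers (the rpz-ip owner-name encoding from the DNS RPZ specification). The sample IP list, the zone name, the SOA values and the serial are assumptions.

```python
# Added example, not SSLBL's own code: generate a DNS RPZ zone whose
# response-IP triggers (rpz-ip) act on answers pointing at blacklisted IPs.
import ipaddress

# Constructed sample of an IPs-only list: RFC 5737 / RFC 3849 documentation
# addresses, plus one junk line to show it is skipped.
SAMPLE_IPS = """\
# IPs-only list (constructed sample, not real feed data)
198.51.100.23
203.0.113.7
2001:db8::1
not an ip
"""

# RPZ action encodings: the CNAME target decides what the resolver returns.
ACTIONS = {
    "nxdomain": "CNAME .",            # answer NXDOMAIN
    "nodata": "CNAME *.",             # answer NODATA
    "passthru": "CNAME rpz-passthru.",  # allow (useful for an allowlist zone)
}


def rpz_ip_trigger(ip, prefixlen=None):
    """Owner name of an RPZ response-IP trigger.

    IPv4: <prefixlen>.<octets reversed>.rpz-ip, e.g. 32.23.100.51.198.rpz-ip
    IPv6: <prefixlen>.<16-bit groups reversed>.rpz-ip with '::' written as 'zz'
    A ValueError from ip_address() means the input was not an IP address."""
    addr = ipaddress.ip_address(ip.strip())
    if addr.version == 4:
        plen = 32 if prefixlen is None else prefixlen
        parts = str(addr).split(".")
    else:
        plen = 128 if prefixlen is None else prefixlen
        compressed = addr.compressed
        if "::" in compressed:
            head, tail = compressed.split("::")
            parts = ((head.split(":") if head else []) + ["zz"]
                     + (tail.split(":") if tail else []))
        else:
            parts = compressed.split(":")
    return "%d.%s.rpz-ip" % (plen, ".".join(reversed(parts)))


def build_rpz_zone(ips_text, action="nxdomain", serial=2024030201):
    """Return the text of a complete RPZ zone file for the given IP list."""
    rdata = ACTIONS[action]
    lines = [
        "$TTL 300",
        "@ IN SOA localhost. root.localhost. (%d 3600 600 86400 300)" % serial,
        "@ IN NS localhost.",
    ]
    for raw in ips_text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        try:
            trigger = rpz_ip_trigger(raw)
        except ValueError:
            continue  # junk line in the feed: skip it, do not abort the zone
        lines.append("%s %s" % (trigger, rdata))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rpz_zone(SAMPLE_IPS))
```

Because the trigger is on the answer's IP address rather than on the queried name, this catches a C2 domain you have never seen before as long as it resolves to a listed address; the flip side is that a legitimate name sharing an address with a recycled C2 server is blocked too, which is why the 30-day window in the note above matters for this feed as much as for the CSV.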
JA3 Fingerprint Blacklist (CSV)
JA3 is an open source method (and tool) for fingerprinting SSL/TLS client applications from the fields of their ClientHello. In the best case, a JA3 fingerprint lets you identify malware and botnet C2 traffic that uses SSL/TLS independently of the server or certificate it talks to. The CSV format is useful if you want to process the JA3 fingerprints further, e.g. by loading them into your SIEM. The CSV contains the following values:
- JA3 Fingerprint
- First seen (UTC)
- Last seen (UTC)
- Listing reason
The JA3 Fingerprint Blacklist (CSV) gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.
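As an added example (not SSLBL's or the JA3 project's own code), the following Python computes a JA3 fingerprint from ClientHello fields the way the JA3 method defines it (version, ciphers, extensions, elliptic curves and point formats joined with commas and dashes, GREASE values removed, MD5 of the result) and looks it up in a CSV with the four columns listed above. The ClientHello values and the blacklist rows are constructed; the matching hash is derived from the constructed ClientHello so the lookup has a hit.

```python
# Added example, not SSLBL's own code: compute JA3 from ClientHello fields and
# look the hash up in the JA3 Fingerprint Blacklist CSV.
import csv
import hashlib
import io

# GREASE values (RFC 8701) are dropped before hashing, as JA3 does, so that a
# client randomising its GREASE values still yields one stable fingerprint.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats
    with '-' between the values of a field, GREASE removed, order preserved.
    `version` is the ClientHello version field (771 = TLS 1.2)."""
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """The JA3 fingerprint: lowercase hex MD5 of the JA3 string."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed ClientHello of a (fictional) malware client, GREASE included.
SAMPLE_HELLO = dict(version=771,
                    ciphers=[0x1a1a, 4865, 4866, 49195],
                    extensions=[0x2a2a, 0, 23, 65281, 10, 11],
                    curves=[0x3a3a, 29, 23, 24],
                    point_formats=[0])

# Constructed blacklist CSV in the page's column order. The first hash is
# derived from SAMPLE_HELLO; the second is a placeholder, not a real listing.
SAMPLE_JA3_CSV = (
    "# ja3_md5,first_seen,last_seen,listing_reason\n"
    "%s,2024-01-05 10:00:00,2024-02-28 13:00:00,Constructed malware family\n"
    "00000000000000000000000000000001,2024-01-05 10:00:00,"
    "2024-02-28 13:00:00,Placeholder family\n" % ja3_hash(**SAMPLE_HELLO))


def parse_ja3_blacklist(text):
    """Return {ja3_md5: {first_seen, last_seen, reason}}, skipping comments
    and rows whose first column is not a 32-digit hex MD5."""
    entries = {}
    for fields in csv.reader(io.StringIO(text)):
        if not fields or fields[0].startswith("#") or len(fields) != 4:
            continue
        h = fields[0].strip().lower()
        if len(h) != 32 or any(c not in "0123456789abcdef" for c in h):
            continue
        entries[h] = {"first_seen": fields[1], "last_seen": fields[2],
                      "reason": fields[3]}
    return entries


def lookup(blacklist, **hello):
    """Return the blacklist entry for a ClientHello, or None. A hit identifies
    the client software, not the destination, so treat it as a lead to
    enrich, not proof of compromise on its own."""
    return blacklist.get(ja3_hash(**hello))


if __name__ == "__main__":
    bl = parse_ja3_blacklist(SAMPLE_JA3_CSV)
    print(ja3_string(**SAMPLE_HELLO))
    print(ja3_hash(**SAMPLE_HELLO), lookup(bl, **SAMPLE_HELLO))
```

The GREASE handling is the part that bites in practice: two captures of the same client differ in the random GREASE values, so without the filter one client would spread over many hashes and a blacklist built from malware PCAPs would miss it.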
Caution!
The JA3 fingerprints blacklisted on SSLBL have been collected by analysing more than 25,000,000 PCAPs generated by malware samples. These fingerprints have not been tested against known good traffic yet and may cause a significant amount of false positives (FPs)!
Suricata JA3 Fingerprint Ruleset
Suricata is an Open Source Network Intrusion Detection / Prevention System (IDS/IPS). If you are running Suricata, you can use SSLBL's Suricata JA3 Fingerprint Ruleset to detect and/or block malicious SSL connections in your network based on the JA3 fingerprint of the client. Please note that you need Suricata 4.1.0 or newer in order to use the JA3 fingerprint ruleset, as the JA3 keywords were introduced in that release; JA3 computation must also be enabled in suricata.yaml (the ja3-fingerprints setting of the TLS app-layer parser), otherwise the rules will never match.
The Suricata JA3 Fingerprint Ruleset gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.
Caution!
The JA3 fingerprints blacklisted on SSLBL have been collected by analysing more than 25,000,000 PCAPs generated by malware samples. These fingerprints have not been tested against known good traffic yet and may cause a significant amount of false positives (FPs)!
Terms of Service (ToS)
By using the website of SSLBL, or any of the services / datasets referenced above, you agree that:
- All datasets offered by SSLBL can be used for both commercial and non-commercial purposes without any limitations (CC0)
- Any data offered by SSLBL is served as-is, on a best-effort basis
- SSLBL cannot be held liable for any false positive or damage caused by the use of the website or the datasets offered above