Blacklist

SSLBL offers various blacklists in different formats for different purposes. The blacklists are documented below.


SSL Certificate Blacklist (CSV)


The SSL Certificate Blacklist (CSV) is a CSV file that contains the SHA1 fingerprints of all SSL certificates blacklisted on SSLBL. This format is useful if you want to process the blacklisted SSL certificates further, e.g. by loading them into your SIEM. The CSV contains the following values:

The SSL Certificate Blacklist (CSV) gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.

Download CSV

Suricata SSL Certificate Ruleset


Suricata is an Open Source Network Intrusion Detection / Prevention System (IDS/IPS). If you are running Suricata, you can use SSLBL's Suricata SSL Certificate Ruleset to detect and/or block malicious SSL connections in your network based on the SSL certificate fingerprint.

Download IDS Ruleset (Suricata 1.4 or newer)

Download IDS Ruleset (Suricata 1.4 or newer) - tar.gz

In addition, SSLBL provides a more performant Suricata ruleset that uses tls_cert_fingerprint instead of tls.fingerprint. Please use either the ruleset above (sslblacklist.rules) OR sslblacklist_tls_cert.rules from below. Do not use both of them at the same time.

The Suricata SSL Certificate Ruleset gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.

Download IDS Ruleset (Suricata 4.1.0 or newer)

Download IDS Ruleset (Suricata 4.1.0 or newer) - tar.gz
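The "one ruleset or the other, never both" requirement above can be checked before Suricata is reloaded. The following is an added example, not SSLBL or Suricata project code; it assumes the rulesets are enabled through the `rule-files` list of `suricata.yaml`, and the sample configuration is constructed.

```python
import re

# The two SSLBL certificate rulesets named on this page; load one, never both.
LEGACY = "sslblacklist.rules"           # tls.fingerprint, Suricata 1.4 or newer
FAST = "sslblacklist_tls_cert.rules"    # tls_cert_fingerprint, Suricata 4.1.0 or newer

# Constructed sample configuration (assumption: rules are listed under rule-files).
SAMPLE_YAML = """\
default-rule-path: /etc/suricata/rules
rule-files:
  - suricata.rules
  - sslblacklist.rules
  # - local.rules
  - /etc/suricata/rules/sslblacklist_tls_cert.rules
classification-file: /etc/suricata/classification.config
"""

def enabled_rule_files(suricata_yaml):
    """Return the entries of the rule-files list, skipping commented-out lines."""
    files, in_list = [], False
    for raw in suricata_yaml.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # drop comments
        if not line.strip():
            continue
        if re.match(r"^rule-files\s*:", line):
            in_list = True
        elif in_list:
            m = re.match(r"^\s*-\s*(\S+)", line)
            if m:
                files.append(m.group(1).strip("'\""))
            else:
                in_list = False                 # next key ends the list
    return files

def check_sslbl_rulesets(suricata_yaml):
    """Return 'conflict', 'tls_cert', 'legacy' or 'none' for the enabled SSLBL rulesets."""
    names = {f.rsplit("/", 1)[-1] for f in enabled_rule_files(suricata_yaml)}
    if LEGACY in names and FAST in names:
        return "conflict"                       # both loaded: remove one of them
    if FAST in names:
        return "tls_cert"
    return "legacy" if LEGACY in names else "none"

if __name__ == "__main__":
    print(check_sslbl_rulesets(SAMPLE_YAML))
```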

Botnet C2 IP Blacklist (CSV)


An SSL certificate can be associated with one or more servers (IP address:port combination). SSLBL collects IP addresses that are running with an SSL certificate blacklisted on SSLBL. These are usually botnet Command&Control servers (C&C). SSLBL hence publishes a blacklist containing these IPs which can be used to detect botnet C2 traffic from infected machines towards the internet, leaving your network. The CSV format is useful if you want to process the blacklisted IP addresses further, e.g. loading them into your SIEM. The CSV contains the following values:

The Botnet C2 IP Blacklist gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.

Download CSV
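Matching outbound flows against the Botnet C2 IP Blacklist on the IP address:port combination, while honouring the 5-minute fetch limit, can look like the following. This is an added example, not SSLBL code; the column order `Firstseen,DstIP,DstPort`, the `#` comment lines and the flow tuples are assumptions, and all sample data is constructed.

```python
import csv
import io
import ipaddress

MIN_FETCH_INTERVAL = 300  # seconds; the list is regenerated every 5 minutes

# Constructed sample in the assumed layout; documentation-range IPs only.
SAMPLE_CSV = """\
# Constructed sample, not real SSLBL data
# Firstseen,DstIP,DstPort
2024-01-01 10:00:00,192.0.2.10,443
2024-01-02 11:30:00,198.51.100.7,8443
2024-01-03 09:00:00,not-an-ip,443
"""

# Constructed flow records: (internal source, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 443),   # listed IP and listed port
    ("10.0.0.6", "192.0.2.10", 80),    # listed IP, different port
    ("10.0.0.7", "203.0.113.9", 443),  # unlisted IP
]

def should_fetch(last_fetch, now):
    """True when the cached copy is missing or at least 5 minutes old."""
    return last_fetch is None or now - last_fetch >= MIN_FETCH_INTERVAL

def load_blacklist(text):
    """Map (ip, port) -> first-seen timestamp, skipping comments and bad rows."""
    entries = {}
    lines = (l for l in io.StringIO(text) if l.strip() and not l.startswith("#"))
    for row in csv.reader(lines):
        if len(row) != 3:
            continue
        first_seen, ip, port = (c.strip() for c in row)
        try:
            entries[(ipaddress.ip_address(ip), int(port))] = first_seen
        except ValueError:
            continue  # malformed address or port
    return entries

def match_flows(flows, blacklist):
    """Return flows whose destination IP *and* port are both blacklisted."""
    hits = []
    for src, dst, dport in flows:
        key = (ipaddress.ip_address(dst), int(dport))
        if key in blacklist:
            hits.append((src, dst, dport, blacklist[key]))
    return hits

if __name__ == "__main__":
    print(match_flows(SAMPLE_FLOWS, load_blacklist(SAMPLE_CSV)))
```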

In addition, there is an IPs-only list available for download below. This is handy if you want to use botnet C&Cs identified by SSLBL as a list of Indicators of Compromise (IOCs).

Download IPs only

If you want to fetch a comprehensive list of all IP addresses that SSLBL has ever seen, please use the CSV provided below.

Download CSV (Aggressive)

In addition, there is an IPs-only list available for download below. This is handy if you want to use botnet C&Cs identified by SSLBL as a list of Indicators of Compromise (IOCs).

Download IPs only (Aggressive)

Suricata Botnet C2 IP Ruleset


Unlike SSLBL's Suricata SSL Certificate Ruleset, the Suricata Botnet C2 IP Ruleset can be used with both Suricata and Snort. The ruleset contains all botnet Command&Control servers (C&Cs) identified by SSLBL to be associated with a blacklisted SSL certificate. If you are running Suricata or Snort, you can use this ruleset to detect and/or block network connections towards hostile servers (IP address:port combination).

The Suricata Botnet C2 IP Ruleset gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.

Download IDS Ruleset (Suricata and Snort)

Download IDS Ruleset (Suricata and Snort) - tar.gz

If you want to fetch a comprehensive ruleset of all IP addresses that SSLBL has ever seen, please use the ruleset provided below.

Download IDS Ruleset (Aggressive)

Download IDS Ruleset (Aggressive) - tar.gz

Botnet C2 DNS Response Policy Zone (RPZ)


By using a DNS Response Policy Zone (RPZ), also known as DNS firewall, you can block the resolution of certain domain names on your DNS resolver. The SSLBL RPZ contains IP addresses that are running with an SSL certificate blacklisted on SSLBL. By using the SSLBL RPZ, any domain names resolving to such IP addresses will be blocked, sinkholed or logged (depending on your DNS configuration). More information about DNS RPZ can be found on dnsrpz.info.

The Botnet C2 DNS RPZ gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.

Download RPZ
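An RPZ that acts on the addresses a name resolves to uses response-IP triggers, whose owner names encode the prefix length followed by the reversed octets and the `rpz-ip` label. The following added example (not SSLBL code) encodes and decodes IPv4 triggers and reports which records a resolved address would hit; it assumes the zone uses this standard `rpz-ip` encoding, and the zone content is constructed.

```python
import ipaddress

# Constructed sample zone, not real SSLBL data; "CNAME ." is the RPZ NXDOMAIN action.
SAMPLE_ZONE = """\
; constructed sample
$TTL 300
@ SOA localhost. root.localhost. 1 300 300 300 300
@ NS localhost.
32.10.2.0.192.rpz-ip CNAME .
24.0.100.51.198.rpz-ip CNAME .
"""

def rpz_ip_owner(network):
    """Encode an IPv4 address or network as an rpz-ip trigger owner name."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4:
        raise ValueError("this example handles IPv4 only")
    octets = str(net.network_address).split(".")
    return ".".join([str(net.prefixlen)] + octets[::-1]) + ".rpz-ip"

def parse_rpz_ip(owner):
    """Decode an IPv4 rpz-ip owner name (relative or fully qualified), else None."""
    labels = owner.rstrip(".").split(".")
    if len(labels) < 6 or labels[5] != "rpz-ip":
        return None
    try:
        octets = ".".join(labels[1:5][::-1])
        return ipaddress.ip_network("{}/{}".format(octets, int(labels[0])), strict=False)
    except ValueError:
        return None

def triggered_by(answer_ip, zone_text):
    """Return (network, action) for every trigger covering a resolved address."""
    addr = ipaddress.ip_address(answer_ip)
    hits = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop zone-file comments
        if len(fields) < 3:
            continue
        net = parse_rpz_ip(fields[0])
        if net is not None and addr in net:
            hits.append((str(net), " ".join(fields[1:])))
    return hits

if __name__ == "__main__":
    print(triggered_by("198.51.100.77", SAMPLE_ZONE))
```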

JA3 Fingerprint Blacklist (CSV)


JA3 is an open source tool used to fingerprint SSL/TLS client applications. In the best case, you can use JA3 to identify malware and botnet C2 traffic that is leveraging SSL/TLS. The CSV format is useful if you want to process the JA3 fingerprints further, e.g. loading them into your SIEM. The CSV contains the following values:

The JA3 Fingerprint Blacklist (CSV) gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.

Download JA3 Fingerprints

Suricata JA3 Fingerprint Ruleset


Suricata is an Open Source Network Intrusion Detection / Prevention System (IDS/IPS). If you are running Suricata, you can use SSLBL's Suricata JA3 Fingerprint Ruleset to detect and/or block malicious SSL connections in your network based on the JA3 fingerprint. Please note that you need Suricata 4.1.0 or newer in order to use the JA3 fingerprint ruleset.

The Suricata JA3 Fingerprint Ruleset gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.

Download JA3 IDS Ruleset (Suricata 4.1.0 or newer)

Download JA3 IDS Ruleset (Suricata 4.1.0 or newer) - tar.gz

Terms of Services (ToS)


By using the website of SSLBL, or any of the services / datasets referenced above, you agree that: