################################################################
# abuse.ch SSLBL Snort / Suricata Botnet C2 IP Ruleset         #
# Last updated: 2024-12-01 11:51:09 UTC                        #
#                                                              #
# Terms Of Use: https://sslbl.abuse.ch/blacklist/              #
# For questions please contact sslbl [at] abuse.ch             #
################################################################
#
# How to read this file (reviewer notes):
#  - Each rule is a pure destination-reputation match: it fires on TCP traffic
#    from $HOME_NET to one listed IP on one listed port. No content/ssl/tls
#    keywords are used, so nothing in the payload or certificate is inspected
#    here; the "SSLBL" in the name refers to how abuse.ch sourced the IPs, not
#    to what the rule checks. $HOME_NET is an engine variable that must be
#    defined in the sensor config for these rules to scope correctly.
#  - flow:established,to_server limits the alert to completed TCP handshakes in
#    the client-to-server direction, so a SYN to a listed host alone does not
#    trigger it.
#  - threshold: type limit, track by_src, seconds 60, count 1 emits at most one
#    alert per source host, per rule, per 60 seconds; repeat connections inside
#    the window are suppressed, so use flow/connection logs rather than alert
#    counts to measure activity. NOTE(review): newer Snort/Suricata releases may
#    prefer detection_filter / event_filter over the threshold rule option -
#    confirm against the engine's documentation before loading.
#  - sids run 904200000-904200036, all rev:1. The "likely <family>" text in msg
#    is abuse.ch's attribution of the IP:port pair; some IPs appear under more
#    than one family/port (e.g. 45.95.214.119 on 8080 and 1604, 193.161.193.99
#    on 32471 and 57338), so treat the family name as a hint, not a confirmed ID.
#  - This is a dated snapshot (2024-12-01). IP reputation lists age quickly;
#    refresh from the source before deploying. The END marker below should read
#    37 entries.
#
alert tcp $HOME_NET any -> [139.99.188.124] 56001 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200000; rev:1;)
alert tcp $HOME_NET any -> [2.56.179.212] 4445 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200001; rev:1;)
alert tcp $HOME_NET any -> [116.203.12.9] 443 (msg:"SSLBL: Traffic to malicious host (likely Vidar C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200002; rev:1;)
alert tcp $HOME_NET any -> [157.245.148.149] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200003; rev:1;)
alert tcp $HOME_NET any -> [192.30.241.106] 56001 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200004; rev:1;)
alert tcp $HOME_NET any -> [64.95.10.19] 56001 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200005; rev:1;)
alert tcp $HOME_NET any -> [94.103.125.231] 2626 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200006; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.23] 37754 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200007; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 32471 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200008; rev:1;)
alert tcp $HOME_NET any -> [87.120.117.69] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200009; rev:1;)
alert tcp $HOME_NET any -> [185.208.159.79] 56001 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200010; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 57338 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200011; rev:1;)
alert tcp $HOME_NET any -> [92.255.57.151] 2012 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200012; rev:1;)
alert tcp $HOME_NET any -> [179.43.171.196] 5982 (msg:"SSLBL: Traffic to malicious host (likely Rhadamanthys C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200013; rev:1;)
alert tcp $HOME_NET any -> [185.196.9.94] 56002 (msg:"SSLBL: Traffic to malicious host (likely RustyStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200014; rev:1;)
alert tcp $HOME_NET any -> [172.81.130.139] 56001 (msg:"SSLBL: Traffic to malicious host (likely PureCrypter C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200015; rev:1;)
alert tcp $HOME_NET any -> [154.83.15.5] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200016; rev:1;)
alert tcp $HOME_NET any -> [14.128.14.7] 3232 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200017; rev:1;)
alert tcp $HOME_NET any -> [45.95.214.119] 8080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200018; rev:1;)
alert tcp $HOME_NET any -> [95.179.135.209] 1989 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200019; rev:1;)
alert tcp $HOME_NET any -> [45.141.215.18] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200020; rev:1;)
alert tcp $HOME_NET any -> [5.75.213.159] 443 (msg:"SSLBL: Traffic to malicious host (likely Vidar C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200021; rev:1;)
alert tcp $HOME_NET any -> [148.113.192.160] 443 (msg:"SSLBL: Traffic to malicious host (likely Havoc C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200022; rev:1;)
alert tcp $HOME_NET any -> [45.149.241.140] 7771 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200023; rev:1;)
alert tcp $HOME_NET any -> [45.10.151.182] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200024; rev:1;)
alert tcp $HOME_NET any -> [185.241.208.156] 8080 (msg:"SSLBL: Traffic to malicious host (likely VenomRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200025; rev:1;)
alert tcp $HOME_NET any -> [45.147.46.188] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200026; rev:1;)
alert tcp $HOME_NET any -> [65.109.243.177] 443 (msg:"SSLBL: Traffic to malicious host (likely Vidar C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200027; rev:1;)
alert tcp $HOME_NET any -> [93.123.109.195] 1987 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200028; rev:1;)
alert tcp $HOME_NET any -> [79.110.49.79] 5829 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200029; rev:1;)
alert tcp $HOME_NET any -> [87.120.117.209] 56001 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200030; rev:1;)
alert tcp $HOME_NET any -> [194.87.54.176] 2011 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200031; rev:1;)
alert tcp $HOME_NET any -> [79.110.49.113] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200032; rev:1;)
alert tcp $HOME_NET any -> [194.59.31.47] 1960 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200033; rev:1;)
alert tcp $HOME_NET any -> [193.124.205.71] 5228 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200034; rev:1;)
alert tcp $HOME_NET any -> [45.95.214.119] 1604 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200035; rev:1;)
alert tcp $HOME_NET any -> [162.230.48.189] 56001 (msg:"SSLBL: Traffic to malicious host (likely XWorm C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200036; rev:1;)
# END (37) entries