################################################################
# abuse.ch SSLBL Snort / Suricata Botnet C2 IP Ruleset        #
# Last updated: 2024-04-17 18:50:38 UTC                        #
#                                                              #
# Terms Of Use: https://sslbl.abuse.ch/blacklist/              #
# For questions please contact sslbl [at] abuse.ch             #
################################################################
#
# What these rules match:
#   Every rule alerts on an already-established TCP session from
#   $HOME_NET toward one listed destination IP and port
#   (flow:established,to_server). There is no payload, certificate
#   or TLS-fingerprint content match in this file; detection is
#   purely destination-IP:port reputation as of the snapshot date
#   above, so a host that is later re-assigned will keep alerting
#   until the ruleset is refreshed.
#
# Alert volume:
#   "threshold: type limit, track by_src, seconds 60, count 1" caps
#   each rule at one alert per internal source address per 60 s.
#
# Deployment notes:
#   - $HOME_NET must be defined in the engine configuration; if it
#     resolves to "any", these rules fire for any source address.
#   - sids run sequentially from 904200000 in list order and all
#     carry rev:1; whether a sid stays bound to the same IP across
#     feed regenerations is not stated here - confirm before keying
#     correlation or suppression on sid.
#   - The malware family in each msg is qualified as "likely" by the
#     feed; treat it as a triage hint rather than an attribution.
#
alert tcp $HOME_NET any -> [65.109.242.73] 443 (msg:"SSLBL: Traffic to malicious host (likely zgRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200000; rev:1;)
alert tcp $HOME_NET any -> [45.32.168.59] 4040 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200001; rev:1;)
alert tcp $HOME_NET any -> [173.211.46.114] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200002; rev:1;)
alert tcp $HOME_NET any -> [157.90.25.39] 5432 (msg:"SSLBL: Traffic to malicious host (likely PureLogStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200003; rev:1;)
alert tcp $HOME_NET any -> [49.13.149.204] 9000 (msg:"SSLBL: Traffic to malicious host (likely Vidar C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200004; rev:1;)
alert tcp $HOME_NET any -> [65.109.242.131] 443 (msg:"SSLBL: Traffic to malicious host (likely MarsStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200005; rev:1;)
alert tcp $HOME_NET any -> [195.201.47.150] 5432 (msg:"SSLBL: Traffic to malicious host (likely Vidar C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200006; rev:1;)
alert tcp $HOME_NET any -> [45.11.229.96] 56001 (msg:"SSLBL: Traffic to malicious host (likely PureLogStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200007; rev:1;)
alert tcp $HOME_NET any -> [91.207.102.163] 9899 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200008; rev:1;)
alert tcp $HOME_NET any -> [51.79.171.174] 1337 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200009; rev:1;)
alert tcp $HOME_NET any -> [185.125.50.121] 56001 (msg:"SSLBL: Traffic to malicious host (likely PureLogStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200010; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.169] 3434 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200011; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.209] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200012; rev:1;)
alert tcp $HOME_NET any -> [16.171.25.219] 8099 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200013; rev:1;)
alert tcp $HOME_NET any -> [162.230.48.189] 56001 (msg:"SSLBL: Traffic to malicious host (likely PureLogStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200014; rev:1;)
alert tcp $HOME_NET any -> [95.217.42.84] 56001 (msg:"SSLBL: Traffic to malicious host (likely PureLogStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200015; rev:1;)
alert tcp $HOME_NET any -> [144.217.189.92] 3000 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200016; rev:1;)
alert tcp $HOME_NET any -> [94.156.10.119] 443 (msg:"SSLBL: Traffic to malicious host (likely AgentTesla C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200017; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.44] 4787 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200018; rev:1;)
alert tcp $HOME_NET any -> [217.63.234.90] 1313 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200019; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.85] 56001 (msg:"SSLBL: Traffic to malicious host (likely PureLogStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200020; rev:1;)
alert tcp $HOME_NET any -> [194.62.248.64] 56001 (msg:"SSLBL: Traffic to malicious host (likely PureLogStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200021; rev:1;)
alert tcp $HOME_NET any -> [45.157.69.156] 443 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200022; rev:1;)
alert tcp $HOME_NET any -> [172.94.105.163] 2222 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200023; rev:1;)
alert tcp $HOME_NET any -> [51.142.10.24] 80 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:904200024; rev:1;)
# END (25) entries