Snort - Signatures and IPTables-List out of SSH - Blacklists
dogtown.mare-system.de provides a set of snort-rules (drop and/or alert) and iptables-block-scripts, compiled from different SSH-blacklist (SSHBL) sources (see the list below). We release a current tgz-archive in oinkmaster-format, updated every 6 hours.
PLEASE NOTE: NO WARRANTY OF ANY KIND, USE AT YOUR OWN RISK
- these rules are still experimental; there is absolutely no QA and no test of whether snort/suricata/iptables will even load these rules and scripts, and they should be used for testing purposes only.
News
- NEW: a cumulated list of known_bad IPs (IPs that show up in more than one blocklist source) is now available (see List of files included / known_bad.ip)
- NEW: We're exchanging data with Blocklist.de and incorporating their SSH-Blocklist into this set of Snort-Sigs and IPTables-Scripts.
List of Sources
- Blocklist.de provides an SSH-Blocklist, which we included in this set of Snort-Sigs and IPTables-Scripts.
- dogtown (MARE system R&D labs) runs a set of sensors collecting data for our own blocklist (SSH and Web-Attacks). We included output from these lists in the rulesets.
- Team Cymru's Dragon Research Group releases a set of interesting research papers regarding SSH brute-force, together with an attacker IP list. We compile this list and publish a set of Snort-Rules and an IPTABLES-script (see below for download).
- OpenBL.org (formerly known as sshbl.org) provides a current list of IPs that tried brute-force logins or were denied access to SSH accounts on different servers in the USA and Germany.
Oinkmaster-TGZ (all .rules / iptables-lists included)
- Cumulated IP-List ( sort | uniq ): http://dogtown.mare-system.de/download/rules/blacklist.ip
List of files included
- blacklist.ip - cumulated IP-list ( sort | uniq ) over all sources
- blacklist.modsec - cumulated list of IPs for import into modsec / squid etc.
- known_bad.ip - list of IPs that show up in more than one list
- $PROVIDER-DROP.rules - snort-sigs with fwsam drop action included
- $PROVIDER.rules - snort-sigs, alert only
- $PROVIDER_iptables.list - iptables block-rules (block the whole IP)
- $PROVIDER_iptables-port22.list - iptables block-rules (block the IP on port 22 only)
- all files have an md5-sum ($file.md5.txt) attached
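The following is an added example (not the dogtown build script, whose internals this page does not show) of how the files above relate to each other: several per-provider IP lists are validated, merged into a blacklist.ip-style union and a known_bad.ip-style intersection, and then rendered as iptables block-rules (whole IP vs. port 22 only) and snort alert/drop signatures, plus a check of a downloaded file against its md5.txt. The three feeds are constructed sample data in RFC 5737 documentation ranges; the snort message text, the sid range starting at 9000000 and the use of snort's own `drop` action instead of fwsam are assumptions of this example, not the published rule format.

```python
import hashlib
import ipaddress
from collections import Counter

# Constructed sample feeds (one address per line, as the *.ip files are laid
# out). Includes a duplicate, a comment line and a malformed entry on purpose.
SAMPLE_FEEDS = {
    "Blocklist.de": "198.51.100.7\n203.0.113.9\n198.51.100.7\n",
    "Dogtown":      "203.0.113.9\n192.0.2.44\nnot-an-ip\n",
    "DRGBlacklist": "192.0.2.44\n203.0.113.9\n# comment line\n",
}

def _sort_key(ip):
    # IPv4 and IPv6 objects do not compare with each other; sort by family first.
    a = ipaddress.ip_address(ip)
    return (a.version, a)

def parse_ip_list(text):
    """Return the set of valid addresses in a feed, skipping blank, comment and
    malformed lines. A feed is untrusted input: never splice raw lines into an
    iptables or snort file, validate each entry first."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # malformed entry: drop it rather than break the generated script
    return ips

def cumulated(feeds):
    """blacklist.ip equivalent: union of all feeds (what `sort | uniq` gives)."""
    out = set()
    for text in feeds.values():
        out |= parse_ip_list(text)
    return sorted(out, key=_sort_key)

def known_bad(feeds):
    """known_bad.ip equivalent: addresses present in more than one feed."""
    counts = Counter()
    for text in feeds.values():
        counts.update(parse_ip_list(text))  # a set, so each feed counts at most once
    return sorted((ip for ip, n in counts.items() if n > 1), key=_sort_key)

def iptables_rules(ips, port=None):
    """One DROP rule per IP: whole host (port=None) or only TCP port `port`."""
    rules = []
    for ip in ips:
        if port is None:
            rules.append(f"iptables -A INPUT -s {ip} -j DROP")
        else:
            rules.append(f"iptables -A INPUT -s {ip} -p tcp --dport {port} -j DROP")
    return rules

def snort_rules(ips, provider, sid_base=9000000, drop=False):
    """One rule per IP for inbound SSH. The msg text, sid range and `drop` action
    are assumptions of this example, not the published rule format."""
    action = "drop" if drop else "alert"
    return [
        f'{action} tcp {ip} any -> $HOME_NET 22 '
        f'(msg:"SSHBL {provider} listed host {ip}"; flow:to_server; '
        f'sid:{sid_base + i}; rev:1;)'
        for i, ip in enumerate(ips)
    ]

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def md5_matches(data, published_md5):
    """Compare a downloaded file with the $file.md5.txt value (accepts the
    `md5sum` layout "hash  filename"). This catches truncated or corrupted
    downloads only; an MD5 fetched over the same plain-HTTP channel does not
    authenticate the publisher."""
    return md5_hex(data) == published_md5.strip().split()[0].lower()

if __name__ == "__main__":
    print("# blacklist.ip:", cumulated(SAMPLE_FEEDS))
    print("# known_bad.ip:", known_bad(SAMPLE_FEEDS))
    for line in iptables_rules(known_bad(SAMPLE_FEEDS), port=22):
        print(line)
    for line in snort_rules(known_bad(SAMPLE_FEEDS), "known_bad", drop=True):
        print(line)
```

Two operational caveats when running lists like these every 6 hours: `-A` appends, so reloading a list without first flushing the chain (or using a dedicated chain you can flush) accumulates duplicate rules, and for lists of thousands of addresses an `ipset` hash set referenced by a single iptables rule scales far better than one rule per IP.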
Blocklist.de - Snort-Sigs
- recent IPs: http://dogtown.mare-system.de/download/rules/Blocklist.de.rules (NO_DROP)
Blocklist.de - IPTables-Script
- block all traffic: http://dogtown.mare-system.de/download/rules/Blocklist.de_iptables.list
- block traffic on port 22: http://dogtown.mare-system.de/download/rules/Blocklist.de_iptables-port22.list
Dogtown - Snort-Sigs
- recent IPs: http://dogtown.mare-system.de/download/rules/Dogtown.rules (NO_DROP)
Dogtown - IPTables-Script
- block all traffic: http://dogtown.mare-system.de/download/rules/Dogtown_iptables.list
- block traffic on port 22: http://dogtown.mare-system.de/download/rules/Dogtown_iptables-port22.list
DRG-Blacklist - Snort-Sigs
- recent IPs: http://dogtown.mare-system.de/download/rules/DRGBlacklist.rules (NO_DROP)
DRG-Blacklist - IPTables-Script
- block all traffic: http://dogtown.mare-system.de/download/rules/DRGBlacklist_iptables.list
- block traffic on port 22: http://dogtown.mare-system.de/download/rules/DRGBlacklist_iptables-port22.list
SSHBlacklist - Snort-Sigs
- recent 30days - IPs: http://dogtown.mare-system.de/download/rules/SSHBlacklist-DROP.rules
- recent 30days / NoDrop: http://dogtown.mare-system.de/download/rules/SSHBlacklist.rules
SSHBlacklist - IPTables-Script
- block all traffic: http://dogtown.mare-system.de/download/rules/SSHBlacklist-iptables.list
- block traffic on port 22: http://dogtown.mare-system.de/download/rules/SSHBlacklist-iptables-port22.list
snort/sshbl_rules.txt · Last modified: 2012/09/05 19:33 (external edit)