SSLBL Suricata Ruleset

peppetech · 17 July 2025 22:46

Looks dead as well as the rest of the SSLBL.

This was the last source to go for the SSLBL Blocklist.

There haven’t been any updates since June 25

################################################################
# abuse.ch Suricata IDS SSL Certificate Ruleset                #
# For Suricata 4.1.0 or newer                                  #
# Last updated: 2025-06-25 06:50:28 UTC                        #
#                                                              #
# Terms Of Use: https://sslbl.abuse.ch/blacklist/              #
# For questions please contact sslbl [at] abuse.ch             #
################################################################
#
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"SSLBL: Malicious SSL certificate detected (Shylock C&C)";

ms · 18 July 2025 10:02

It sadly looks like this.

@bonnietwin, would you like to submit a patch to remove this from our list?

bloater99 · 18 July 2025 10:25

Their resource page seems still active. Maybe something temporary is going on?

bonnietwin · 18 July 2025 13:22

Will do so when i am back home.

bonnietwin · 18 July 2025 13:23

Will do so when i am back home.

bonnietwin · 18 July 2025 13:26

Sorry for the double post.

The wifi quality here is terrible. Keeps stopping then restarting.

bonnietwin · 18 July 2025 13:50

They had previously another list that was not updated for many weeks but the web site still said it was being updated many times per day.

When i have emailed them about these sorts of issues, i never ever got any reply.

Feel free to contact them. Maybevyou will have more luck than me.

hvacguy · 18 July 2025 20:46

Looks like they may have gone closed source. With there new relation ship with AWS.
It seams this is becoming more common.
Which us very disappointing.

dauphin · 18 July 2025 21:50

Disappointing to see yet another project drifting closed source,especially with that shiny new AWS partnership. Sad day for the open source community.

The Suricata lads, though? They’ve been quietly waiting for this moment like it’s game day

bonnietwin · 18 July 2025 22:13

Just had a look at all the lists on the Abus.ch SSL blacklist page. All of them are either listed as deprecated or haven’t been updated for some time. None of the lists on that page have been recently updated.

SSL Certificate Blacklist (CSV)                    last updated on 2025-06-25
Suricata SSL Certificate Ruleset                   last updated on 2025-06-25
Botnet C2 IP Blacklist (CSV)                      deprecated on 2025-01-03
Suricata Botnet C2 IP Ruleset                     deprecated on 2025-01-03
Botnet C2 DNS Response Policy Zone (RPZ)          deprecated on 2025-02-28
JA3 Fingerprint Blacklist (CSV)                   last updated on 2021-08-03
Suricata JA3 Fingerprint Ruleset                  last updated on 2021-08-03

Basically all the lists from Abuse.ch are no longer supported.

Abuse.ch are now part of Spamhaus and the Abuse.ch offerring from Spamhaus is for Real Time Threat intelligence feeds for which you have to pay.

As far as I can see Spamhaus now charge for all their services except for the DROP list.

ms · 19 July 2025 15:32

I agree. We will need to remove all lists. I thought the SSLBL was the last one that we were using.

bonnietwin · 20 July 2025 08:21

Yes it is.

I just had a look to see if anything is still valid and found it is all no longer valid, some of them since 2021.

Basically there is now an abuse.ch web site that has no lists still being updated or some even without any contents now but no mention anywhere on the web page.

Really a poor support situation.

peppetech · 23 July 2025 17:26

Yes, the founder of abuse CH “sold out”
I think his name is Roman. To his credit, he put a lot of effort into fighting malware and phishing and getting results.

and Yes, pretty much most of abuse.ch lists were discontinued but these are still active and functional:

FEODOTRACKER - empty for a good reason

https://feodotracker.abuse.ch/downloads/feodotracker_aggressive.rules
https://feodotracker.abuse.ch/downloads/feodotracker.rules
https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt

this ruleset / blocklist happens to be empty right now but only because the authorities started doing their job. Just lookup Operation Endgame.

URLHAUS (I get occasional timeout 3-4 times a month but it is working sofar)

https://urlhaus.abuse.ch/downloads/ids/
https://urlhaus.abuse.ch/downloads/rpz/

THREATFOX - still a very large database (will eat most of your RAM)
https://threatfox.abuse.ch/downloads/threatfox_suricata.rules
https://threatfox.abuse.ch/downloads/threatfox.rpz

bonnietwin · 23 July 2025 18:48

The aggressive rules should not be used. They were removed from IPFire a while back.
This is a file that contains every botnet that has ever been detected by Feodo since they started tracking, including all botnets that no longer exist because the users re-installed their systems. So it has a huge false positive rate.

The feodotracker rules is a list of all botnets that were active in the last 30 days. So there can again be a high false positive rate as withing 30 days the botnets could be taken down or the users of the systems realise they are infected and re-install. Again removed from IPFire at the same time as the aggressive ruleset.

The recommended feodo rules list contains botnets that have been active in the last few hours. False positive rate pretty low. It can be empty and from CU196 omwards the IDS will accept empty rulesets, so that users don’t end up with an out of date ruleset because the replacement was not uploaded due to being empty.

This is not used in IPFire.
Looking at the contents and as abuse.ch is part of spamhaus now, it is not clear to me why the IP’s that they list are not in the DROP list from spamhaus. Some of them are but some of them are not.
The more sensible thing would be for spamhaus to merge the urlhaus list into the DROP list unless they have concerns about the false positive rate.

I added the threatfox rules to my IPFire system and even after 15 minutes the memory stabilised at around 1.8GB compared to 400MB before but that still left me with 80% of my memory free. So I can’t replicate the “most of RAM being used up” scenario. My system has 8GB RAM.

bloater99 · 23 July 2025 18:59

I agree. I use 5 different rulesets including Threatfox and the IPS has never gotten over about 2.7GB on my 8GB system.

peppetech · 3 August 2025 17:58

I agree, I included the aggressive list just to compare with the recommended list. You can see how it looked before and after Operation Endgame.

These are not IP’s necessarily, but URL’s. This list is also available just as a list of domains. If you check the RPZ addon thread that Jon created, it is a decent RPZ list to use.. This might be helpful mitigating some of the “fast-flux” techniques.

using 8 GB of RAM must be amazing,

peppetech · 3 August 2025 18:18

Who ever runs the abuse lists finally posted a clarification on their blog - pretty much confirming that we need to pay to play.

Who will have to pay to access the data?

Spamhaus Technology is making the abuse.ch data available to organizations that are NOT making significant contributions to the community, but are deriving commercial gain from the use of this data. And yes, a cost will be associated with accessing these feeds. Users of the paid version of the data will get additional benefits such as unified APIs, including access to technical documentation and more efficient false positive remediation.

Meanwhile, if you contribute data, you will be able to access the data for free.