    BBC_C2 added www.netgate.com / docs.netgate.com

    • RicoR
      Rico LAYER 8 Rebel Alliance
      last edited by

      208.123.73.73,IP used by qsnatch C&C,2020-10-05 18:13,http://osint.bambenekconsulting.com/manual/qsnatch.txt
      This is ridiculous...deleting BBC_C2_v4 and ISC_1000_30_v4 now, feels like they are just adding random IPs.

      -Rico

      • DaddyGoD
        DaddyGo @Rico
        last edited by DaddyGo

        @Rico said in BBC_C2 added www.netgate.com / docs.netgate.com:

        This is ridiculous...deleting BBC_C2_v4

        forget the pfSense feed (BBC_C2_v4) 😉

        From John Bambenek... (by email)

        DGA feeds are:

        Full list of DGA domains

        • https://faf.bambenekconsulting.com/feeds/dga-feed-high.gz (dga-feed.gz includes low and medium confidence data also)

        Resolution data for DGA domains that are resolving and not whitelisted (note dga subdirectory):

        • https://faf.bambenekconsulting.com/feeds/dga/c2-masterlist-high.txt

        (c2-masterlist.txt for low and medium confidence data also).

        • https://faf.bambenekconsulting.com/feeds/dga/c2-ipmasterlist-high.txt (for the IP list).

        If you are using pfSense or another script to download this, you need to include the username and
        password in the URL. The @ in the email for your username needs to be replaced by %40. For instance,
        if your email is myemail@gmail.com the URL you would use for the IP lists is:

        https://myemail%40gmail.com:YOURPASSWORD@faf.bambenekconsulting.com/feeds/dga/c2-ipmasterlist.txt

        the way is:
        https://docs.google.com/forms/d/1rcLFEfSmo09lPQM8YT4VU3ixTwZ-1lK_0G5R3wk5oJY/

        Cats bury it so they can't see it!
        (You know what I mean if you have a cat)

        • RicoR
          Rico LAYER 8 Rebel Alliance
          last edited by

          I'm talking about https://faf.bambenekconsulting.com/feeds/dga/c2-ipmasterlist-high.txt...
          208.123.73.73 is removed now though.

          -Rico

          • DaddyGoD
            DaddyGo @Rico
            last edited by

            @Rico said in BBC_C2 added www.netgate.com / docs.netgate.com:

            I'm talking about

            Sorry...
            Oh yeah, these are trusted lists ...

            Lists of firewall logs from individuals (anyone) are uploaded here:
            https://isc.sans.edu/
            (I think full of FP like a couple of weeks ago 8.8.8.8)

            Bambenek Consulting is slightly better, how do they add Netgate IP?
            who knows?

            • Raffi_R
              Raffi_ @DaddyGo
              last edited by

              @DaddyGo said in BBC_C2 added www.netgate.com / docs.netgate.com:

              Lists of firewall logs from individuals (anyone) are uploaded here:
              https://isc.sans.edu/
              (I think full of FP like a couple of weeks ago 8.8.8.8)

              haha and 1.1.1.1 was blocked about a week before that.

              • C
                chrcoluk
                last edited by chrcoluk

                This is that list that went private, I wonder if this is why the list now seems pulled, either my access got revoked or it's been pulled, I sent an email to the maintainer but the email got blocked by Microsoft's overzealous filter, so now that's waiting for Microsoft to delist my mail server IP.

                I can access the list via HTTP auth, so I think there is just an issue with the URL auth system, but it is a concern they managed to put such a big false positive on there though.

                pfSense CE 2.8.0

                • DaddyGoD
                  DaddyGo @Raffi_
                  last edited by

                  @Raffi_ said in BBC_C2 added www.netgate.com / docs.netgate.com:

                  haha and 1.1.1.1 was blocked about a week before that.

                  Yep,
                  there are a lot of crazy lists and I use CloudFlare so 1.1.1.1 and 1.0.0.1 are on constant whitelist, hahahaha 😉

                  btw:
                  and pfBlockerNG does its job and I don't like to wake up with no DNS

                  • DaddyGoD
                    DaddyGo @chrcoluk
                    last edited by

                    @chrcoluk said in BBC_C2 added www.netgate.com / docs.netgate.com:

                    This is that list that went private,

                    bambenekconsulting.com - yes

                    here you reach the maintainer, he answers in a few days
                    https://docs.google.com/forms/d/1rcLFEfSmo09lPQM8YT4VU3ixTwZ-1lK_0G5R3wk5oJY/

                    I wouldn't use this: https://isc.sans.edu/
                    perhaps after a thorough examination: BBC2_v4

                    • C
                      chrcoluk
                      last edited by

                      Right now I have the few pri1 I have enabled as permit/logged, I will be checking logs to see if any legit traffic from matched IPs.


                      1 Reply Last reply Reply Quote 0
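A pre-import check of the kind this thread argues for, as an added example that is not part of any post above and is not pfBlockerNG code: it parses feed rows in the `ip,description,timestamp,source` layout quoted in the first post and holds back any row that hits a local allowlist or a local-only range before it can become a block rule. The function name `vet_feed`, the `#` comment convention, the allowlist contents and every sample row except the 208.123.73.73 line are assumptions made for illustration.

```python
import ipaddress

# Assumed local allowlist: addresses the thread names as false positives
# or as kept on "constant whitelist". Replace with your own critical services.
ALLOWLIST = [ipaddress.ip_network(n) for n in (
    "208.123.73.73/32",          # address quoted in the first post
    "1.1.1.1/32", "1.0.0.1/32",  # Cloudflare resolvers
    "8.8.8.8/32",                # Google resolver
)]
# Ranges that should never appear in an internet-facing block feed.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample feed. Only the 208.123.73.73 row comes from the thread;
# the other rows use documentation ranges or are deliberately malformed.
SAMPLE_FEED = """\
# constructed header comment
208.123.73.73,IP used by qsnatch C&C,2020-10-05 18:13,http://osint.bambenekconsulting.com/manual/qsnatch.txt
192.0.2.10,constructed entry A,2020-10-05 18:13,http://feed.example/a.txt
10.0.0.5,constructed private address,2020-10-05 18:13,http://feed.example/b.txt
not-an-ip,constructed malformed row,2020-10-05 18:13,http://feed.example/c.txt
198.51.100.7,constructed entry B,2020-10-05 18:13,http://feed.example/d.txt
"""

def vet_feed(text, allowlist=ALLOWLIST):
    """Split feed rows into (block, held, malformed) before any rule is built."""
    block, held, malformed = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",", 3)  # ip, description, timestamp, source
        try:
            ip = ipaddress.ip_address(fields[0].strip())
        except ValueError:
            malformed.append((lineno, line))  # keep for review, never block
            continue
        reason = fields[1] if len(fields) > 1 else ""
        if any(ip in net for net in allowlist + LOCAL_NETS):
            held.append((str(ip), reason))    # needs a human decision
        else:
            block.append(str(ip))
    return block, held, malformed

if __name__ == "__main__":
    block, held, malformed = vet_feed(SAMPLE_FEED)
    print("block:", block)
    print("held for review:", held)
    print("malformed rows:", malformed)
```

Held and malformed rows are worth logging on every update, since a sudden jump in either is an early sign that a feed's quality has changed.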