BBC_C2 added www.netgate.com / docs.netgate.com
-
208.123.73.73,IP used by qsnatch C&C,2020-10-05 18:13,http://osint.bambenekconsulting.com/manual/qsnatch.txt
This is ridiculous... deleting BBC_C2_v4 and ISC_1000_30_v4 now, feels like they are just adding random IPs. -Rico
-
@Rico said in BBC_C2 added www.netgate.com / docs.netgate.com:
This is ridiculous...deleting BBC_C2_v4
forget the pfSense feed (BBC_C2_v4)
From John Bambenek... (by email)
DGA feeds are:
Full list of DGA domains
- https://faf.bambenekconsulting.com/feeds/dga-feed-high.gz (dga-feed.gz includes low and medium confidence data also)
Resolution data for DGA domains that are resolving and not whitelisted (note dga subdirectory):
- https://faf.bambenekconsulting.com/feeds/dga/c2-masterlist-high.txt
(c2-masterlist.txt for low and medium confidence data also).
- https://faf.bambenekconsulting.com/feeds/dga/c2-ipmasterlist-high.txt (for the IP list).
If you are using pfSense or another script to download this, you need to include the username and
password in the URL. The @ in the email for your username needs to be replaced by %40. For instance,
if your email is myemail@gmail.com the URL you would use for the IP lists is: https://myemail%40gmail.com:YOURPASSWORD@faf.bambenekconsulting.com/feeds/dga/c2-ipmasterlist.txt
the way is:
https://docs.google.com/forms/d/1rcLFEfSmo09lPQM8YT4VU3ixTwZ-1lK_0G5R3wk5oJY/ -
I'm talking about
https://faf.bambenekconsulting.com/feeds/dga/c2-ipmasterlist-high.txt
...
208.123.73.73 is removed now though.-Rico
-
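As an added example (not code from the thread, from pfBlockerNG, or from Bambenek Consulting), the script below does two things the posts above touch on: it builds the credentialed feed URL the quoted email describes, percent-encoding the username so `@` becomes `%40` (and escaping any `:` or `/` in the password, which the email does not mention but the same rule covers), and it reviews a feed in the `ip,description,date,source` format shown in Rico's first post against an allowlist before any entry reaches a block table. The allowlist contents, the `203.0.113.0/24` "own infrastructure" range, the `example.invalid` source URLs and the sample feed lines other than the 208.123.73.73 entry are constructed for the example; nothing is downloaded.

```python
"""Added example (not from the forum thread or from Bambenek Consulting):
builds the credentialed feed URL the way the quoted email describes, and
reviews a feed's entries against an allowlist before they reach a blocklist.
"""
import ipaddress
from urllib.parse import quote, urlsplit

FEED_HOST = "faf.bambenekconsulting.com"


def build_feed_url(email: str, password: str,
                   path: str = "/feeds/dga/c2-ipmasterlist.txt") -> str:
    """Embed username/password in the URL. quote(..., safe='') turns '@'
    into '%40' (and also escapes ':' or '/' in a password), which is what
    the server needs to split the userinfo part of the URL correctly."""
    user = quote(email, safe="")
    pw = quote(password, safe="")
    return f"https://{user}:{pw}@{FEED_HOST}{path}"


def redact(url: str) -> str:
    """Log-safe form of a credentialed URL: host and path only."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}{p.path}"


# Allowlist of addresses that must never land in a block table: the public
# resolvers mentioned in the thread plus a constructed placeholder range
# standing in for "my own infrastructure".
ALLOW_NETS = [ipaddress.ip_network(n) for n in (
    "1.1.1.1/32", "1.0.0.1/32", "8.8.8.8/32", "8.8.4.4/32",
    "203.0.113.0/24",   # constructed placeholder, replace with your own ranges
)]


def parse_feed_line(line: str):
    """Feed lines look like: ip,description,date,source (comma-separated);
    '#' lines are comments. Returns (ip, description) or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(",", 3)
    try:
        ip = ipaddress.ip_address(parts[0].strip())
    except ValueError:
        return None          # malformed entry: skip rather than block nothing/everything
    desc = parts[1].strip() if len(parts) > 1 else ""
    return ip, desc


def review_feed(lines, allow_nets=ALLOW_NETS):
    """Split feed entries into those safe to block and those that collide
    with the allowlist (candidate false positives to inspect by hand)."""
    accepted, flagged = [], []
    for line in lines:
        parsed = parse_feed_line(line)
        if parsed is None:
            continue
        ip, desc = parsed
        if any(ip in net for net in allow_nets):
            flagged.append((str(ip), desc))
        else:
            accepted.append((str(ip), desc))
    return accepted, flagged


# Constructed sample feed in the format the thread shows. The first entry is
# the one quoted in the thread; the rest are made up for this example.
SAMPLE_FEED = """# constructed sample, not a real download
208.123.73.73,IP used by qsnatch C&C,2020-10-05 18:13,http://osint.bambenekconsulting.com/manual/qsnatch.txt
1.1.1.1,IP used by example-dga C&C,2020-10-05 18:13,http://example.invalid/feed.txt
203.0.113.10,IP used by example-dga C&C,2020-10-05 18:13,http://example.invalid/feed.txt
not-an-ip,garbage line,,
"""

if __name__ == "__main__":
    url = build_feed_url("myemail@gmail.com", "YOURPASSWORD")
    print("fetching", redact(url))          # never print the credentialed URL itself
    ok, fp = review_feed(SAMPLE_FEED.splitlines())
    print(f"{len(ok)} entries accepted, {len(fp)} flagged for review")
    for ip, desc in fp:
        print("  FLAGGED", ip, desc)
```

In practice the feed text would come from a real download of the URL; the review step is the "thorough examination" step, run before the list is handed to the firewall, so a resolver or your own address being added upstream shows up as a flagged line instead of as a morning without DNS.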
@Rico said in BBC_C2 added www.netgate.com / docs.netgate.com:
I'm talking about
Sorry...
Oh yeah, these are trusted lists ...Lists of firewall logs from individuals (anyone) are uploaded here:
https://isc.sans.edu/
(I think full of FP like a couple of weeks ago 8.8.8.8)
Bambenek Consulting is slightly better, how do they add Netgate IP?
who knows? -
@DaddyGo said in BBC_C2 added www.netgate.com / docs.netgate.com:
Lists of firewall logs from individuals (anyone) are uploaded here:
https://isc.sans.edu/
(I think full of FP like a couple of weeks ago 8.8.8.8)
haha and 1.1.1.1 was blocked about a week before that.
-
This is that list that went private, I wonder if this is why the list now seems pulled, either my access got revoked or it's been pulled, I sent an email to the maintainer but the email got blocked by Microsoft's overzealous filter, so now that's waiting for Microsoft to delist my mail server IP.
I can access the list via http auth, so I think there is just an issue with the URL auth system, but it is a concern they managed to put such a big false positive on there though.
-
@Raffi_ said in BBC_C2 added www.netgate.com / docs.netgate.com:
haha and 1.1.1.1 was blocked about a week before that.
Yep,
there are a lot of crazy lists and I use Cloudflare so 1.1.1.1 and 1.0.0.1 are on a constant whitelist, hahahaha
btw:
and pfBlockerNG does its job and I don't like to wake up with no DNS -
@chrcoluk said in BBC_C2 added www.netgate.com / docs.netgate.com:
This is that list that went private,
bambenekconsulting.com - yes
here you reach the maintainer, he answers in a few days
https://docs.google.com/forms/d/1rcLFEfSmo09lPQM8YT4VU3ixTwZ-1lK_0G5R3wk5oJY/
I wouldn't use this: https://isc.sans.edu/
perhaps after a thorough examination: BBC2_v4 -
Right now I have the few pri1 I have enabled as permit/logged, I will be checking logs to see if any legit traffic from matched IPs.