New rules category for SSL Black List

Just added this to my fw_upgrade sh batch file in the update rules section:

        curl -k -1 -m 40 -o /tmp/ramdisk/abuse-sslbl.rules https://sslbl.abuse.ch/blacklist/sslipblacklist.rules


Info from their website (https://sslbl.abuse.ch ):

SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of "bad" SSL certificates identified by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists that can found in the SSL Blacklist section.

After adding, I ran fw_upgrade and everything worked as expected and finished without error messages.

Nice find, added and now problems found.

Roadrunnere42

Just added to my ruleset, thank you!

Just noticed at https://sslbl.abuse.ch/blacklist/  that it mentions that the Dyre C&C botnet is a separate list so add this one too:

curl -k -1 -m 40 -o /tmp/ramdisk/abuse-dyre.rules https://sslbl.abuse.ch/blacklist/dyre_sslipblacklist.rules


Note that depending on which version udpate script you are on change tmp to mnt

user8446 wrote

Just noticed at https://sslbl.abuse.ch/blacklist/  that it mentions that the Dyre C&C botnet is a separate list so add this one too:

curl -k -1 -m 40 -o /tmp/ramdisk/abuse-dyre.rules https://sslbl.abuse.ch/blacklist/dyre_sslipblacklist.rules


Note that depending on which version udpate script you are on change tmp to mnt

Thank you! Updated!

Guys,

Any chance you could give a brief how-to to apply these updates? Just a little bit more detail would be great.

Thanks in advance

How to change which snort rules to use.

In the folder sbin you will see the fw_upgrade script which every night goes and download and upgrade with the latest snort rules and web filter rules.

Using either winscp  or the command prompt in linux which every you prefer to open and edit files.

Open the file fw_upgrade (sbin/fw_upgrade) and scroll down till you see  the following, as you can see if the line begins with # this means that its a commented out and the line is ignored when run. Each line that begins with curl is a snort rules set, the first 16 lines are what was the original sets that itus had set up, below these line are a  few comments explaining what the new rule suggested by wisiwyg does and then the new rule
set curl -k -1 -m 40 -o /tmp/ramdisk/abuse-sslbl.rules https://sslbl.abuse.ch/blacklist/sslipblacklist.rules

just copy and paste in file as I have below, save file, then rule fw_upgrade either in command line sh /sbin/fw_upgrade or via gui (status -->
itus setting --> upgrade shield)

if you what to disable a rule set just put a # at the begin of the line.
The rule set  # curl -k -1 -m 40 -o /tmp/ramdisk/emerging-trojan.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-trojan.rules ,if you decide to uncomment it so that it becomes active then you have to modified the snort conf files  because of the number of rules contained in that set will crash snort

echo "Starting SNORT rule download..."
        curl -k -1 -m 40 -o /tmp/ramdisk/botcc.portgrouped.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-botcc.portgrouped.rules
        curl -k -1 -m 40 -o /tmp/ramdisk/botcc.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-botcc.rules
        curl -k -1 -m 40 -o /tmp/ramdisk/ciarmy.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-ciarmy.rules
        curl -k -1 -m 40 -o /tmp/ramdisk/compromised.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-compromised.rules
        curl -k -1 -m 40 -o /tmp/ramdisk/dshield.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-dshield.rules
        curl -k -1 -m 40 -o /tmp/ramdisk/emerging-exploit.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-exploit.rules
        curl -k -1 -m 40 -o /tmp/ramdisk/emerging-malware.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-malware.rules
        curl -k -1 -m 40 -o /tmp/ramdisk/emerging-mobile_malware.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-mobile_malware.rules
        curl -k -1 -m 40 -o /tmp/ramdisk/emerging-user_agents.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-user_agents.rules
        curl -k -1 -m 40 -o /tmp/ramdisk/emerging-web_client.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-web_client.rules
        curl -k -1 -m 40 -o /tmp/ramdisk/emerging-worm.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-worm.rules
        curl -k -1 -m 40 -o /tmp/ramdisk/emerging-current_events.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-current_events.rules
# curl -k -1 -m 40 -o /tmp/ramdisk/emerging-trojan.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-trojan.rules
#      curl -k -1 -m 40 -o /tmp/ramdisk/drop.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-drop.rules
# curl -k -1 -m 40 -o /tmp/ramdisk/emerging-web_specific_apps.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-web_specific_apps.rules
# curl -k -1 -m 40 -o /tmp/ramdisk/emerging-scan.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-scan.rules

# new rule site as suggested SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of "bad" SSL certificates identified
# by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates
# and offers various blacklists that can found in the SSL Blacklist section.
      curl -k -1 -m 40 -o /tmp/ramdisk/abuse-sslbl.rules https://sslbl.abuse.ch/blacklist/sslipblacklist.rules

 
echo " "
echo "Working on snort rules, please wait... may take up to a minute"



Hope this helps

Roadrunnere42

Roadrunnere42 - thanks so much, this really helps.

edit: Successfully Added the two entries above, thanks for the explanation.