OPNsense Forum
English Forums => Intrusion Detection and Prevention => Topic started by: nzkiwi68 on June 21, 2020, 01:48:42 am
-
I've been a long time fan of Spamhaus and they offer a high quality Botnet block list in Snort format.
I've converted to OPNsense and I am loving it, very cool.
*** How can I add the Spamhaus Snort BCL list to OPNsense?
I can't see any way to add my own custom rule set to be downloaded.
References;
https://www.spamhaus.org/bcl/
https://www.spamhaustech.com/
First 2 lines snip from the download URL;
################################################################
# Spamhaus Botnet Controller List (BCL) (2006202330) #
# Last updated: 2020-06-20T23:30:02Z #
# #
# For questions please refer to https://www.spamhaus.org/bcl/ #
################################################################
alert tcp $HOME_NET any -> 1.234.108.31 any (msg:"Spamhaus Botnet C&C List: njrat botnet controller [SBL487201]"; flow:established,to_server; threshold: type limit, track by_dst, seconds 60, count 1; reference:url,www.spamhaus.org/sbl/query/SBL487201; classtype:trojan-activity; sid:900487201; rev:1;)
alert tcp $HOME_NET any -> 2.56.8.117 any (msg:"Spamhaus Botnet C&C List: AZORult botnet controller [SBL480199]"; flow:established,to_server; threshold: type limit, track by_dst, seconds 60, count 1; reference:url,www.spamhaus.org/sbl/query/SBL480199; classtype:trojan-activity; sid:900480199; rev:1;)
Example of the download URL;
(with the actual account name and API key changed for privacy)
https://pub-api.spamhaus.org/api/snort/?account=xxxxxxxxxx&key=yyyyyyyyyyyy
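A sanity check for the downloaded rule file, as an added example that is not part of the original post and is not Spamhaus or OPNsense code: it accepts only lines in the shape of the two rules quoted above before they are handed to the IDS. The name `check_feed` and the policy (alert action only, public destination address, unique sid) are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: a banner line, the two rules quoted in the post,
# then two made-up lines that the check should refuse.
SAMPLE = r'''# Spamhaus Botnet Controller List (BCL) (2006202330)
alert tcp $HOME_NET any -> 1.234.108.31 any (msg:"Spamhaus Botnet C&C List: njrat botnet controller [SBL487201]"; flow:established,to_server; threshold: type limit, track by_dst, seconds 60, count 1; reference:url,www.spamhaus.org/sbl/query/SBL487201; classtype:trojan-activity; sid:900487201; rev:1;)
alert tcp $HOME_NET any -> 2.56.8.117 any (msg:"Spamhaus Botnet C&C List: AZORult botnet controller [SBL480199]"; flow:established,to_server; threshold: type limit, track by_dst, seconds 60, count 1; reference:url,www.spamhaus.org/sbl/query/SBL480199; classtype:trojan-activity; sid:900480199; rev:1;)
pass tcp $HOME_NET any -> 192.0.2.10 any (msg:"constructed: wrong action"; sid:900000001; rev:1;)
alert tcp $HOME_NET any -> 10.0.0.5 any (msg:"constructed: private destination"; sid:900000002; rev:1;)
'''

# Rule shape taken from the two quoted lines; anything else is rejected.
RULE = re.compile(r'^(\w+) tcp \$HOME_NET any -> (\S+) any \((.*)\)$')
SID = re.compile(r'\bsid:(\d+);')
SBL = re.compile(r'\[(SBL\d+)\]')

def check_feed(text):
    """Hypothetical helper: return (accepted, rejected) for a BCL download."""
    accepted, rejected, seen = [], [], set()
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # blank line or banner comment
        m, sid, reason = RULE.match(line), SID.search(line), None
        if not m or not sid:
            reason = 'not in the expected rule shape'
        elif m.group(1) != 'alert':
            reason = 'action is %r, expected alert' % m.group(1)
        else:
            try:
                dst = ipaddress.ip_address(m.group(2))
            except ValueError:
                dst = None
            if dst is None or not dst.is_global:
                reason = 'destination is not a public IP address'
            elif int(sid.group(1)) in seen:
                reason = 'duplicate sid'
        if reason:
            rejected.append((n, reason))
            continue
        seen.add(int(sid.group(1)))
        sbl = SBL.search(line)
        accepted.append({'dst': str(dst), 'sid': int(sid.group(1)),
                         'sbl': sbl.group(1) if sbl else None})
    return accepted, rejected

if __name__ == '__main__':
    ok, bad = check_feed(SAMPLE)
    print(len(ok), 'rules accepted;', 'rejected:', bad)
```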
-
I followed this post;
https://forum.opnsense.org/index.php?topic=7209.0
But, it didn't work and doesn't add the custom rules.
-
I just want to follow this in case someone gets it working.
-
I just want to follow this in case someone gets it working.
+1
-
Any update about it? :o