On 10/14/2016 10:30 AM, Nicola Piazzi wrote:
ABUSE.CH maintains an updated list of ransomware URIs; here is the txt file link:
https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt
It is very simple to make a shell script that checks for file changes every hour,
downloads the file if there is a new one, and writes a .cf rule file using the data
contained in the file.
But how to write a rule?
We have more than 4000 URIs in the file; we can do a single rule like this,
separating the URIs with | :
uri URIRAMS
/http:\/\/1natureresort\.com\/afdIJGY8766gyu|http:\/\/1jamprofit\.com\/hjy93JNBasdas/
describe URIRAMS Match a Ransomware URI
score URIRAMS 5.00
or is it better to separate each URI:
uri __URIRAMS00001 /http:\/\/1natureresort\.com\/afdIJGY8766gyu/
uri __URIRAMS00002 /http:\/\/1jamprofit\.com\/hjy93JNBasdas/
meta URIRAMS (__URIRAMS00001 | __URIRAMS00002)
describe URIRAMS Match a Ransomware URI
score URIRAMS 5.00
Obviously this example is for 2 entries, and we have 4000 entries here
.....
Any suggestions?
Performance-wise the best is to use a domain list in a local instance of
rbldnsd. Sadly abuse.ch only publishes subdomain.example.net instead of
example.net, so you'd have to do some scripted editing to remove the
subdomain.
If you want to use static rules, base them on
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt,
use __URI_BLAH and meta them together.
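To show how the static-rule suggestion above can be scripted, here is an added Python generator (not code from either poster) that reads an RW_DOMBL.txt-style domain list and emits chunked __NAME_nnn uri subrules joined by one scoring meta; the file layout (one hostname per line, '#' comments) and the rule names are assumptions, and the sample list is constructed.

```python
"""Turn an abuse.ch-style domain list into SpamAssassin uri + meta rules.
Hypothetical generator, not from the thread; assumes one hostname per line
with '#' comment lines, as in RW_DOMBL.txt (constructed sample below)."""
import re

SAMPLE_DOMBL = """\
# Ransomware Tracker Domain Blocklist (constructed sample)
1natureresort.com
1jamprofit.com
evil.sub.example.net
1natureresort.com
"""

def parse_domains(text):
    """Unique hostnames in file order; comments and blank lines skipped."""
    seen, out = set(), []
    for line in text.splitlines():
        host = line.strip().lower()
        if host and not host.startswith("#") and host not in seen:
            seen.add(host)
            out.append(host)
    return out

def build_rules(domains, name="URIRAMS", chunk=100, score=5.0):
    """Return .cf text: __NAME_nnn uri subrules, each an alternation of up
    to `chunk` escaped hosts (4000 entries -> ~40 regexes, not 4000 rules),
    plus the scoring meta that ORs them. Hosts match as the URI host or a
    parent of a deeper subdomain: scheme://[user@][sub.]host[:port]/..."""
    if not re.fullmatch(r"[A-Z][A-Z0-9_]*", name):
        raise ValueError("rule name must be uppercase letters, digits or _")
    subs, lines = [], []
    for i in range(0, len(domains), chunk):
        sub = f"__{name}_{i // chunk + 1:03d}"
        alt = "|".join(re.escape(d) for d in domains[i:i + chunk])
        lines.append(f"uri {sub} m{{^[a-z]+://(?:[^/@]*@)?(?:[^/]*\\.)?"
                     f"(?:{alt})(?:[:/]|$)}}i")
        subs.append(sub)
    lines.append(f"meta {name} ({' || '.join(subs)})")
    lines.append(f"describe {name} URI host is on the ransomware domain list")
    lines.append(f"score {name} {score:.2f}")
    return "\n".join(lines) + "\n"

def rule_matches(rule_line, uri):
    """Offline sanity check: run one generated 'uri' line's pattern (Perl
    m{...}i syntax, also valid Python here) against a test URI."""
    pattern = rule_line.split(" m{", 1)[1].rsplit("}i", 1)[0]
    return re.search(pattern, uri, re.IGNORECASE) is not None

if __name__ == "__main__":
    print(build_rules(parse_domains(SAMPLE_DOMBL), chunk=2), end="")
```

Run it against the real file and write the output to a .cf under your site rules directory; the chunk size keeps each regex short enough to compile quickly while still needing only one meta.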