SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of "bad" SSL certificates identified by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and IPs associated with these.
The SSL IP Blacklist (CSV) contains all hosts (IP addresses) that SSLBL has seen in the past 30 days being associated with a malicious SSL certificate. The CSV contains IP address and port number of malicious SSL hosts.
For more information on this feed go to: https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
The SSLBL feeds API is found on github at
https://github.com/dnif/enrich-sslbl
- ACCESS DNIF CONTAINER VIA SSH : Click To Know How
$cd /dnif/CnxxxxxxxxxxxxV8/enrichment_plugins/
git clone https://github.com/dnif/enrich-sslbl.git sslbl
| Fields | Description |
|---|---|
| EvtType | An IP |
| EvtName | The IOC |
| IntelRef | Feed Name |
| IntelRefURL | Feed URL |
| ThreatType | DNIF Feed Identification Name |
An example of API feed output
{'EvtType': 'IPv4',
'EvtName': '89.35.228.199',
'AddFields': {
'IntelRef': ['SSLBL'],
'IntelRefURL': ['https://sslbl.abuse.ch/blacklist/sslipblacklist.csv'],
'ThreatType': ['Adwind C&C'] }}