Known Bot Command and Control Rules
This ruleset takes a daily list (generously made available to the public!) of known CnC servers as researched by Shadowserver.org and Abuse.ch, and converts them into Snort/Suricata signatures and firewall rules.
Sources include:
Shadow Server
Feodo Tracker
Zeus Tracker
Ransomware Tracker
Note, all of these organizations are fully volunteer staffed and run.
These IPs are updated every 24 hours and should be considered VERY highly reliable indications that a host is communicating with a known and active Bot or Malware command and control server.
Rules are available here:
Botnet Command and Control Server Rules (BotCC):
Sid Range info:
2404000-2404099 Shadowserver.org CnC List — Updated Daily
2404100-2404800 Abuse.ch Zeus/Feodo/Palevo/Ransomware Tracker CnC List — Updated Daily
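The conversion described above, sketched as an added example (not the project's own generator): a constructed feed of IPs is validated, de-duplicated, grouped, and emitted as alert rules numbered from the Shadowserver SID range listed on this page. The rule message, the group size, and the filter that drops internal addresses are assumptions made for illustration.

```python
import ipaddress

# SID range is from the page; rule text, grouping and filtering are assumptions.
SHADOWSERVER_SIDS = range(2404000, 2404100)  # 2404000-2404099
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample feed (documentation addresses, plus entries to be rejected).
SAMPLE_FEED = """# constructed sample
192.0.2.10
198.51.100.7
192.0.2.10
10.0.0.5
not-an-ip
203.0.113.44
198.51.100.200
""".splitlines()

def parse_feed(lines):
    """Return sorted, de-duplicated IPv4 addresses that are safe to alert on."""
    ips = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()      # drop comments and blanks
        try:
            addr = ipaddress.IPv4Address(entry)
        except ValueError:
            continue                               # malformed or empty entry
        # A bad feed entry inside internal space would alert on normal traffic.
        if any(addr in net for net in INTERNAL):
            continue
        ips.add(addr)
    return sorted(ips)

def build_rules(lines, sids=SHADOWSERVER_SIDS, group_size=3, label="Shadowserver"):
    """Emit one alert rule per group of IPs, one SID per rule, within `sids`."""
    ips = parse_feed(lines)
    groups = [ips[i:i + group_size] for i in range(0, len(ips), group_size)]
    if len(groups) > len(sids):
        raise ValueError("feed needs more SIDs than the allocated range holds")
    return [
        f'alert ip $HOME_NET any -> [{",".join(map(str, g))}] any '
        f'(msg:"Known CnC server IP ({label} list)"; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
        for sid, g in zip(sids, groups)
    ]

if __name__ == "__main__":
    print("\n".join(build_rules(SAMPLE_FEED)))
```

Failing when the feed outgrows the SID range, rather than spilling into the next range, keeps each SID attributable to a single source list.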
Firewall Rules
http://rules.emergingthreats.net/fwrules