Known Bot Command and Control Rules

This ruleset takes a daily list (generously made available to the public!) of known CnC servers, as researched by the sources listed below, and converts them into Snort/Suricata signatures and firewall rules.

Sources include:

Shadow Server

Feodo Tracker

Zeus Tracker

Ransomware Tracker

Note: all of these organizations are fully volunteer-staffed and run.

These IPs are updated every 24 hours and should be considered VERY highly reliable indications that a host is communicating with a known and active bot or malware command and control server.

Rules are available here:

Botnet Command and Control Server Rules (BotCC):

Sid Range info:

2404000-2404099 CnC List — Updated Daily

2404100-2404800 Zeus/Feodo/Palevo/Ransomware Tracker CnC List — Updated Daily
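
The conversion described above, sketched as an added example (not Emerging Threats' own generator or rule text): a feed of IPs is validated, de-duplicated and packed into Suricata `alert ip` rules numbered from the 2404000-2404099 range. The rule message, group size, internal-address filter and sample feed are assumptions made for illustration.

```python
import ipaddress

SID_FIRST, SID_LAST = 2404000, 2404099   # "CnC List" SID range given on this page
GROUP_SIZE = 3                           # assumption: IPs per rule (small for the demo)
# Assumption: drop feed entries in internal space so a bad entry cannot alert on LAN traffic.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample feed (RFC 5737 documentation addresses), not real indicators.
SAMPLE_FEED = """\
# daily CnC list (constructed)
192.0.2.10
198.51.100.7
203.0.113.25
192.0.2.10
not-an-ip
10.1.2.3
198.51.100.200
"""

def parse_feed(text):
    """Return sorted, de-duplicated IPv4 addresses; skip comments, junk and internal ranges."""
    seen = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            ip = ipaddress.IPv4Address(entry)
        except ValueError:
            continue                      # malformed entry: never emit it into a rule
        if not any(ip in net for net in INTERNAL):
            seen.add(ip)
    return sorted(seen)

def build_rules(ips, group_size=GROUP_SIZE):
    """Pack IPs into one rule per group, one SID per rule, staying inside the SID range."""
    groups = [ips[i:i + group_size] for i in range(0, len(ips), group_size)]
    if len(groups) > SID_LAST - SID_FIRST + 1:
        raise ValueError("feed needs more rules than the SID range allows")
    return [
        f'alert ip $HOME_NET any -> [{",".join(map(str, g))}] any '
        f'(msg:"Known CnC server IP group {n + 1}"; '
        f'classtype:trojan-activity; sid:{SID_FIRST + n}; rev:1;)'
        for n, g in enumerate(groups)
    ]

if __name__ == "__main__":
    print("\n".join(build_rules(parse_feed(SAMPLE_FEED))))
```

Because the SID block is fixed at 100 values, a growing feed has to be absorbed by raising the group size rather than by allocating SIDs outside the range.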

Firewall Rules

Topic revision: r7 - 2017-04-26 - FrancisTrudeau