@linuxmalaysia
Last active August 30, 2018 00:25
Config for Listbot
Example taken from
https://github.com/dtag-dev-sec/listbot
1) Git clone it into /etc/logstash
git clone https://github.com/dtag-dev-sec/listbot.git
2) Make sure the following filter is in /etc/logstash/conf.d
filter {
  # start if
  if "syslog" in [tags] and "correlation" in [tags] {
    geoip {
      source => "src_ip"
      id => "geoip_syslog_correlation"
      add_tag => [ "geoip" ]
    }
    # geoip-end
    # https://github.com/dtag-dev-sec/listbot
    translate {
      refresh_interval => 86400
      field => "src_ip"
      destination => "ip_rep"
      dictionary_path => "/etc/logstash/listbot/iprep.yaml"
    }
    ## end if
  }
  ##
}
3) Check in Kibana that the Logstash events now carry the field ip_rep
4) List of source IP feeds (from the T-Pot script)
fuDOWNLOAD "https://reputation.alienvault.com/reputation.generic" "bad reputation" "alienvault"
fuDOWNLOAD "https://raw.githubusercontent.com/Neo23x0/signature-base/39787aaefa6b70b0be6e7dcdc425b65a716170ca/iocs/otx-c2-iocs.txt" "malware" "alienvault"
fuDOWNLOAD "https://www.badips.com/get/list/any/2?age=90d" "known attacker" "badips"
fuDOWNLOAD "http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt" "C2 server" "bambenek"
fuDOWNLOAD "https://lists.blocklist.de/lists/all.txt" "known attacker" "blocklist"
fuDOWNLOAD "https://iplists.firehol.org/files/bitcoin_nodes_30d.ipset" "bitcoin node" "firehol_bitcoin"
fuDOWNLOAD "https://iplists.firehol.org/files/botscout_30d.ipset" "form spammer" "firehol_botscout"
fuDOWNLOAD "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/cruzit_web_attacks.ipset" "known attacker" "firehol_cruzit"
fuDOWNLOAD "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/malwaredomainlist.ipset" "known attacker" "firehol_mwdomainlist"
fuDOWNLOAD "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxylists_30d.ipset" "anonymizer" "firehol_proxylists"
fuDOWNLOAD "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxyrss_30d.ipset" "anonymizer" "firehol_proxyrss"
fuDOWNLOAD "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxyspy_30d.ipset" "anonymizer" "firehol_proxyspy"
fuDOWNLOAD "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ri_web_proxies_30d.ipset" "anonymizer" "firehol_web_proxies"
fuDOWNLOAD "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/socks_proxy_30d.ipset" "anonymizer" "firehol_socks_proxy"
fuDOWNLOAD "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/sslproxies_30d.ipset" "anonymizer" "firehol_sslproxies"
fuDOWNLOAD "https://iplists.firehol.org/files/cleantalk_30d.ipset" "abuse" "firehol_cleantalk"
fuDOWNLOAD "https://iplists.firehol.org/files/dshield_30d.netset" "known attacker" "firehol_cleantalk"
fuDOWNLOAD "https://iplists.firehol.org/files/darklist_de.netset" "known attacker" "firehol_darklist"
fuDOWNLOAD "https://iplists.firehol.org/files/dm_tor.ipset" "tor exit node" "firehol_dm_tor"
fuDOWNLOAD "http://danger.rulez.sk/projects/bruteforceblocker/blist.php" "known attacker" "rulez"
fuDOWNLOAD "http://cinsscore.com/list/ci-badguys.txt" "known attacker" "cinsscore"
fuDOWNLOAD "https://feodotracker.abuse.ch/blocklist/?download=ipblocklist" "malware" "feodotracker"
fuDOWNLOAD "https://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt" "compromised" "et_compromised"
fuDOWNLOAD "http://blocklist.greensnow.co/greensnow.txt" "known attacker" "greensnow"
fuDOWNLOAD "http://www.nothink.org/blacklist/blacklist_malware_irc.txt" "malware" "nothink"
fuDOWNLOAD "http://spys.me/proxy.txt" "anonymizer" "spys"
fuDOWNLOAD "http://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt" "ransomware" "ransomwaretracker"
fuDOWNLOAD "https://report.cs.rutgers.edu/DROP/attackers" "known attacker" "rutgers"
fuDOWNLOAD "http://sblam.com/blacklist.txt" "form spammer" "sblam"
fuDOWNLOAD "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv" "C2 server" "sslbl"
fuDOWNLOAD "http://www.talosintelligence.com/feeds/ip-filter.blf" "bad reputation" "talos"
fuDOWNLOAD "https://check.torproject.org/exit-addresses" "tor exit node" "torexit"
fuDOWNLOAD "https://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv" "tor exit node" "torip"
fuDOWNLOAD "https://www.turris.cz/greylist-data/greylist-latest.csv" "bad reputation" "turris"
fuDOWNLOAD "https://zeustracker.abuse.ch/blocklist.php?download=badips" "malware" "zeustracker"
fuDOWNLOAD "https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner.txt" "mass scanner" "maltrail_mass_scanner"
fuDOWNLOAD "https://myip.ms/files/blacklist/general/full_blacklist_database.zip" "bot, crawler" "myip"
fuDOWNLOAD "http://www.dnsbl.manitu.net/download/nixspam-ip.dump.gz" "spam" "nix"
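The following is an added example, not code from this gist or from the listbot project. It shows what sits between the feed list above and the translate filter in step 2: the feed bodies (plain IP lists, firehol .netset files with CIDR entries, abuse.ch CSV, the torproject exit-address records) are reduced to a flat YAML mapping of "ip": "reputation,source", which is the shape the logstash translate filter reads, and the lookup function mimics what translate does at event time. The feed bodies are constructed samples, the "reputation,source" value layout and the /24 expansion limit are assumptions, and the regex is the example's own.

```python
# Added example (not part of the gist or of listbot): build a flat YAML
# dictionary for the logstash translate filter from feed bodies in the formats
# the fuDOWNLOAD list above pulls, then look an IP up the way translate does.
import ipaddress
import re

# Constructed sample feed bodies, one per format seen in the feed list.
# Key is the source name, value is (reputation label, feed body).
SAMPLE_FEEDS = {
    # plain IP-per-line list with comments (blocklist.de, cinsscore style)
    "blocklist": ("known attacker", "# generated\n198.51.100.7\n198.51.100.9\n"),
    # firehol .netset: CIDR blocks are allowed
    "firehol_dshield": ("known attacker", "#\n# dshield\n203.0.113.0/30\n"),
    # abuse.ch sslbl CSV: commented header, then Firstseen,DstIP,DstPort rows
    "sslbl": ("C2 server", "# Firstseen,DstIP,DstPort\n2018-08-01 10:00:00,192.0.2.44,443\n"),
    # torproject exit-addresses: multi-line records, IP on the ExitAddress line
    "torexit": ("tor exit node", "ExitNode ABC\nPublished 2018-08-01\nExitAddress 192.0.2.99 2018-08-01\n"),
}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?\b")
MAX_EXPAND_PREFIX = 24  # assumption: only expand blocks of /24 or smaller


def extract_ips(text):
    """Yield IPv4 addresses found in a feed body.

    translate does an exact string match on src_ip, so CIDR entries from the
    .netset feeds must be expanded to single hosts at build time; large blocks
    are skipped so a single feed cannot blow the dictionary up.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for ip, prefix in IP_RE.findall(line):
            try:
                if prefix:
                    net = ipaddress.ip_network(ip + prefix, strict=False)
                    if net.prefixlen >= MAX_EXPAND_PREFIX:
                        for host in net:
                            yield str(host)
                else:
                    yield str(ipaddress.ip_address(ip))
            except ValueError:
                continue  # malformed entry: skip it rather than poison the dictionary


def build_dictionary(feeds):
    """Map ip -> "reputation,source". The first feed listing an IP wins,
    so order the feeds by how much you trust them."""
    iprep = {}
    for source, (reputation, body) in feeds.items():
        for ip in extract_ips(body):
            iprep.setdefault(ip, f"{reputation},{source}")
    return iprep


def to_yaml(iprep):
    """Flat YAML mapping as the translate filter accepts it (assumed to match
    listbot's iprep.yaml layout; keys and values are double-quoted)."""
    return "".join(f'"{ip}": "{label}"\n' for ip, label in iprep.items())


def lookup(iprep, src_ip):
    """Mimic translate: exact match on src_ip, None when the event gets no ip_rep."""
    return iprep.get(src_ip)


if __name__ == "__main__":
    d = build_dictionary(SAMPLE_FEEDS)
    print(to_yaml(d), end="")
    print("lookup 203.0.113.2 ->", lookup(d, "203.0.113.2"))
    print("lookup 10.0.0.1 ->", lookup(d, "10.0.0.1"))
```

An IP that is absent from the dictionary gets no ip_rep field at all (translate only adds the destination on a hit), which is why step 3 is a useful check: if no event in Kibana ever shows ip_rep, the dictionary path or the tags condition is wrong, not the feeds.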