Open FabioPedretti opened 5 years ago
bambenek_c2 is available at: https://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
I encountered two false positives on that list, one related to simda and one to banjori, pizd and suppobox.
simda analysis
There are currently 138 entries, out of a total of 550, related to simda in that list, here is my false positive:
195.110.124.188,IP used by simda C&C,2019-03-08 10:06,http://osint.bambenekconsulting.com/manual/simda.txt
As you can see the simda link ( http://osint.bambenekconsulting.com/manual/simda.txt ) is broken.
Doing some research it appears that simda was defeated in 2015, for example:
pizd analysis
There are currently 25 entries, out of a total of 550, related to pizd in that list, here is my false positive:
184.168.131.241,IP used by pizd C&C,2019-03-08 10:11,http://osint.bambenekconsulting.com/manual/pizd.txt
As you can see the pizd link ( http://osint.bambenekconsulting.com/manual/pizd.txt ) is broken.
banjori analysis
There are currently 108 entries, out of a total of 550, related to pizd in that list.
suppobox analysis
There are currently 55 entries, out of a total of 550, related to pizd in that list.
Conclusion
Consider removing bambenek_c2 from firehole_level1. An alternative is to use the HIGH-CONFIDENCE FAMILIES ONLY version (I checked and my false positive IPs are not included there), available here: https://osint.bambenekconsulting.com/feeds/ https://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt
Thanks!
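The per-family counts and the high-confidence cross-check described in the issue can be reproduced mechanically. The following is an added example, not code from the issue author or the firehol project: it parses the `ip,description,timestamp,url` layout shown in the quoted feed lines, tallies entries per malware family, and lists which IPs from the full list are absent from the HIGH-CONFIDENCE variant. The assumptions are that the description always has the form `IP used by <family> C&C` and that lines starting with `#` are comments; the sample feeds are constructed for this example (only the two simda/pizd lines come from the issue, the other IPs are documentation-range placeholders).

```python
"""
Added example (not from the issue author or the firehol project): a small
parser for the bambenek_c2 feed layout quoted in the issue, used to tally
entries per malware family and to check which IPs the HIGH-CONFIDENCE
FAMILIES ONLY variant does not carry over.

Assumptions (not stated on the page): each data line is
    ip,description,timestamp,url
where description looks like "IP used by <family> C&C", and lines that
start with '#' are comments.
"""
import csv
import io
import re
from collections import Counter

FAMILY_RE = re.compile(r"IP used by (\S+) C&C")

# Constructed sample feed: the two lines quoted in the issue plus three
# invented lines using placeholder IPs from the TEST-NET documentation ranges.
SAMPLE_FEED = """\
# constructed sample in the c2-ipmasterlist.txt layout
195.110.124.188,IP used by simda C&C,2019-03-08 10:06,http://osint.bambenekconsulting.com/manual/simda.txt
184.168.131.241,IP used by pizd C&C,2019-03-08 10:11,http://osint.bambenekconsulting.com/manual/pizd.txt
192.0.2.10,IP used by simda C&C,2019-03-08 10:06,http://osint.bambenekconsulting.com/manual/simda.txt
198.51.100.7,IP used by banjori C&C,2019-03-08 10:12,http://osint.bambenekconsulting.com/manual/banjori.txt
203.0.113.5,IP used by suppobox C&C,2019-03-08 10:13,http://osint.bambenekconsulting.com/manual/suppobox.txt
"""

# Constructed stand-in for the high-confidence feed: here only the
# banjori entry is carried over from the full list.
SAMPLE_HIGH_CONFIDENCE = """\
198.51.100.7,IP used by banjori C&C,2019-03-08 10:12,http://osint.bambenekconsulting.com/manual/banjori.txt
"""


def parse_feed(text):
    """Return one dict per data line (ip, family, description, seen, url);
    comment lines, blank lines and malformed rows are skipped."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        if len(row) != 4:
            continue  # malformed line: ignore rather than guess at fields
        ip, description, seen, url = row
        m = FAMILY_RE.search(description)
        family = m.group(1) if m else "unknown"
        records.append({"ip": ip, "family": family, "description": description,
                        "seen": seen, "url": url})
    return records


def count_by_family(records):
    """Entries per family, the figure the issue quotes for simda, pizd, banjori, suppobox."""
    return Counter(r["family"] for r in records)


def family_share(records, family):
    """Fraction of the feed attributed to one family (the issue's 138/550 for simda)."""
    counts = count_by_family(records)
    total = sum(counts.values())
    return counts[family] / total if total else 0.0


def not_in_high_confidence(records, high_confidence_text):
    """IPs from the full list that the high-confidence list does not include,
    i.e. the candidates a reviewer would want to look at for false positives."""
    trusted = {r["ip"] for r in parse_feed(high_confidence_text)}
    return sorted(r["ip"] for r in records if r["ip"] not in trusted)


if __name__ == "__main__":
    recs = parse_feed(SAMPLE_FEED)
    for fam, n in count_by_family(recs).most_common():
        print(f"{fam}: {n} of {len(recs)} entries")
    print("not vouched for by high-confidence list:",
          not_in_high_confidence(recs, SAMPLE_HIGH_CONFIDENCE))
```

Pointing `parse_feed` at the downloaded full list and the `-high` list instead of the constructed samples gives the same per-family breakdown the issue reports and the set of IPs that only the low-confidence families contribute.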
+1 this list is useless and only a source of false positives