firehol / blocklist-ipsets

ipsets dynamically updated with firehol's update-ipsets.sh script
https://iplists.firehol.org

Reliability of bambenek_c2 - Consider removing it from firehol_level1 ? #95

Open FabioPedretti opened 5 years ago

FabioPedretti commented 5 years ago

bambenek_c2 is available at: https://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt

I encountered two false positives on that list, one related to simda and one to banjori, pizd and suppobox.

  1. legit site http://www.epiprev.it/ -> 195.110.124.188 used by simda
  2. another legit site on 184.168.131.241, used by banjori, pizd and suppobox

simda analysis

There are currently 138 entries, out of a total of 550, related to simda in that list, here is my false positive:

195.110.124.188,IP used by simda C&C,2019-03-08 10:06,http://osint.bambenekconsulting.com/manual/simda.txt

As you can see the simda link ( http://osint.bambenekconsulting.com/manual/simda.txt ) is broken.

Doing some research it appears that simda was defeated in 2015, for example:

pizd analysis

There are currently 25 entries, out of a total of 550, related to pizd in that list, here is my false positive:

184.168.131.241,IP used by pizd C&C,2019-03-08 10:11,http://osint.bambenekconsulting.com/manual/pizd.txt

As you can see the pizd link ( http://osint.bambenekconsulting.com/manual/pizd.txt ) is broken.

banjori analysis

There are currently 108 entries, out of a total of 550, related to pizd in that list.

suppobox analysis

There are currently 55 entries, out of a total of 550, related to pizd in that list.

Conclusion

Consider removing bambenek_c2 from firehol_level1. An alternative is to use the HIGH-CONFIDENCE FAMILIES ONLY version (I checked and my false positive IPs are not included there), available here: https://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt (feed index: https://osint.bambenekconsulting.com/feeds/ )

Thanks!
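A small Python helper, added here as an example and not part of the issue or the firehol repository, that parses the four-column feed layout quoted above (IP, "IP used by <family> C&C", timestamp, manual URL), produces the per-family breakdown the analysis sections tally by hand, and reports which families a single address is listed under before it is allow-listed. The sample rows are constructed from the two addresses in the issue plus one made-up entry; the function names are assumptions.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the c2-ipmasterlist.txt layout quoted in the issue
# (comment lines begin with '#'; 203.0.113.7 is a documentation address).
SAMPLE_FEED = """\
# constructed sample, not the live feed
195.110.124.188,IP used by simda C&C,2019-03-08 10:06,http://osint.bambenekconsulting.com/manual/simda.txt
184.168.131.241,IP used by pizd C&C,2019-03-08 10:11,http://osint.bambenekconsulting.com/manual/pizd.txt
184.168.131.241,IP used by banjori C&C,2019-03-08 10:11,http://osint.bambenekconsulting.com/manual/banjori.txt
184.168.131.241,IP used by suppobox C&C,2019-03-08 10:11,http://osint.bambenekconsulting.com/manual/suppobox.txt
203.0.113.7,IP used by simda C&C,2019-03-08 10:12,http://osint.bambenekconsulting.com/manual/simda.txt
"""

# The family name sits between "IP used by " and " C&C" in the description column.
FAMILY_RE = re.compile(r"IP used by (\S+) C&C")


def parse_feed(text):
    """Return a list of (ip, family, timestamp, url) tuples, skipping comments and blank lines."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if not fields or fields[0].startswith("#"):
            continue
        ip, desc, ts, url = (f.strip() for f in fields[:4])
        match = FAMILY_RE.search(desc)
        rows.append((ip, match.group(1) if match else "unknown", ts, url))
    return rows


def family_counts(rows):
    """Entries per family, i.e. the '138 of 550 related to simda' style breakdown."""
    return Counter(family for _, family, _, _ in rows)


def families_for_ip(rows, ip):
    """Families under which a given address is listed; check this before allow-listing a host."""
    return sorted({family for row_ip, family, _, _ in rows if row_ip == ip})


def drop_families(rows, excluded):
    """Filter the parsed feed locally, e.g. to leave out a family believed to be defunct."""
    return [row for row in rows if row[1] not in excluded]


if __name__ == "__main__":
    parsed = parse_feed(SAMPLE_FEED)
    for family, count in family_counts(parsed).most_common():
        print(f"{family}: {count} of {len(parsed)}")
    print("184.168.131.241 listed under:", families_for_ip(parsed, "184.168.131.241"))
```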

scurvy commented 4 years ago

+1 this list is useless and only a source of false positives