[ti_abusech] Add SSL blacklist dataset support #14495

@cpascale43

Description

This enhancement describes adding SSLBL dataset support to the AbuseCH integration. We aim to support the creation of threat intel rules over network traffic events based on identifiers like JA3 fingerprints from malware SSL/TLS clients and SHA1 fingerprints of malicious SSL certificates.

The SSLBL project contains three different feeds which we should support:

  • Malicious SSL Certificates (SHA1 fingerprints)
  • Malware SSL/TLS client fingerprints (JA3 fingerprints)
  • Botnet C2 IP address:port combination associated with malicious SSL certificates

The enhancement should follow the existing AbuseCH pattern using SSLBL API endpoints, as well as include IOC expiration handling and transforms to maintain active indicators, as described here: Expiration of Indicators of Compromise (IOCs).

Note: SSLBL data is updated every 5 minutes, so the integration polling interval should be configured accordingly to avoid unnecessary API calls.

Examples of the SSLBL data formats can be found here: Blacklist.
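As an added illustration of the kind of rule the description aims to enable (this is example code, not code from the integration or from this issue), the following Python matches ECS-style network events (`tls.server.hash.sha1`, `tls.client.ja3`, `destination.ip`/`destination.port`) against indicators shaped after the three SSLBL feeds and drops indicators past an expiry window; the indicator values, the 30-day TTL and the indicator field names are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample indicators modelled on the three SSLBL feeds named in the
# issue. Field names ("kind", "value", "last_seen", "reason") are this example's
# own, not the integration's schema; the hashes and IP are made up.
INDICATORS = [
    {"kind": "cert_sha1", "value": "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678",
     "last_seen": "2024-05-01T12:00:00Z", "reason": "constructed: malicious cert"},
    {"kind": "ja3", "value": "0123456789abcdef0123456789abcdef",
     "last_seen": "2024-05-01T12:00:00Z", "reason": "constructed: malware TLS client"},
    {"kind": "c2_endpoint", "value": "198.51.100.23:443",
     "last_seen": "2024-03-01T00:00:00Z", "reason": "constructed: botnet C2"},
]

TTL = timedelta(days=30)  # assumed expiry window; not mandated by SSLBL

def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def active_indicators(indicators, now, ttl=TTL):
    """IOC expiration: keep only indicators last seen within the TTL."""
    return [i for i in indicators if now - parse_ts(i["last_seen"]) <= ttl]

def event_observables(event):
    """Extract the three SSLBL-relevant observables from an ECS-style event."""
    tls, dst = event.get("tls", {}), event.get("destination", {})
    obs = []
    sha1 = tls.get("server", {}).get("hash", {}).get("sha1")
    ja3 = tls.get("client", {}).get("ja3")
    if sha1:
        obs.append(("cert_sha1", sha1.lower()))
    if ja3:
        obs.append(("ja3", ja3.lower()))
    if dst.get("ip") and dst.get("port"):
        obs.append(("c2_endpoint", f"{dst['ip']}:{dst['port']}"))
    return obs

def match_event(event, indicators, now):
    """Return the reason of every still-active indicator the event matches."""
    live = {(i["kind"], i["value"].lower()): i["reason"]
            for i in active_indicators(indicators, now)}
    return [live[o] for o in event_observables(event) if o in live]

# Constructed sample event hitting all three indicator kinds.
SAMPLE_EVENT = {"tls": {"client": {"ja3": "0123456789ABCDEF0123456789abcdef"},
                        "server": {"hash": {"sha1": "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678"}}},
                "destination": {"ip": "198.51.100.23", "port": 443}}

if __name__ == "__main__":
    # The C2 endpoint was last seen 70 days before "now", so it has expired.
    print(match_event(SAMPLE_EVENT, INDICATORS, parse_ts("2024-05-10T00:00:00Z")))
```

Run on 2024-05-10 the sample event matches the certificate and JA3 indicators only, because the C2 endpoint indicator has aged out; run on 2024-03-15 all three match.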
