Skip to content
/ sebel Public

Checks SSL/TLS certificates for potential malicious connections by detecting and blocking certificates used by botnet command and control (C&C) servers.

License

Apache-2.0 license
37 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

teler-sh/sebel

BranchesTags

Repository files navigation

sebel

GoDoc tests Go Report Card

sebel is a Go package that provides functionality for checking SSL/TLS certificates against malicious connections, by identifying and blacklisting certificates used by botnet command and control (C&C) servers.

Usage

Setting up Sebel instance:

import "github.com/teler-sh/sebel"

// ...

s := sebel.New(Options{/* ... */})
defer s.Close() // Stop background refresh if enabled

Note

The Options parameter is optional. See Options for available configuration.

Examples

Next, set the transport for the HTTP client you are using:

// initialize Sebel (fetch SSLBL data)
s := sebel.New()
defer s.Close()

client := &http.Client{
    Transport: s.RoundTripper(http.DefaultTransport),
}

// now, you can use [client.Do], [client.Get], etc. to create requests.

resp, err := client.Get("https://c2.host")
if err != nil && sebel.IsBlacklist(err) {
    // certificate blacklisted
    panic(err)
}
defer resp.Body.Close()

Alternatively, for seamless integration without configuring a new client, replace your current default HTTP client with Sebel's RoundTripper:

http.DefaultClient.Transport = sebel.New().RoundTripper(http.DefaultTransport)

You can also check the certificate later using Sebel's CheckTLS.

r, err := http.Get("https://c2.host")
if err != nil {
	panic(err)
}
defer r.Body.Close()

s := sebel.New()

_, err = s.CheckTLS(r.TLS)
if err != nil && sebel.IsBlacklist(err) {
	// certificate blacklisted
	panic(err)
}

Or check a host directly using CheckHost:

s := sebel.New()

_, err := s.CheckHost("c2.host", "443", nil)
if err != nil && sebel.IsBlacklist(err) {
	// certificate blacklisted
	panic(err)
}

Background Refresh

To keep the SSLBL data up-to-date automatically:

s := sebel.New(sebel.Options{
    DataRefreshInterval: 5 * time.Minute,
})
defer s.Close() // Important: stop the background goroutine

client := &http.Client{
    Transport: s.RoundTripper(http.DefaultTransport),
}

These examples demonstrate various ways to set up Sebel and integrate it with HTTP clients for SSL/TLS certificate checks.

Status

Caution

Sebel has NOT reached 1.0 yet. Therefore, this library is currently not supported and does not offer a stable API; use at your own risk.

There are no guarantees of stability for the APIs in this library, and while they are not expected to change dramatically. API tweaks and bug fixes may occur.

License

sebel is released by @dwisiswant0 under the Apache 2.0 license. See LICENSE.

The data used in this project are © by abuse.ch under CC0.

About

Checks SSL/TLS certificates for potential malicious connections by detecting and blocking certificates used by botnet command and control (C&C) servers.

Topics

go tls golang ssl blacklist abuse sebel go-library c2 command-and-control go-lib sslbl

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

37 stars

Watchers

0 watching

Forks

2 forks
Report repository

Sponsor this project

 
Learn more about GitHub Sponsors

Languages