Artica PCAP filter sources are lists of IP addresses (or DNS blocklists) against which the engine evaluates the traffic seen on your network card.
When a packet arrives on the network card, the engine checks whether its IP address is referenced in any of the sources you have added.
Use the -add-source [URL]
token to add a list to the database. The URL scheme can be http, https or rbl. Prefer https where the publisher offers it: a list fetched over plain http can be altered in transit, and whatever it contains becomes the filter's view of your network.
articapsniffer -add-source http://www.myip.ms/files/blacklist/csf/latest_blacklist.txt
When you add a source, Artica PCAP places it in its download queue.
Sources are checked automatically if you have enabled daemon mode.
Once downloaded, sources are injected into a dedicated memory buffer.
A record takes about 83 bytes inside the memory buffer; for example, 3 717 788 records use about 306 970 624 bytes (about 300 MB) of memory buffer.
If you want articapsniffer to use DNS (a real-time blocklist, RBL) to detect IP addresses,
use a URL of the form rbl://[RBL Domain]/[IPToMatch]
articapsniffer -add-source rbl://b.barracudacentral.org/127.0.0.2
This queries b.barracudacentral.org and counts a match when the DNS server responds with 127.0.0.2. Each lookup is a DNS query, so keep the query volume and the RBL operator's usage terms in mind before pointing a busy interface at a public RBL.
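The following is an added example, not code from Artica or the articapsniffer tool, showing the two ways a source can match an address: a downloaded list (here a constructed sample in the comment-plus-one-entry-per-line shape used by the firehol netsets) and an RBL lookup. The RBL part builds the query name the way DNS blocklists conventionally expect (reversed octets under the zone, RFC 5782) and matches only when the answer equals the IP given in the rbl:// URL; whether articapsniffer builds its queries exactly this way is not stated on this page and is assumed here. The resolver is injected so the example runs offline; the 83 bytes per record figure is the one quoted above.

```python
import ipaddress
from typing import Callable, Iterable, List, Optional

# Constructed sample list source (not a real download): '#' starts a comment,
# one IPv4 address or CIDR network per line, plus one junk line to show error handling.
SAMPLE_LIST = """\
# sample in the style of a firehol netset (constructed for this example)
0.0.0.0/8
10.0.0.0/8
198.51.100.7
203.0.113.0/24  # trailing comment
not-an-ip
"""

RECORD_BYTES = 83  # per-record memory cost quoted on the page


def parse_list_source(text: str) -> List[ipaddress.IPv4Network]:
    """Turn a downloaded list into networks; comments, blanks and junk lines are skipped."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            # One bad line must not discard the whole list; a real loader would log it.
            continue
    return nets


def estimate_buffer_bytes(record_count: int) -> int:
    """Rough memory needed for a list, using the page's 83-bytes-per-record figure."""
    return record_count * RECORD_BYTES


def list_matches(ip: str, nets: Iterable[ipaddress.IPv4Network]) -> Optional[ipaddress.IPv4Network]:
    """Return the first network containing ip, or None when no list entry matches."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:  # False when address and network families differ
            return net
    return None


def rbl_query_name(zone: str, ip: str) -> str:
    """Conventional DNSBL lookup name: reversed IPv4 octets under the RBL zone (RFC 5782)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 lookups are handled in this example")
    reversed_octets = ".".join(reversed(ip.split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}"


def lookup_rbl(zone: str, ip: str, expected: str, resolve: Callable[[str], List[str]]) -> bool:
    """rbl://zone/expected matches only when an A answer equals `expected`.

    resolve(name) returns the A records for name, or [] for NXDOMAIN; it is injected so that
    this runs offline. Different return codes (e.g. 127.0.0.3) are deliberately not matches.
    """
    return expected in set(resolve(rbl_query_name(zone, ip)))


# Constructed fake DNS zone: one listed address with the expected code, one with another
# code, everything else NXDOMAIN. Not real barracudacentral data.
FAKE_DNS = {
    "4.3.2.1.b.barracudacentral.org": ["127.0.0.2"],
    "8.7.6.5.b.barracudacentral.org": ["127.0.0.3"],
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    nets = parse_list_source(SAMPLE_LIST)
    print(len(nets), "records, about", estimate_buffer_bytes(len(nets)), "bytes in buffer")
    print("203.0.113.9 ->", list_matches("203.0.113.9", nets))
    print("1.2.3.4 listed:", lookup_rbl("b.barracudacentral.org", "1.2.3.4", "127.0.0.2", fake_resolve))
```

The list parser keeps going past a malformed line because one typo in a third-party list should not empty the filter; the RBL matcher compares the whole answer rather than "any answer", because many RBLs use several 127.0.0.x codes with different meanings and the source URL names exactly one.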
If running in daemon mode, sources are checked every hour.
Without daemon mode, use the -update-sources
token to launch the downloads:
articapsniffer -update-sources
The -list-sources token
displays all sources added to the configuration:
articapsniffer -list-sources
Example output:
RBL Source: id:3 [b.barracudacentral.org] ENABLED "rbl://b.barracudacentral.org/127.0.0.2"
HTTP Source: id:2 [iplists.firehol.org] ENABLED "https://iplists.firehol.org/files/firehol_level1.netset"
HTTP Source: id:1 [New data source] ENABLED "https://raw.githubusercontent.com/duggytuxy/malicious_ip_addresses/main/botnets_zombies_scanner_spam_ips.txt"
Note the id number: it is what you use to enable, disable or delete a source.
-delete-source
, -disable-source
, -enable-source
respectively delete, disable and enable the source in the database that carries the given unique identifier id.
If running in daemon mode, do not forget to reload the service (using the -reload
token) for the change to take effect.
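An added example, not Artica's own code, of the enable/disable/delete workflow described above: it parses -list-sources output (the sample below is constructed in the shape of the listing shown on this page), finds the id for a given source URL, and produces the commands to run, including the -reload needed in daemon mode. The regex is my reading of the sample output, not a format specification; the DISABLED keyword and the "-disable-source <id>" argument form are assumptions, since the page only shows enabled sources and says the tokens take the id.

```python
import re
from typing import Dict, List, Optional

# Pattern derived from the -list-sources sample on this page (assumed, not documented by Artica).
LINE_RE = re.compile(
    r'^(?P<kind>RBL|HTTP) Source: id:(?P<id>\d+) \[(?P<label>[^\]]*)\] '
    r'(?P<state>ENABLED|DISABLED) "(?P<url>[^"]+)"$'
)

# Constructed sample listing, same shape as the page's example output.
SAMPLE_LISTING = """\
RBL Source: id:3 [b.barracudacentral.org] ENABLED "rbl://b.barracudacentral.org/127.0.0.2"
HTTP Source: id:2 [iplists.firehol.org] ENABLED "https://iplists.firehol.org/files/firehol_level1.netset"
HTTP Source: id:1 [New data source] ENABLED "https://raw.githubusercontent.com/duggytuxy/malicious_ip_addresses/main/botnets_zombies_scanner_spam_ips.txt"
"""


def parse_sources(listing: str) -> List[Dict[str, str]]:
    """Parse listing lines into dicts with kind, id, label, state and url; unknown lines are ignored."""
    sources = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sources.append(m.groupdict())
    return sources


def source_id_for_url(listing: str, url: str) -> Optional[int]:
    """Return the id of the source whose URL matches exactly, or None if it is not configured."""
    for s in parse_sources(listing):
        if s["url"] == url:
            return int(s["id"])
    return None


def source_commands(listing: str, url: str, action: str, daemon: bool = True) -> List[str]:
    """Build the articapsniffer command line(s) for action in {enable, disable, delete}.

    Looking the id up by URL avoids acting on the wrong source when ids change after
    deletions. In daemon mode the page says a -reload is needed for the change to apply.
    """
    if action not in ("enable", "disable", "delete"):
        raise ValueError(f"unsupported action: {action}")
    sid = source_id_for_url(listing, url)
    if sid is None:
        raise KeyError(f"no configured source with url {url}")
    cmds = [f"articapsniffer -{action}-source {sid}"]  # argument form assumed: id after the token
    if daemon:
        cmds.append("articapsniffer -reload")
    return cmds


if __name__ == "__main__":
    for s in parse_sources(SAMPLE_LISTING):
        print(s["id"], s["kind"], s["state"], s["url"])
    print(source_commands(SAMPLE_LISTING, "rbl://b.barracudacentral.org/127.0.0.2", "disable"))
```

The commands are returned as strings rather than executed, so the helper can be reviewed or dry-run before anything touches the live configuration.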