Update block-lists.md

gustavo-iniguez-goya · web-flow · commit 1090fb33ae23 · 2025-08-12T23:39:18.000+02:00
diff --git a/wiki/block-lists.md b/wiki/block-lists.md
@@ -18,6 +18,7 @@ Supported list stypes
  * [Lists of regular expressions](#lists-of-domains-with-regular-expressions)
  * [Lists of IPs](#lists-of-ips)
  * [Lists of Nets](#lists-of-nets)
+ * [Lsits of MD5s](#lists-of-md5s-added-in-v170)
 
 [Notes](#notes)
 
@@ -110,18 +111,19 @@ adtrack(er|ing)?[0-9]*[_.-]
 ^stat(s|istics)?[0-9]*[_.-]
 ```
 
-**Note**: if you add a domain without regex to this type of list, it'll match everything for that domain: _google.com_ will match _clients6.google.com_, _docs.google.com_, etc.
+**Note**: if you add a domain without a regex to this type of list, it'll match everything for that domain: _google.com_ will match _clients6.google.com_, _docs.google.com_, etc.
 
-**Note**: Sometimes regular expressions can be too generic, so they may block too much domains. You can go to Rules tab -> double click on the rule, and see what domains the rule has matched, and refine the list accordingly.
+**Note**: Sometimes regular expressions can be too generic, so they may block too many domains. You can go to Rules tab -> double click on the rule, and see what domains the rule has matched, and refine the list accordingly.
 
-**Warning**: This lists must be small (~500 items). Using it with huge lists will lead to important performance penalty ([#866](https://github.com/evilsocket/opensnitch/issues/866)).
+⚠️ **WARNING** ⚠️: This list must be small (~500 items). Using it with huge lists will lead to important performance penalty ([#866](https://github.com/evilsocket/opensnitch/issues/866)).
 
 Here's a playground you can use to test regular expressions: https://go.dev/play/p/JzQCeNH4OH1
 
 ---
 
 #### Lists of IPs
 - One per line:
+
 IPs
 ```
 # https://iplists.firehol.org/
@@ -143,6 +145,32 @@ Nets:
 
 ---
 
+#### Lists of md5s (added in v1.7.0)
+Use this type to allow or block list of md5s.
+
+```json
+  "operator": {
+    "type": "lists",
+    "operand": "lists.hash.md5",
+    "sensitive": false,
+    "data": "/etc/opensnitchd/md5list/",
+    "list": []
+  }
+```
+
+For example you can download a list of known malware in the wild from [bazaar.abuse.ch](https://bazaar.abuse.ch/export/)
+
+```bash
+~ $ wget https://bazaar.abuse.ch/export/txt/md5/full/ -O /tmp/md5list-full.zip
+~ $ unzip -d /tmp/md5list-full.zip /etc/opensnitchd/md5list/
+~ $ head -3 /etc/opensnitchd/md5list/full_md5.txt
+################################################################
+# MalwareBazaar full malware samples dump (MD5 hashes)         #
+# Last updated: 2025-08-12 19:33:06 UTC                        #
+```
+
+---
+
 #### Notes
 - Lines started with # are ignored. Write comments always on a new line, not after a domain.
 - The domains `local`, `localhost`, `localhost.localdomain` and `broadcasthost` are ignored.
@@ -217,6 +245,8 @@ https://urlhaus.abuse.ch/api/#hostfile
 
 https://threatfox.abuse.ch/export/#hostfile
 
+https://bazaar.abuse.ch/export/
+
 Collections of Threat Intel feeds (by hash, IPs, domains, and more):
 
 https://github.com/Bert-JanP/Open-Source-Threat-Intel-Feeds
