Open andresriancho opened 11 years ago
A quick grep shows these rules:
```
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT redirection to driveby download"; flow:to_client,established; file_data; content:"/Home/index.php|22| width=1 height=1 scrolling=no>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25948; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE config.inc.php in iframe"; flow:to_client,established; file_data; content:"<iframe"; content:"config.inc.php"; within:100; content:""; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html; classtype:trojan-activity; sid:26585; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Mac OSX FBI ransomware"; flow:to_client,established; file_data; content:"<iframe src=|22|YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|20LOCKED"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/; classtype:trojan-activity; sid:27246; rev:1;)
```
The first challenge is to parse the rule format. A quick Google search shows:
Sent email to the mailing lists to see what they think about the idea.
Also sent an email to the snort mailing list.
https://github.com/pevma/rule2alert is an improvement over the previous parser I linked.
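To make the parsing problem concrete, here is an added example (not w3af's code and not taken from rule2alert) that splits a single-line Snort rule into header and options, decodes the `|22|`-style hex escapes inside `content`, and applies the content matches to an HTTP response body the way `file_data` would. The sample body is constructed, and the `distance`/`within` handling is a simplified approximation of Snort's semantics.

```python
import re

# Constructed sample input: SID 25948 from the thread (metadata trimmed to fit) and a fake body.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT redirection'
               ' to driveby download"; flow:to_client,established; file_data; content:"/Home/'
               'index.php|22| width=1 height=1 scrolling=no>"; fast_pattern:only; sid:25948; rev:3;)')
SAMPLE_BODY = b'<html><iframe src="http://example.invalid/Home/index.php" width=1 height=1 scrolling=no></html>'

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
OPTION_RE = re.compile(r'\s*(\w+)(?::((?:"(?:[^"\\]|\\.)*"|[^;])*))?;')  # keyword[:value];

def decode_content(raw):
    """Snort content value -> bytes: quoted text where |..| runs are hex bytes (|22| is a quote)."""
    out = bytearray()
    for i, part in enumerate(raw.strip()[1:-1].split('|')):
        out += bytes.fromhex(part) if i % 2 else re.sub(r'\\(.)', r'\1', part).encode('latin-1')
    return bytes(out)

def parse_rule(line):
    """Split one single-line rule into its header fields and an ordered (keyword, value) list."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError('not a single-line Snort rule')
    rule = dict(zip(('action', 'proto', 'src', 'sport', 'direction', 'dst', 'dport'), m.groups()))
    rule['options'] = OPTION_RE.findall(m.group(8))
    rule['sid'] = next((int(v) for k, v in rule['options'] if k == 'sid'), None)
    rule['msg'] = next((v.strip('"') for k, v in rule['options'] if k == 'msg'), '')
    return rule

def content_matches(rule):
    """Pair every content pattern with the distance/within modifiers that follow it."""
    groups = []
    for key, value in rule['options']:
        if key == 'content':
            groups.append({'pattern': decode_content(value), 'distance': None, 'within': None})
        elif key in ('distance', 'within') and groups:
            groups[-1][key] = int(value)
    return groups

def match_body(rule, body):
    """Check the rule's content matches, in order, against a response body (the file_data buffer).
    Simplified semantics: distance/within are taken relative to the end of the previous match;
    nocase, depth/offset and pcre options are not handled."""
    prev_end = 0
    for g in content_matches(rule):
        relative = g['distance'] is not None or g['within'] is not None
        lo = prev_end + (g['distance'] or 0) if relative else 0
        hi = lo + g['within'] if g['within'] is not None else len(body)
        idx = body.find(g['pattern'], lo, hi)
        if idx < 0:
            return False
        prev_end = idx + len(g['pattern'])
    return True
```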
Rules will come out of:
Suricata rules are not GPL: http://rules.emergingthreats.net/open-nogpl/suricata-1.3/rules/LICENSE, they seem to be BSD. This means that we can't really include them into our repository.
The trick here will be to download them before enabling the plugin. This should be well documented and performed by the user, not an automated script. Oinkmaster seems to be a great option for downloading and keeping the rulesets updated for both suricata and snort. Maybe we can document a way for the users to use that?
Well, licensing of the rules is complex, take a look at this [0]. Summary:
The GPLv2 rules I'll be able to use/bundle/distribute with my software without worrying because my software is GPLv2.
The BSD rules seem to be under the original BSD license [1] which is incompatible with GPLv2. This won't allow me to bundle them with my software.
The ETPRO-License is completely incompatible with GPLv2.
[0] http://rules.emergingthreats.net/open-nogpl/suricata-1.3/rules/LICENSE
[1] http://www.gnu.org/licenses/license-list.html#OriginalBSD
The rule parser code is GPLv2. Wiii!
Contributor wanted
This issue is easy and looking for a contributor, just add a comment saying you'll do it and it's yours!
Not sure where to start from? Take a look at our First steps as a contributor and Contributing 101 wiki pages.
Other interesting tasks which can be completed by new w3af contributors can be found here.
Task description
Use snort rules to detect exploits/malware in HTTP response body http://www.snort.org/snort-rules/