Open necrose99 opened 1 year ago
I am also interested in the cooperation with Sigma rule. Similarly, I would like to support Snort, Yara, etc.
The most difficult part of the research is that the number of data sources is far too small to link the detected CVEs to those rules. At the time, the most usable rules we found were the officially distributed Snort rules.
Do you know of a data source that is stable, updated and has a reasonable amount of data linking these rules to CVEs?
At the very least, you could add it in the yellow ⚠️ category, i.e. caution, as possible detections? Sigma rules, unfortunately, are not an easy sigma2taxii or sigma2stix, at least initially; there might be more on further research ... consumer I/O that vuls could ingest with the current vuls sub-tools.
At least in Go.
https://github.com/opencybersecurityalliance/stix-shifter , ports to stix2
https://pkg.go.dev/github.com/TcM1911/stix2
https://raw.githubusercontent.com/SigmaHQ/sigma/master/tools/config/ecs-suricata.yml , perhaps useful.
https://uncoder.io/
https://github.com/SigmaHQ/sigma
https://github.com/bradleyjkemp/sigma-go . A few free Sigma feeds.
While common in SIEM land, these are more raw threat detections.
Machine A is vulnerable to X. Warning ⚠️ Machine A is showing an active infection... might be useful to know on reports: your firewall is not patched, is vulnerable, compromised, etc.
As a 🔌 plug-in, similar to go-cti, gost, etc.
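As an added example (not code from vuls, go-cti, gost or either commenter), here is one way the "rule to CVE" link discussed above can be established with the Go standard library only: pull the CVE references a rule already carries (Sigma `tags` such as `cve.2021.44228`, Snort `reference:cve,2021-44228`) and wrap the rule as a STIX 2.1 indicator bundle that a consumer could ingest. The two sample rules are constructed for this example, not taken from SigmaHQ or the Snort feed; the map-based STIX objects stand in for a typed library such as the TcM1911/stix2 package linked above; and the `related-to` relationship between indicator and vulnerability is an assumption, chosen because STIX 2.1's `indicates` relationship does not target vulnerability objects.

```go
package main

import (
	"crypto/rand"
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"time"
)

// Constructed sample rules for this example (not taken from SigmaHQ or the
// Snort feed), trimmed to the parts that carry CVE references.
const sampleSigma = `title: Possible Log4Shell Exploitation (constructed sample)
status: test
tags:
    - attack.initial_access
    - cve.2021.44228
    - cve.2021-45046
detection:
    selection:
        Message|contains: '${jndi:'
    condition: selection
`

const sampleSnort = `alert tcp any any -> $HOME_NET any (msg:"constructed sample rule"; reference:cve,2021-44228; reference:url,example.invalid; sid:1000001; rev:1;)`

// cveRe covers the spellings seen in Sigma tags (cve.2021.44228 or
// cve.2021-44228), Snort/Suricata reference options (reference:cve,2021-44228)
// and plain CVE-2021-44228 text. Groups 1 and 2 are the year and sequence number.
var cveRe = regexp.MustCompile(`(?i)\bcve[.,:-](\d{4})[.-](\d{4,})\b`)

// ExtractCVEs returns the CVE IDs referenced by a rule, normalized to
// CVE-YYYY-NNNN, de-duplicated and sorted.
func ExtractCVEs(rule string) []string {
	seen := map[string]struct{}{}
	for _, m := range cveRe.FindAllStringSubmatch(rule, -1) {
		seen[fmt.Sprintf("CVE-%s-%s", m[1], m[2])] = struct{}{}
	}
	out := make([]string, 0, len(seen))
	for id := range seen {
		out = append(out, id)
	}
	sort.Strings(out)
	return out
}

// stixObject is a loose map-based STIX 2.1 object; a typed library such as
// github.com/TcM1911/stix2 would replace this in real code.
type stixObject map[string]interface{}

// newID builds a STIX identifier of the form <type>--<random UUIDv4>.
func newID(typ string) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%s--%x-%x-%x-%x-%x", typ, b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
}

// BuildBundle wraps one rule as a STIX 2.1 indicator (pattern_type "sigma" and
// "snort" are both in the spec's pattern-type vocabulary), emits one
// vulnerability object per referenced CVE, and links them with a generic
// "related-to" relationship (an assumption made for this example).
func BuildBundle(name, patternType, pattern string, now time.Time) ([]byte, error) {
	ts := now.UTC().Format("2006-01-02T15:04:05.000Z")
	common := func(typ string) stixObject {
		return stixObject{"type": typ, "spec_version": "2.1", "id": newID(typ), "created": ts, "modified": ts}
	}
	ind := common("indicator")
	ind["name"], ind["pattern"], ind["pattern_type"], ind["valid_from"] = name, pattern, patternType, ts
	objs := []stixObject{ind}
	for _, cve := range ExtractCVEs(pattern) {
		vuln := common("vulnerability")
		vuln["name"] = cve
		vuln["external_references"] = []map[string]string{{"source_name": "cve", "external_id": cve}}
		rel := common("relationship")
		rel["relationship_type"], rel["source_ref"], rel["target_ref"] = "related-to", ind["id"], vuln["id"]
		objs = append(objs, vuln, rel)
	}
	return json.MarshalIndent(stixObject{"type": "bundle", "id": newID("bundle"), "objects": objs}, "", "  ")
}

func main() {
	for _, r := range []struct{ name, typ, text string }{
		{"constructed sigma sample", "sigma", sampleSigma},
		{"constructed snort sample", "snort", sampleSnort},
	} {
		fmt.Printf("%s -> %v\n", r.name, ExtractCVEs(r.text))
		out, err := BuildBundle(r.name, r.typ, r.text, time.Now())
		if err != nil {
			panic(err)
		}
		fmt.Println(string(out))
	}
}
```

The extraction step is the part that matters for a scanner like vuls: a rule with no CVE reference yields nothing and stays out of the "possible detections" category, while every CVE a rule does cite becomes a `vulnerability` object whose `external_references` entry (`source_name: cve`) is the key a consumer would join against its own CVE data. Rules that reference a CVE only in free text, or not at all, are exactly the gap in data sources mentioned in the thread; this code does not try to guess those.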