future-architect / vuls

Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
https://vuls.io/
GNU General Public License v3.0

Sigma rules feed.. #1614

Open necrose99 opened 1 year ago

necrose99 commented 1 year ago

https://uncoder.io/

https://github.com/SigmaHQ/sigma

https://github.com/bradleyjkemp/sigma-go A few free sigma feeds..

While common in SIEM land, these are more raw threat detections.

Machine A is vulnerable to X. Warning ⚠️ Machine A is showing as actively infected... might be useful to know on reports: your firewall is not patched, is vulnerable, compromised, etc.

as a 🔌 plug-in.

Similar to go-cti, gost, etc.

MaineK00n commented 1 year ago

I am also interested in the cooperation with Sigma rule. Similarly, I would like to support Snort, Yara, etc.

The most difficult part of the research is that the amount of data sources is far too small to link the detected CVEs to those rules. At the time, the most usable rules we found were the officially distributed Snort rules.

Do you know of a data source that is stable, updated and has a reasonable amount of data linking these rules to CVEs?
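The one rule-to-CVE link that does exist inside the Sigma rules themselves is the `cve.<year>.<number>` tag (plus advisory URLs in `references`). As an added example, not code from the vuls project or from either commenter, here is a Go index of that link over constructed Sigma-style rules; it scans the rule text with the standard library rather than parsing full YAML, and the rule ids and titles are made up.

```go
package main

import "regexp"

// Constructed Sigma-style rules for demonstration (not SigmaHQ rules). Sigma
// links a rule to a CVE via the tag "cve.<year>.<number>"; advisory URLs in
// "references" often carry the CVE id as well.
const sampleRules = `title: Log4j JNDI Lookup in HTTP Header
id: 11111111-1111-1111-1111-111111111111
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
tags:
    - attack.initial_access
    - cve.2021.44228
---
title: Placeholder Rule With Tag Only
id: 22222222-2222-2222-2222-222222222222
tags:
    - cve.2023.1234
`

var (
	docSepRe = regexp.MustCompile(`(?m)^---[ \t]*$`)
	idRe     = regexp.MustCompile(`(?m)^id:[ \t]*(\S+)`)
	cveTagRe = regexp.MustCompile(`(?m)^[ \t]*-[ \t]*cve\.(\d{4})\.(\d{4,})[ \t]*$`)
	cveRefRe = regexp.MustCompile(`(?i)\bCVE-(\d{4})-(\d{4,})\b`)
)

// IndexRulesByCVE maps "CVE-YYYY-NNNN" to the ids of rules that reference it;
// a CVE both tagged and linked in the same rule is recorded once.
func IndexRulesByCVE(stream string) map[string][]string {
	index := map[string][]string{}
	for _, doc := range docSepRe.Split(stream, -1) {
		id := idRe.FindStringSubmatch(doc)
		if id == nil {
			continue // not a rule document
		}
		seen := map[string]bool{}
		matches := append(cveTagRe.FindAllStringSubmatch(doc, -1), cveRefRe.FindAllStringSubmatch(doc, -1)...)
		for _, m := range matches {
			cve := "CVE-" + m[1] + "-" + m[2]
			if !seen[cve] {
				seen[cve] = true
				index[cve] = append(index[cve], id[1])
			}
		}
	}
	return index
}
```

A scanner that already reports CVE-2021-44228 for a host can look the id up in this map and attach the matching rule ids to the finding; rules with no CVE tag or reference never enter the index, which is the coverage gap the comment above describes.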

necrose99 commented 1 year ago

At the very least, you could add it in the yellow ⚠️ category, i.e. caution, as possible detections? Sigma rules, unfortunately, are not an easy sigma2taxii or sigma2stixx, at least initially; there might be more on further research... a consumer io that vuls could ingest with current vuls sub-tools.

At least in Golang.

https://github.com/opencybersecurityalliance/stix-shifter, ports to stix2

https://pkg.go.dev/github.com/TcM1911/stix2

https://raw.githubusercontent.com/SigmaHQ/sigma/master/tools/config/ecs-suricata.yml, perhaps useful.