Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
- Examine the Suricata rules and either modify them and add them to Malcolm under here, or adjust the build to pull them in via `git clone`.
- Examine the Snort rules, convert them to Suricata rule syntax, then follow the same process as in the previous bullet.
- Examine any new variables the rules reference that might need to be defined, and determine whether those need to be defined by the user or whether we can work them out automatically.
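One way to attack the third bullet mechanically, as an added example that is not Malcolm's own code: scan every rule header for `$VARIABLE` references and report the ones not defined under `vars:` in `suricata.yaml`. The rule set, the YAML fragment and the sids below are constructed for the example; the YAML handling assumes the flat `address-groups:` / `port-groups:` layout of Suricata's default config and is not a general YAML parser. Snort rules use the same `$VARIABLE` syntax in their headers, so the check applies unchanged to rules converted from Snort.

```python
"""Report Suricata rule variables ($NAME) that a rule set references but
suricata.yaml does not define (constructed example, not Malcolm code)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed suricata.yaml fragment: only the flat vars: layout that the
# stock Suricata config uses (address-groups / port-groups mappings).
SAMPLE_SURICATA_YAML = """\
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
    SSH_PORTS: 22
"""

# Constructed rules (sids are placeholders): two use only defined variables,
# two reference variables the YAML above does not define.
SAMPLE_RULES = """\
# comment line, ignored
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"constructed http rule"; content:"$"; sid:1000001; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"constructed dns rule"; sid:1000002; rev:1;)
alert tcp [$EXTERNAL_NET,!$PARTNER_NET] any -> $SCADA_SERVERS $MODBUS_PORTS (msg:"constructed ics rule"; sid:1000003; rev:1;)
drop tcp any $SHELLCODE_PORTS -> $HOME_NET any (msg:"constructed shellcode rule"; sid:1000004; rev:1;)
"""

VAR_RE = re.compile(r"\$([A-Za-z0-9_]+)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")
SECTIONS = ("address-groups", "port-groups")


def parse_defined_vars(yaml_text: str) -> Dict[str, Set[str]]:
    """Collect variable names defined under vars: address-groups / port-groups.

    Minimal line-based parse of the flat layout only (assumption); a nested
    or multi-document suricata.yaml needs a real YAML loader instead.
    """
    defined: Dict[str, Set[str]] = {s: set() for s in SECTIONS}
    section = None
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in defined and not value:
            section = key            # entering address-groups: / port-groups:
        elif section and value:
            defined[section].add(key)  # NAME: "value" inside a section
        elif not value:
            section = None           # some other mapping key, e.g. vars:
    return defined


def split_header(header: str) -> List[str]:
    """Split a rule header on whitespace, keeping [a, b] lists as one token."""
    tokens, cur, depth = [], [], 0
    for ch in header:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch.isspace() and depth == 0:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def rule_variables(rule: str) -> Tuple[Set[str], Set[str]]:
    """Return (address variables, port variables) used in one rule's header.

    Only the header (before the first '(') is examined, so a '$' inside a
    content: match in the options does not count as a variable reference.
    """
    header = rule.split("(", 1)[0]
    tokens = split_header(header)
    if len(tokens) != 7:
        raise ValueError(f"unexpected rule header: {header!r}")
    _action, _proto, src, sport, _direction, dst, dport = tokens
    addr = set(VAR_RE.findall(src)) | set(VAR_RE.findall(dst))
    ports = set(VAR_RE.findall(sport)) | set(VAR_RE.findall(dport))
    return addr, ports


def undefined_variables(rules_text: str, yaml_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each undefined variable, per section, to the rules (sid or line) using it."""
    defined = parse_defined_vars(yaml_text)
    report: Dict[str, Dict[str, List[str]]] = {s: {} for s in SECTIONS}
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or disabled rule
        addr, ports = rule_variables(line)
        m = SID_RE.search(line)
        ident = f"sid:{m.group(1)}" if m else f"line {lineno}"
        for section, used in (("address-groups", addr), ("port-groups", ports)):
            for name in sorted(used - defined[section]):
                report[section].setdefault(name, []).append(ident)
    return report


if __name__ == "__main__":
    for section, missing in undefined_variables(SAMPLE_RULES, SAMPLE_SURICATA_YAML).items():
        for name, users in sorted(missing.items()):
            print(f"{section}: ${name} undefined (used by {', '.join(users)})")
```

Anything this reports is a variable the rule source expects the deployment to define; whether Malcolm can derive it (as it would for something like a home-network address group) or must ask the user for it is exactly the question the bullet raises. Rules split across lines with `\` continuation are not handled, and a rule whose header does not have the seven-token `action proto src sport dir dst dport` shape raises rather than being silently skipped.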
See:
Tasks: