[Oisf-users] Suricata - w3af integration to find malware in websites
Victor Julien
lists at inliniac.net
Tue Oct 8 10:48:23 UTC 2013
On 10/08/2013 03:05 AM, Andres Riancho wrote:
> List,
>
> Let me introduce myself, my name is Andres Riancho and I'm the
> w3af [0] project leader. w3af is an open source web application
> security scanner, and I was thinking about integrating a small subset
> of suricata's rules into it.
>
> The idea is rather simple, parse the rules which identify
> botnets/malware in http response bodies and apply them to each http
> response that w3af gets from the target site while it's crawling it.
> If a match is found, report a vulnerability to the user; that
> vulnerability will contain all the information (URLs, fix, more info,
> etc.) provided by the suricata rule.
>
> My questions to the suricata community are:
> * What do you think about the idea?
> * Do you expect this to trigger lots of false positives? How
> could I reduce them?
The closer the logic is to how we process HTTP, the fewer FPs you should
get.
> * w3af is GPLv2.0, can I bundle the suricata rules with it?
Suricata ships only a special kind of rules (decoder events and other
events the engine itself generates); for the rest, people mostly use ET
and/or VRT.
> * Is there any well tested suricata rule parser written in python?
rule2alert is written in python and generates pcaps based on rules, so
it should parse them fairly well: https://github.com/pevma/rule2alert
> * Any similar project you want me to look into?
> * Are there major differences between snort and suricata
> rules? Which ruleset should I use for this task?
It's not really about Snort vs. Suricata, but more about using ET vs. VRT,
I think. The ET set is mostly BSD-licensed, IIRC, so you should be able
to use that.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
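As an added illustration of what the thread proposes (not code from w3af, Suricata, rule2alert, or the ET/VRT rulesets), here is a Python sketch of the two pieces a crawler would need: a parser for a small subset of Suricata/Snort rule syntax, and a matcher that applies the response-body rules (`file_data` / `http_server_body` contents) to a response the crawler has already fetched. The rules, the response body and the `example.invalid` references are constructed for this example. It takes Victor's point about false positives literally: a rule is applied only when every content it carries targets the response body and every option it uses is one the matcher can reproduce; a rule using pcre, distance/within, flowbits, or request-side buffers is skipped with a reason rather than half-evaluated.

```python
"""Added example, not code from w3af, Suricata or rule2alert: parse a small subset of
Suricata/Snort rule syntax and apply the response-body rules to crawled HTTP responses."""
import re
from dataclasses import dataclass, field

HEADER = re.compile(r"^(alert|drop|pass|reject)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)"
                    r"\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
# One option = run of plain chars, quoted strings (with \-escapes) or escaped chars, then ';'.
OPTION = re.compile(r'\s*((?:[^;"\\]|"(?:[^"\\]|\\.)*"|\\.)+);')
STICKY = {"file_data": "body", "http.response_body": "body"}      # apply to later contents
MODIFIERS = {"http_server_body": "body", "http_uri": "uri", "http_header": "header"}  # previous one
# Constructed rules for this example, in Suricata syntax; NOT taken from the ET or VRT sets.
SAMPLE_RULES = r"""
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Fake AV landing page"; flow:established,to_client; file_data; content:"|3c|title|3e|Windows Security Scanner"; nocase; content:"Your computer is infected"; nocase; reference:url,example.invalid/fakeav; classtype:trojan-activity; sid:9000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Hidden iframe injection"; flow:established,to_client; content:"<iframe"; http_server_body; nocase; content:"visibility|3a|hidden"; http_server_body; nocase; content:!"example.com"; http_server_body; reference:url,example.invalid/iframe; classtype:trojan-activity; sid:9000002; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Bot check-in"; flow:established,to_server; content:"/gate.php"; http_uri; sid:9000003; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Obfuscated eval"; flow:established,to_client; file_data; content:"eval(unescape("; pcre:"/eval\(unescape\(/"; sid:9000004; rev:1;)
"""

@dataclass
class Content:
    pattern: bytes
    buffer: str = "packet"   # raw payload until a buffer keyword says otherwise
    nocase: bool = False
    negated: bool = False

@dataclass
class Rule:
    sid: int = 0
    msg: str = ""
    references: list = field(default_factory=list)
    contents: list = field(default_factory=list)
    to_client: bool = False
    skip_reason: str = ""    # non-empty: the rule must not be applied to response bodies

def split_options(text):
    # "key:value; key; ..." -> [(key, value)], splitting only on ';' outside quotes.
    opts = []
    for tok in OPTION.findall(text):
        key, _, val = tok.partition(":")
        opts.append((key.strip(), val.strip()))
    return opts

def decode_content(raw):
    # Turn a content string with |hex| blocks and backslash escapes into bytes.
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "|":
            end = raw.index("|", i + 1)
            out += bytes.fromhex(raw[i + 1:end])
            i = end + 1
        else:
            i += raw[i] == "\\"      # step over the escape; keep the escaped char
            out += raw[i].encode("latin-1")
            i += 1
    return bytes(out)

def parse_rule(line):
    m = HEADER.match(line.strip())
    if not m:
        return None
    rule, buf, unsupported = Rule(), "packet", set()
    for key, val in split_options(m.group(8)):
        if key == "content":
            pat = decode_content(val.lstrip("!").strip('"'))
            rule.contents.append(Content(pat, buf, negated=val.startswith("!")))
        elif key == "nocase" and rule.contents:
            rule.contents[-1].nocase = True
        elif key in MODIFIERS and rule.contents:
            rule.contents[-1].buffer = MODIFIERS[key]
        elif key in STICKY:
            buf = STICKY[key]
        elif key == "msg":
            rule.msg = val.strip('"')
        elif key == "sid":
            rule.sid = int(val)
        elif key == "reference":
            rule.references.append(val)
        elif key == "flow":
            rule.to_client = bool({"to_client", "from_server"} & set(val.split(",")))
        elif key not in ("rev", "classtype", "metadata", "priority", "gid"):
            unsupported.add(key)   # pcre, distance, within, flowbits, byte_test, ...
    # Apply a rule only when its whole logic can be reproduced on the decoded body;
    # evaluating half a rule is exactly where the false positives would come from.
    if unsupported:
        rule.skip_reason = "unsupported options: " + ", ".join(sorted(unsupported))
    elif not rule.to_client or not rule.contents or any(c.buffer != "body" for c in rule.contents):
        rule.skip_reason = "not a rule over the server response body"
    return rule

def rule_matches(rule, body):
    # Every content must occur (or, if negated, must not occur) in the body.
    return all((c.pattern.lower() in body.lower() if c.nocase else c.pattern in body) != c.negated
               for c in rule.contents)

def scan_response(rules, url, body):
    # Findings for one crawled response; body must already be decompressed, as
    # Suricata's http_server_body buffer is. Each finding carries what the rule provides.
    return [{"url": url, "sid": r.sid, "msg": r.msg, "references": r.references}
            for r in rules if not r.skip_reason and rule_matches(r, body)]

RULES = [r for r in map(parse_rule, SAMPLE_RULES.splitlines()) if r]
# Constructed response body for the demonstration.
SAMPLE_BODY = b"<html><TITLE>Windows Security Scanner</TITLE><p>Your computer is INFECTED!</p>"
```

Two things in this sketch follow directly from the reply above. The crawler has to hand over the decompressed body, because that is what Suricata's `http_server_body` buffer contains, so matching raw or compressed bytes would diverge from the engine. And `parse_rule` records a `skip_reason` instead of silently applying the parts of a rule it understands; real rulesets lean heavily on `pcre`, `distance`/`within` and `flowbits`, so the subset a matcher like this can honour faithfully is smaller than the full set, which is preferable to reporting findings the engine itself would never raise. Sticky buffers (`file_data`) apply to the contents that follow them and legacy modifiers (`http_server_body`) to the content before them, as in Suricata.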