[Oisf-users] Suricata - w3af integration to find malware in websites

Victor Julien lists at inliniac.net
Tue Oct 8 10:48:23 UTC 2013

On 10/08/2013 03:05 AM, Andres Riancho wrote:
> List,
>     Let me introduce myself, my name is Andres Riancho and I'm the
> w3af [0] project leader. w3af is an open source web application
> security scanner, and I was thinking about integrating a small subset
> of suricata's rules into it.
>     The idea is rather simple, parse the rules which identify
> botnets/malware in http response bodies and apply them to each http
> response that w3af gets from the target site while it's crawling it.
> If a match is found, report a vulnerability to the user; that
> vulnerability will contain all the information (URLs, fix, more info,
> etc.) provided by the suricata rule.
>     My questions to the suricata community are:
>         * What do you think about the idea?
>         * Do you expect this to trigger lots of false positives? How
> could I reduce them?

The closer the logic is to how we process http, the less fp's you should

>         * w3af is GPLv2.0, can I bundle the suricata rules with it?

Suricata ships only a special kind of rules (decoder events and other
events the engine itself generates), for the rest ppl mostly use ET
and/or VRT.

>         * Is there any well tested suricata rule parser written in python?

rule2alert is written in python and generates pcaps based on rules, so
it should parse them fairly well: https://github.com/pevma/rule2alert

>         * Any similar project you want me to look into?
>         * Are there major differences between snort and suricata
> rules? Which ruleset should I use for this task?

It's not really about snort vs suricata, but more about using ET vs VRT
I think. The ET set is BSD licensed mostly iirc, so you should be able
to use that.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list