[Oisf-users] Suricata - w3af integration to find malware in websites

Andres Riancho andres.riancho at gmail.com
Tue Oct 8 13:51:28 UTC 2013


On Tue, Oct 8, 2013 at 7:48 AM, Victor Julien <lists at inliniac.net> wrote:
> On 10/08/2013 03:05 AM, Andres Riancho wrote:
>> List,
>>     Let me introduce myself, my name is Andres Riancho and I'm the
>> w3af [0] project leader. w3af is an open source web application
>> security scanner, and I was thinking about integrating a small subset
>> of suricata's rules into it.
>>     The idea is rather simple, parse the rules which identify
>> botnets/malware in http response bodies and apply them to each http
>> response that w3af gets from the target site while it's crawling it.
>> If a match is found, report a vulnerability to the user; that
>> vulnerability will contain all the information (URLs, fix, more info,
>> etc.) provided by the suricata rule.
>>     My questions to the suricata community are:
>>         * What do you think about the idea?
>>         * Do you expect this to trigger lots of false positives? How
>> could I reduce them?
> The closer the logic is to how we process http, the less fp's you should
> get.

Makes sense. Also, a question for Suricata admins that analyze lots of
traffic: Are there any specific signatures for http response content
matching I should disable?

>>         * w3af is GPLv2.0, can I bundle the suricata rules with it?
> Suricata ships only a special kind of rules (decoder events and other
> events the engine itself generates), for the rest ppl mostly use ET
> and/or VRT.

Thanks for the clarification on suricata rules, VRT and ET.

PS: I'm an IDS noob; when you say VRT it is [0] and ET is [1], correct?

[0] http://www.snort.org/vrt
[1] http://www.emergingthreats.net/

>>         * Is there any well tested suricata rule parser written in python?
> rule2alert is written in python and generates pcaps based on rules, so
> it should parse them fairly well: https://github.com/pevma/rule2alert

Excellent, I will use that one.

>>         * Any similar project you want me to look into?
>>         * Are there major differences between snort and suricata
>> rules? Which ruleset should I use for this task?
> It's not really about snort vs suricata, but more about using ET vs VRT
> I think. The ET set is BSD licensed mostly iirc, so you should be able
> to use that.

Well, BSD and GPL are incompatible licenses, but I'll try to find out
more about the licensing of ET and VRT.

> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------

Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
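As an added illustration of the integration sketched in this thread (example code, not part of the thread, of w3af or of rule2alert): parse rules whose content matches are bound to the HTTP response body (file_data as a sticky buffer or http_server_body as a modifier), skip request-side rules, apply the rest to one crawled response, and report the rule's msg, sid and reference the way a scanner finding would. The rules and the response body are constructed for the demo, and only the content, nocase and buffer keywords are interpreted.

```python
import re
# Constructed Suricata-style rules for this demo (not taken from ET, VRT or Suricata itself).
SAMPLE_RULES = [
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE hidden iframe in page"; '
    'flow:established,to_client; file_data; content:"<iframe"; nocase; '
    'content:"visibility|3a|hidden"; nocase; distance:0; '
    'reference:url,example.invalid/hidden-iframe; sid:9000001; rev:1;)',
    'alert http any any -> any any (msg:"EXAMPLE request-side rule, must be skipped"; '
    'flow:to_server; http_uri; content:"/admin"; sid:9000002; rev:1;)',
]
BODY_BUFFERS = {"file_data", "http_server_body"}  # buffers that hold the response body
OPT_RE = re.compile(r'\s*([a-z_]+)(?::("(?:\\.|[^"])*"|[^;]*))?;')  # one rule option
def decode_content(text):
    """Rule content string -> bytes, expanding |hex| blocks (backslash escapes not handled)."""
    out = bytearray()
    for i, part in enumerate(text.strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_rule(rule):
    """Return msg/sid/reference plus content matches, or None unless every content is
    bound to the response body via file_data (sticky) or http_server_body (modifier)."""
    meta, contents, buffer = {"msg": "", "sid": "", "reference": ""}, [], None
    for key, val in OPT_RE.findall(rule[rule.index("(") + 1:rule.rindex(")")]):
        if key in meta:
            meta[key] = val.strip('"')
        elif key == "file_data" or key.startswith("http_"):
            buffer = key  # sticky buffer: applies to the contents that follow ...
            if contents and contents[-1]["buf"] is None:
                contents[-1]["buf"] = key  # ... legacy modifier: applies to the preceding one
        elif key == "content":
            contents.append({"data": decode_content(val), "nocase": False, "buf": buffer})
        elif key == "nocase" and contents:
            contents[-1]["nocase"] = True
    if not contents or any(c["buf"] not in BODY_BUFFERS for c in contents):
        return None
    return dict(meta, contents=[(c["data"], c["nocase"]) for c in contents])

def scan_response(body, rules=SAMPLE_RULES):
    """Apply the body rules to one HTTP response body; report msg, sid and reference.
    Simplification: each content only has to occur somewhere; distance/within not enforced."""
    hits = []
    for rule in filter(None, map(parse_rule, rules)):
        if all((body.lower().find(d.lower()) if nocase else body.find(d)) >= 0
               for d, nocase in rule["contents"]):
            hits.append({k: rule[k] for k in ("msg", "sid", "reference")})
    return hits
# Constructed response body: a page carrying an injected, hidden iframe.
SAMPLE_BODY = (b'<html><body>Welcome<IFRAME src="http://example.invalid/x" '
               b'style="visibility:hidden"></iframe></body></html>')
```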
