[Oisf-users] Suricata - w3af integration to find malware in websites

Shirkdog shirkdog at gmail.com
Tue Oct 8 13:55:43 UTC 2013


You should be able to include the Emerging Threats sigs by including the
copyright per the BSD 3-Clause they use.

To be extra cautious, you could just provide a way to pull down the latest
signatures and process them.
On Oct 8, 2013 9:51 AM, "Andres Riancho" <andres.riancho at gmail.com> wrote:

> Victor,
>
> On Tue, Oct 8, 2013 at 7:48 AM, Victor Julien <lists at inliniac.net> wrote:
> > On 10/08/2013 03:05 AM, Andres Riancho wrote:
> >> List,
> >>
> >>     Let me introduce myself, my name is Andres Riancho and I'm the
> >> w3af [0] project leader. w3af is an open source web application
> >> security scanner, and I was thinking about integrating a small subset
> >> of suricata's rules into it.
> >>
> >>     The idea is rather simple, parse the rules which identify
> >> botnets/malware in http response bodies and apply them to each http
> >> response that w3af gets from the target site while it's crawling it.
> >> If a match is found, report a vulnerability to the user; that
> >> vulnerability will contain all the information (URLs, fix, more info,
> >> etc.) provided by the suricata rule.
> >>
> >>     My questions to the suricata community are:
> >>         * What do you think about the idea?
> >>         * Do you expect this to trigger lots of false positives? How
> >> could I reduce them?
> >
> > The closer the logic is to how we process http, the fewer fp's you should
> > get.
>
> Makes sense. Also, a question for Suricata admins that analyze lots of
> traffic: Are there any specific signatures for http response content
> matching I should disable?
>
> >>         * w3af is GPLv2.0, can I bundle the suricata rules with it?
> >
> > Suricata ships only a special kind of rules (decoder events and other
> > events the engine itself generates), for the rest ppl mostly use ET
> > and/or VRT.
>
> Thanks for the clarification on suricata rules, VRT and ET.
>
> PS: I'm an IDS noob, when you say VRT it is [0] and ET is [1], correct?
>
> [0] http://www.snort.org/vrt
> [1] http://www.emergingthreats.net/
>
> >>         * Is there any well-tested suricata rule parser written in
> >> python?
> >
> > rule2alert is written in python and generates pcaps based on rules, so
> > it should parse them fairly well: https://github.com/pevma/rule2alert
>
> Excellent, will use that one.
>
> >>         * Any similar project you want me to look into?
> >>         * Are there major differences between snort and suricata
> >> rules? Which ruleset should I use for this task?
> >
> > It's not really about snort vs suricata, but more about using ET vs VRT
> > I think. The ET set is BSD licensed mostly iirc, so you should be able
> > to use that.
>
> Well, BSD and GPL are incompatible licenses, but I'll try to find out
> more about the licensing of ET and VRT.
>
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
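The crawler-side matching Andres describes (parse the rules that target the HTTP response body, apply each rule's content matches to a response, report the rule's msg and reference on a hit), as an added Python sketch that is not part of this thread, of w3af, or of rule2alert. The rules and response bodies are constructed for the example, and it only understands `content` with `nocase`, `distance`/`within` and the `file_data`/`http_server_body`/`http.response_body` buffers; every other keyword is a no-op.

```python
import re
RULE_TEXT = r'''
# Constructed example rules (local sid range), not Emerging Threats signatures.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Fake AV landing page"; flow:established,to_client; file_data; content:"Your computer is infected"; nocase; content:"<iframe"; distance:0; reference:url,example.invalid/fakeav; classtype:trojan-activity; sid:1000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Obfuscated JS loader"; flow:established,to_client; file_data; content:"eval|28|unescape|28|"; classtype:trojan-activity; sid:1000002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Outbound beacon URI"; flow:established,to_server; content:"/gate.php"; http_uri; sid:1000003; rev:1;)
'''

def decode_content(val):
    """Turn a content:"..." value into bytes, expanding |hex| runs and backslash escapes."""
    out = bytearray()
    for i, part in enumerate(val.strip()[1:-1].split('|')):
        out += bytes.fromhex(part) if i % 2 else re.sub(r'\\(.)', r'\1', part).encode()
    return bytes(out)

def parse_rule(line):
    """Parse one 'alert http' rule into msg/sid/references plus its ordered content matches and buffers."""
    opts = re.findall(r'\s*([a-z_.]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;', line[line.index('(') + 1:line.rindex(')')])
    rule = {'msg': '', 'sid': None, 'references': [], 'matches': []}
    buf = 'payload'  # sticky buffer in effect; only 'body' contents are applied to a response
    for key, val in opts:
        if key in ('file_data', 'http.response_body'):
            buf = 'body'
        elif key == 'content':
            rule['matches'].append({'buf': buf, 'pattern': decode_content(val), 'nocase': False, 'relative': False})
        elif key == 'http_server_body' and rule['matches']:  # legacy modifier form: applies to the previous content
            rule['matches'][-1]['buf'] = 'body'
        elif key in ('nocase', 'distance', 'within') and rule['matches']:
            rule['matches'][-1]['nocase' if key == 'nocase' else 'relative'] = True
        elif key == 'reference':
            rule['references'].append(val.strip())
        elif key in ('msg', 'sid'):
            rule[key] = int(val) if key == 'sid' else val.strip().strip('"')
    return rule

def match_body(rule, body):
    """Apply the rule's response-body contents in order; relative matches resume after the previous hit."""
    contents, pos = [c for c in rule['matches'] if c['buf'] == 'body'], 0
    for c in contents:
        hay, needle = (body.lower(), c['pattern'].lower()) if c['nocase'] else (body, c['pattern'])
        idx = hay.find(needle, pos if c['relative'] else 0)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return bool(contents)  # rules with no body-buffer content never fire here

RULES = [parse_rule(l) for l in RULE_TEXT.splitlines() if l.startswith('alert ')]
def scan_response(body, rules=RULES):
    """Return (sid, msg, references) for every body rule that matches one HTTP response body."""
    return [(r['sid'], r['msg'], r['references']) for r in rules if match_body(r, body)]
```

The keywords this sketch ignores (flow, pcre, byte tests, thresholds) are exactly where Suricata's own matching is stricter, which is Victor's point about false positives: the further the reimplementation drifts from how the engine processes HTTP, the more noise the crawler will report.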