[Oisf-users] Suricata - w3af integration to find malware in websites

Andres Riancho andres.riancho at gmail.com
Tue Oct 8 14:05:18 UTC 2013


Shirkdog,

On Tue, Oct 8, 2013 at 10:55 AM, Shirkdog <shirkdog at gmail.com> wrote:
> You should be able to include the Emerging Threats sigs by including the
> copyright per the BSD 3-Clause they use.

Well, licensing of the rules is complex; take a look at this [0]. Summary:
 * Rules with sids 1 through 3464, and 100000000 through 100000908 are
under the GPLv2.
 * Rules with sids 2000000 through 2799999 are from Emerging Threats
and are covered under the BSD License.
 * Rules with sids 2800000 through 2900000 are provided by Emerging
Threats Pro and are covered by the license provided in this
distribution titled ETPRO-License.txt.

The GPLv2 rules I'll be able to use/bundle/distribute with my software
without worrying, because my software is GPLv2.

The BSD rules seem to be under the original BSD license [1] which is
incompatible with GPLv2. This won't allow me to bundle them with my
software.

The ETPRO-License is completely incompatible with GPLv2.

[0] http://rules.emergingthreats.net/open-nogpl/suricata-1.3/rules/LICENSE
[1] http://www.gnu.org/licenses/license-list.html#OriginalBSD

> To be extra cautious, you could just provide a way to pull down the latest
> signatures and process them.

Yes, I think that the best way to go here is for me to write the
integration between the rules and my software, then have good
documentation on how to download the rules and let people choose. If
they want to write their own rules, they can, if they want to use the
paid ones, they also can do that.

> On Oct 8, 2013 9:51 AM, "Andres Riancho" <andres.riancho at gmail.com> wrote:
>>
>> Victor,
>>
>> On Tue, Oct 8, 2013 at 7:48 AM, Victor Julien <lists at inliniac.net> wrote:
>> > On 10/08/2013 03:05 AM, Andres Riancho wrote:
>> >> List,
>> >>
>> >>     Let me introduce myself, my name is Andres Riancho and I'm the
>> >> w3af [0] project leader. w3af is an open source web application
>> >> security scanner, and I was thinking about integrating a small subset
>> >> of suricata's rules into it.
>> >>
>> >>     The idea is rather simple, parse the rules which identify
>> >> botnets/malware in http response bodies and apply them to each http
>> >> response that w3af gets from the target site while it's crawling it.
>> >> If a match is found, report a vulnerability to the user; that
>> >> vulnerability will contain all the information (URLs, fix, more info,
>> >> etc.) provided by the suricata rule.
>> >>
>> >>     My questions to the suricata community are:
>> >>         * What do you think about the idea?
>> >>         * Do you expect this to trigger lots of false positives? How
>> >> could I reduce them?
>> >
>> > The closer the logic is to how we process http, the less fp's you should
>> > get.
>>
>> Makes sense. Also, a question for Suricata admins that analyze lots of
>> traffic: Are there any specific signatures for http response content
>> matching I should disable?
>>
>> >>         * w3af is GPLv2.0, can I bundle the suricata rules with it?
>> >
>> > Suricata ships only a special kind of rules (decoder events and other
>> > events the engine itself generates), for the rest ppl mostly use ET
>> > and/or VRT.
>>
>> Thanks for the clarification on suricata rules, VRT and ET.
>>
>> PS: I'm an IDS noob, when you say VRT it is [0] and ET is [1], correct?
>>
>> [0] http://www.snort.org/vrt
>> [1] http://www.emergingthreats.net/
>>
>> >>         * Is there any well tested suricata rule parser written in
>> >> python?
>> >
>> > rule2alert is written in python and generates pcaps based on rules, so
>> > it should parse them fairly well: https://github.com/pevma/rule2alert
>>
>> Excellent, will use that one.
>>
>> >>         * Any similar project you want me to look into?
>> >>         * Are there major differences between snort and suricata
>> >> rules? Which ruleset should I use for this task?
>> >
>> > It's not really about snort vs suricata, but more about using ET vs VRT
>> > I think. The ET set is BSD licensed mostly iirc, so you should be able
>> > to use that.
>>
>> Well, BSD and GPL are incompatible licenses, but I'll try to find out
>> more about the licensing of ET and VRT.
>>
>> > --
>> > ---------------------------------------------
>> > Victor Julien
>> > http://www.inliniac.net/
>> > PGP: http://www.inliniac.net/victorjulien.asc
>> > ---------------------------------------------
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support:
>> > http://suricata-ids.org/support/
>> > List:
>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > OISF: http://www.openinfosecfoundation.org/
>>
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
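An added example of the integration Andres describes above (matching response-body rules against each HTTP response w3af fetches, and sorting rules by the sid-based licence classes quoted from the ET LICENSE file). This is illustration code written for this thread, not code from w3af, Suricata or rule2alert; the rules and the response body are constructed, and only plain content/nocase/http_server_body matching is modelled (no distance/within/pcre).

```python
import re

# Licence class by sid range, as quoted from the ET LICENSE file earlier in this thread.
SID_LICENSES = [((1, 3464), "GPLv2"), ((100000000, 100000908), "GPLv2"),
                ((2000000, 2799999), "BSD"), ((2800000, 2900000), "ETPRO")]

def sid_license(sid):
    return next((n for (lo, hi), n in SID_LICENSES if lo <= sid <= hi), "unknown")

def decode_content(raw):
    # Suricata content strings carry binary bytes as hex between pipes, e.g. |22| is '"'.
    return "".join(p if i % 2 == 0 else bytes.fromhex(p).decode("latin-1")
                   for i, p in enumerate(raw.split("|")))

def parse_rule(line):
    # Keep only rules that inspect the HTTP response body (http_server_body / file_data).
    m = re.match(r"^alert\s+\S+\s+[^(]+\((?P<opts>.*)\)\s*$", line.strip())
    if not m:
        return None
    rule, body_rule = {"sid": None, "msg": "", "contents": []}, False
    for opt in re.split(r"(?<!\\);", m.group("opts")):
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if key == "content":
            rule["contents"].append([decode_content(val), False])  # [pattern, nocase]
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1][1] = True
        elif key in ("http_server_body", "file_data"):
            body_rule = True
        elif key in ("msg", "sid"):
            rule[key] = int(val) if key == "sid" else val
    return rule if body_rule and rule["sid"] else None

def scan_response(rules, body, allowed):
    # A hit needs every content pattern of a licence-allowed rule present in the body;
    # the caller decides which licence classes it may load (bundled vs user-downloaded).
    return [(r["sid"], r["msg"]) for r in rules if sid_license(r["sid"]) in allowed and all(
        (p.lower() in body.lower()) if nc else (p in body) for p, nc in r["contents"])]

SAMPLE_RULES = [  # constructed rules in Suricata syntax, not taken from any real ruleset
    'alert http any any -> any any (msg:"CONSTRUCTED iframe to evil host"; flow:to_client; '
    'content:"<iframe src=|22|http://evil.example"; nocase; http_server_body; sid:2000001; rev:1;)',
    'alert http any any -> any any (msg:"CONSTRUCTED request-side rule"; flow:to_server; '
    'content:"/wp-login.php"; http_uri; sid:2000002; rev:1;)',
    'alert http any any -> any any (msg:"CONSTRUCTED ETPRO-range rule"; flow:to_client; '
    'content:"evil.js"; http_server_body; sid:2800001; rev:1;)',
]
SAMPLE_BODY = '<html><IFRAME SRC="http://evil.example/x"></iframe><script src="evil.js"></script></html>'
RULES = [r for r in map(parse_rule, SAMPLE_RULES) if r]  # the request-side rule is dropped
```

Running scan_response(RULES, SAMPLE_BODY, ("GPLv2", "BSD")) reports only sid 2000001; adding "ETPRO" to the allowed classes also reports sid 2800001.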