[Emerging-Sigs] Adding target keyword to ruleset

Eric Leblond eleblond at stamus-networks.com
Tue Dec 5 01:26:46 HST 2017


Hello,

Please find attached an attempt to automate the addition of the target
keyword to the ETOpen ruleset.

The concept is the following:

For all rules with metadata attack_target defined, compute source (src)
and destination (dst) from the rule IP parameters. Then we have a
computation done on the value of these two fields:

            # external net always seen as bad guy on attack
            if src == "$EXTERNAL_NET":
                set_target(rule, target="dest_ip")
                continue
            # external net always seen as bad guy on attack
            if dst == "$EXTERNAL_NET":
                set_target(rule, target="src_ip")
                continue
            # any or IP address list on one side and a variable on other side implies variable is our asset so target
            if (src == "any" or src.startswith("[")) and dst.startswith("$"):
                set_target(rule, target="dest_ip")
                continue
            # any or IP address list on one side and a variable on other side implies variable is our asset so target
            if src.startswith("$") and (dst == "any" or dst.startswith("[")):
                set_target(rule, target="src_ip")
                continue

This is working quite well and seems to do an accurate classification,
but it is not satisfactory because we end up adding a target keyword
for a clear text logging on WordPress.

So I have a question: is there a way to know by parsing the signature
if, in case of alert, we have a potential harm done by source to
target?

BR,
--
Eric
-------------- next part --------------
A non-text attachment was scrubbed...
Name: parse-rules.py
Type: text/x-python
Size: 1877 bytes
Desc: not available
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20171205/135a9768/attachment-0001.py>
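The heuristic described in the post, applied end to end to a rule line, as an added example (not the attached parse-rules.py): the header regex, the sample rules and their sid values are constructed here for illustration, and a rule that already carries a target keyword is left untouched.

```python
import re

# Suricata rule header: action proto src sport direction dst dport (options)
# This regex is an assumption for the example; it covers the common ETOpen layout.
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

def pick_target(src, dst):
    """Return 'dest_ip', 'src_ip' or None, following the heuristic from the post."""
    # external net is always the bad guy on an attack
    if src == "$EXTERNAL_NET":
        return "dest_ip"
    if dst == "$EXTERNAL_NET":
        return "src_ip"
    # any or an IP list on one side and a variable on the other: the variable is our asset
    if (src == "any" or src.startswith("[")) and dst.startswith("$"):
        return "dest_ip"
    if src.startswith("$") and (dst == "any" or dst.startswith("[")):
        return "src_ip"
    return None

def add_target(rule):
    """Return the rule with a target keyword appended, or unchanged when not applicable."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return rule
    opts = m.group("opts")
    # only rules with attack_target metadata; never tag a rule twice
    if "attack_target" not in opts or re.search(r'\btarget:', opts):
        return rule
    target = pick_target(m.group("src"), m.group("dst"))
    if target is None:
        return rule
    body = rule.rstrip()[:-1].rstrip()  # drop the closing parenthesis
    return "%s target:%s;)" % (body, target)

# Constructed sample rules modelled on the ETOpen format; not real signatures.
SAMPLE_RULES = [
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST Exploit attempt"; content:"/x"; metadata:attack_target Web_Server; sid:9000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST Callback"; content:"beacon"; metadata:attack_target Client_Endpoint; sid:9000002; rev:1;)',
    'alert tcp any any -> $HOME_NET 22 (msg:"TEST Scan"; flags:S; metadata:attack_target Server; sid:9000003; rev:1;)',
    'alert tcp any any -> any any (msg:"TEST No metadata"; sid:9000004; rev:1;)',
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(add_target(r))
```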

