[Emerging-Sigs] sidmap generator

Duane Howard duane.security at gmail.com
Mon Feb 3 11:58:05 HST 2020


Tiago, I've filed an issue[0] in the project to make this functionality a
bit more supported by the library itself. I'll try to hammer this out when
I have some spare time; PRs are welcome.

[0] https://github.com/google/gonids/issues/124

On Mon, Feb 3, 2020 at 11:28 AM Tiago Faria <tiago.faria.backups at gmail.com>
wrote:

> That's a very good idea Duane, thank you.
>
> I'll look into using gonids and report back. Since this is going into a
> Lambda function gonids seems like a very good fit!
>
> On Mon, Feb 3, 2020 at 7:06 PM Duane Howard <duane.security at gmail.com>
> wrote:
>
>> You could write a small utility using the gonids[0] parsing library.
>> Should roughly be something like:
>> ```go
>> package main
>>
>> import (
>>   "fmt"
>>   "log"
>>   "strings"
>>
>>   "github.com/google/gonids"
>> )
>>
>> func main() {
>>   // Rule text to map; a real tool would read this from the ruleset file.
>>   rule := `alert tcp any any -> any any (msg:"Example"; reference:url,example.com; sid:1000000; rev:1;)`
>>   r, err := gonids.ParseRule(rule)
>>   if err != nil {
>>     log.Fatalf("parse error: %v", err)
>>   }
>>   // sidmap line: sid || msg || reftype,refvalue || ...
>>   var msgmap []string
>>   msgmap = append(msgmap, fmt.Sprintf("%d", r.SID))
>>   msgmap = append(msgmap, r.Description)
>>   for _, ref := range r.References {
>>     msgmap = append(msgmap, fmt.Sprintf("%s,%s", ref.Type, ref.Value))
>>   }
>>   fmt.Println(strings.Join(msgmap, " || "))
>> }
>> ```
>>
>> [0] https://github.com/google/gonids
>>
>> On Mon, Feb 3, 2020 at 10:27 AM Jason Williams <
>> jwilliams at emergingthreats.net> wrote:
>>
>>> Tiago,
>>>
create-sidmap.pl is part of the oinkmaster distribution; take a look
there:
>>>
>>> http://oinkmaster.sourceforge.net/faq.shtml
>>>
>>> HTH,
>>>
>>> Jason
>>>
>>> On Mon, Feb 3, 2020 at 11:15 AM Tiago Faria <
>>> tiago.faria.backups at gmail.com> wrote:
>>>
>>>> Hi list,
>>>>
>>>> I know this is a bit of a weird request but was wondering if the script
>>>> that generates https://rules.emergingthreats.net/sidmap/ is available
>>>> anywhere online? Looked on ET GH but couldn't find it.
>>>>
>>>> I would really like to create something similar for other rulesets (and
>>>> even combine other rulesets and provide a general sidmap; easier for
>>>> querying or feeding other systems) and the best I came up with 'while read
>>>> -r line' is far from what it should be. :)
>>>>
>>>> Perfectly understand if the ET team can't share, just thought I'd ask :)
>>>>
>>>> Thank you!
>>>> T
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at lists.emergingthreats.net
>>>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>
>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>>> http://www.emergingthreats.net
>>>>
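A stand-alone version of the sidmap generator discussed in this thread, added here as an example; it is not code from the thread or from the gonids project. It uses only the Go standard library (regular expressions over the rule options) in place of gonids.ParseRule, so it approximates the library's parser rather than replacing it, and writes sid-msg.map style lines (`sid || msg || reftype,value || ...`), the format create-sidmap.pl produces. The sample rules are constructed, and `ParseRule`, `GenerateSidmap` and `SidmapEntry` are names chosen for this example. Disabled (commented-out) rules and rules without a sid are skipped, and escaped quotes inside msg are unescaped; both are details a 'while read -r line' loop easily gets wrong.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Sample ruleset, constructed for this example (not real ET signatures).
const sampleRules = `alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE Test rule one"; flow:established,to_server; content:"GET"; reference:url,example.com/one; reference:cve,2000-0001; classtype:trojan-activity; sid:9000001; rev:2;)
# alert udp any any -> any 53 (msg:"EXAMPLE Disabled rule"; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE Quoted \"thing\" in msg"; sid:9000003; rev:1;)
alert ip any any -> any any (msg:"EXAMPLE Missing sid"; rev:1;)
`

var (
	sidRe = regexp.MustCompile(`\bsid:\s*(\d+)\s*;`)
	// msg value may contain escaped quotes (\"), so match escape pairs as a unit.
	msgRe = regexp.MustCompile(`\bmsg:\s*"((?:[^"\\]|\\.)*)"\s*;`)
	refRe = regexp.MustCompile(`\breference:\s*([^,;\s]+)\s*,\s*([^;]+?)\s*;`)
)

// SidmapEntry is one line of a sid-msg.map: the sid, its message and the rule's references.
type SidmapEntry struct {
	SID  string
	Msg  string
	Refs []string // "type,value" pairs, in rule order
}

// ParseRule extracts sid, msg and references from one rule line (hypothetical helper,
// a stand-in for gonids.ParseRule). ok is false for blank or commented-out lines and
// for rules that carry no sid, since those cannot be mapped.
func ParseRule(line string) (e SidmapEntry, ok bool) {
	line = strings.TrimSpace(line)
	if line == "" || strings.HasPrefix(line, "#") {
		return SidmapEntry{}, false
	}
	sid := sidRe.FindStringSubmatch(line)
	if sid == nil {
		return SidmapEntry{}, false
	}
	e.SID = sid[1]
	if m := msgRe.FindStringSubmatch(line); m != nil {
		e.Msg = strings.ReplaceAll(m[1], `\"`, `"`)
	}
	for _, r := range refRe.FindAllStringSubmatch(line, -1) {
		e.Refs = append(e.Refs, r[1]+","+r[2])
	}
	return e, true
}

// Format renders the entry in sid-msg.map style: fields joined by " || ".
func (e SidmapEntry) Format() string {
	fields := append([]string{e.SID, e.Msg}, e.Refs...)
	return strings.Join(fields, " || ")
}

// GenerateSidmap reads a ruleset (one rule per line) and returns one sidmap line
// per enabled rule that has a sid.
func GenerateSidmap(rules string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(rules))
	sc.Buffer(make([]byte, 1024*1024), 1024*1024) // rule lines can be long
	for sc.Scan() {
		if e, ok := ParseRule(sc.Text()); ok {
			out = append(out, e.Format())
		}
	}
	return out
}

func main() {
	for _, l := range GenerateSidmap(sampleRules) {
		fmt.Println(l)
	}
}
```

To combine several rulesets into one sidmap, as the original question asks, concatenate their rule files and feed the result to GenerateSidmap; duplicate sids across rulesets will then show up as repeated first fields, which is worth checking for before feeding the map to another system. For full option parsing (multi-line rules, every escaping case), swap ParseRule for gonids.ParseRule and read r.SID, r.Description and r.References as in Duane's snippet above.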