[Emerging-Sigs] Emerging-sigs Digest, Vol 147, Issue 3

Matthew Clairmont (R* NYC) Matthew.Clairmont at rockstargames.com
Mon Feb 3 12:07:34 HST 2020


GoNIDS may have just saved me a lot of automation work. I've recently started more signature automation using Go, but it was nowhere near the quality (or finesse) of what GoNIDS seems to offer!

-----Original Message-----
From: Emerging-sigs <emerging-sigs-bounces at lists.emergingthreats.net> On Behalf Of emerging-sigs-request at lists.emergingthreats.net
Sent: Monday, February 3, 2020 05:00 PM
To: emerging-sigs at lists.emergingthreats.net
Subject: Emerging-sigs Digest, Vol 147, Issue 3


Send Emerging-sigs mailing list submissions to
	emerging-sigs at lists.emergingthreats.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
or, via email, send a message with subject or body 'help' to
	emerging-sigs-request at lists.emergingthreats.net

You can reach the person managing the list at
	emerging-sigs-owner at lists.emergingthreats.net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Emerging-sigs digest..."


Today's Topics:

   1. Re: sidmap generator (Tiago Faria)
   2. Re: sidmap generator (Duane Howard)


----------------------------------------------------------------------

Message: 1
Date: Mon, 3 Feb 2020 19:28:02 +0000
From: Tiago Faria <tiago.faria.backups at gmail.com>
To: Duane Howard <duane.security at gmail.com>
Cc: Jason Williams <jwilliams at emergingthreats.net>,
	"emerging-sigs at emergingthreats.net"
	<Emerging-sigs at emergingthreats.net>
Subject: Re: [Emerging-Sigs] sidmap generator
Message-ID:
	<CAF8FeX-CjoFTjfCL8g=XDh83jYX69Vs79-Qf35ooUJVHTcqcdA at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

That's a very good idea Duane, thank you.

I'll look into using gonids and report back. Since this is going into a Lambda function gonids seems like a very good fit!

On Mon, Feb 3, 2020 at 7:06 PM Duane Howard <duane.security at gmail.com>
wrote:

> You could write a small utility using the gonids[0] parsing library.
> Should roughly be something like:
> ```go
> package main
>
> import (
>   "fmt"
>   "os"
>   "strings"
>
>   "github.com/google/gonids"
> )
>
> func main() {
>   rule := os.Args[1] // the rule text to map, e.g. one line of a .rules file
>   r, err := gonids.ParseRule(rule)
>   if err != nil {
>     // Handle parse error
>     fmt.Fprintln(os.Stderr, "parse error:", err)
>     os.Exit(1)
>   }
>   var msgmap []string
>   msgmap = append(msgmap, fmt.Sprintf("%d", r.SID))
>   msgmap = append(msgmap, r.Description)
>   for _, ref := range r.References {
>     msgmap = append(msgmap, fmt.Sprintf("%s,%s", ref.Type, ref.Value))
>   }
>   fmt.Println(strings.Join(msgmap, " || "))
> }
> ```
>
> [0] https://github.com/google/gonids
>
> On Mon, Feb 3, 2020 at 10:27 AM Jason Williams < 
> jwilliams at emergingthreats.net> wrote:
>
>> Tiago,
>>
>> create-sidmap.pl is part of the oinkmaster distribution; take a look 
>> there: http://oinkmaster.sourceforge.net/faq.shtml
>>
>> HTH,
>>
>> Jason
>>
>> On Mon, Feb 3, 2020 at 11:15 AM Tiago Faria < 
>> tiago.faria.backups at gmail.com> wrote:
>>
>>> Hi list,
>>>
>>> I know this is a bit of a weird request, but I was wondering if the 
>>> script that generates https://rules.emergingthreats.net/sidmap/ is 
>>> available anywhere online? Looked on ET GH but couldn't find it.
>>>
>>> I would really like to create something similar for other rulesets 
>>> (and even combine other rulesets and provide a general sidmap; 
>>> easier for querying or feeding other systems), and the best I came up 
>>> with, 'while read -r line', is far from what it should be. :)
>>>
>>> Perfectly understand if the ET team can't share, just thought I'd 
>>> ask :)
>>>
>>> Thank you!
>>> T
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at lists.emergingthreats.net
>>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro 
>>> http://www.emergingthreats.net
>>>
------------------------------
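The message above suggests gonids for the parsing; what follows is an added example, not code from this thread or from the gonids project, of the sidmap generator Tiago describes, written against the Go standard library only so it runs without fetching gonids. In place of the library it uses a small option tokenizer (an assumption of this example, not gonids' parser) that copes with the `\;` and `\"` escapes a msg may contain, merges rules from any number of rulesets into one map, emits lines in the `sid || msg || type,value` shape Duane's snippet prints, and reports the two things a `while read -r line` loop silently gets wrong: rules that fail to parse, and one SID carrying two different signatures once rulesets are combined. The function names and the sample rules, SIDs included, are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Entry holds the fields one "sid || msg || type,value || ..." sidmap line carries.
type Entry struct {
	SID  int
	Msg  string
	Refs []string // "type,value" pairs, in rule order
}

// optionRe matches one rule option: quoted strings (with backslash escapes) or
// unquoted non-';' text, so a ';' inside msg:"..." does not split the option.
var optionRe = regexp.MustCompile(`(?:"(?:[^"\\]|\\.)*"|[^;"])+`)

// ParseRuleLine returns (nil, nil) for blank and '#' lines (disabled rules are thus
// skipped) and an error for a rule it cannot parse, so no SID drops out of the map silently.
func ParseRuleLine(line string) (*Entry, error) {
	s := strings.TrimSpace(line)
	if s == "" || strings.HasPrefix(s, "#") {
		return nil, nil
	}
	open, end := strings.Index(s, "("), strings.LastIndex(s, ")")
	if open < 0 || end < open {
		return nil, fmt.Errorf("no option block in %q", line)
	}
	e := &Entry{}
	for _, opt := range optionRe.FindAllString(s[open+1:end], -1) {
		key, val, _ := strings.Cut(strings.TrimSpace(opt), ":")
		val = strings.TrimSpace(val)
		switch key {
		case "msg": // strip the quotes and undo the \" \; \\ escapes
			if len(val) < 2 || val[0] != '"' || val[len(val)-1] != '"' {
				return nil, fmt.Errorf("msg %q is not a quoted string", val)
			}
			e.Msg = strings.NewReplacer(`\"`, `"`, `\;`, `;`, `\\`, `\`).Replace(val[1 : len(val)-1])
		case "sid":
			if e.SID, _ = strconv.Atoi(val); e.SID == 0 {
				return nil, fmt.Errorf("bad sid %q", val)
			}
		case "reference": // kept as "type,value", the form the sidmap prints
			typ, ref, ok := strings.Cut(val, ",")
			if !ok {
				return nil, fmt.Errorf("reference %q has no value", val)
			}
			e.Refs = append(e.Refs, strings.TrimSpace(typ)+","+strings.TrimSpace(ref))
		}
	}
	if e.SID == 0 {
		return nil, fmt.Errorf("rule without sid: %q", line)
	}
	return e, nil
}

// BuildSidmap merges rule lines, possibly concatenated from several rulesets, into
// sidmap lines sorted by SID. A SID seen twice with a different msg is reported, since
// overlapping SID ranges must not silently map one SID to the wrong signature; the
// later rule wins. Parse failures are reported the same way instead of being dropped.
func BuildSidmap(lines []string) (out, problems []string) {
	entries := map[int]*Entry{}
	for n, line := range lines {
		e, err := ParseRuleLine(line)
		if err != nil {
			problems = append(problems, fmt.Sprintf("line %d: %v", n+1, err))
		}
		if e == nil {
			continue
		}
		if prev, seen := entries[e.SID]; seen && prev.Msg != e.Msg {
			problems = append(problems, fmt.Sprintf("line %d: sid %d collision: %q vs %q", n+1, e.SID, prev.Msg, e.Msg))
		}
		entries[e.SID] = e
	}
	sids := make([]int, 0, len(entries))
	for sid := range entries {
		sids = append(sids, sid)
	}
	sort.Ints(sids)
	for _, sid := range sids {
		e := entries[sid]
		out = append(out, strings.Join(append([]string{strconv.Itoa(sid), e.Msg}, e.Refs...), " || "))
	}
	return out, problems
}

// sampleRules is constructed input for this example; the SIDs belong to no real ruleset.
var sampleRules = []string{
	`alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE Constructed HTTP rule"; flow:established,to_server; content:"GET"; reference:url,example.com/a; sid:9000001; rev:2;)`,
	`alert dns $HOME_NET any -> any 53 (msg:"EXAMPLE rule with \; and \"quotes\" in msg"; reference:url,example.net/b; reference:url,example.org/c; sid:9000002; rev:1;)`,
	`alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE Constructed HTTP rule v3"; content:"GET"; reference:url,example.com/a; sid:9000001; rev:3;)`,
	`alert tcp any any -> any any (msg:"broken" sid:1;)`, // missing ';' after msg
}
```

BuildSidmap takes the concatenated lines of however many .rules files should land in one map; on the sample input it yields two sidmap lines and two problems (the 9000001 collision and the unparseable last rule). Anything in problems is worth failing the job on, because a map that attaches the wrong msg to a SID misleads every system fed from it. Commented-out rules are skipped here; if the map should list them too, drop the '#' test in ParseRuleLine. For anything beyond these three fields, replace the tokenizer with gonids.ParseRule as Duane suggests.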

Message: 2
Date: Mon, 3 Feb 2020 13:58:05 -0800
From: Duane Howard <duane.security at gmail.com>
To: Tiago Faria <tiago.faria.backups at gmail.com>
Cc: Jason Williams <jwilliams at emergingthreats.net>,
	"emerging-sigs at emergingthreats.net"
	<Emerging-sigs at emergingthreats.net>
Subject: Re: [Emerging-Sigs] sidmap generator
Message-ID:
	<CAH9u3cuSyqDr9h+skg85iNn3hm5N2+gTJD=BiTmTaw4H26r6iw at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Tiago, I've filed an issue[0] in the project to make this functionality a bit more supported by the library itself. I'll try to hammer this out when I have some spare time; PRs are welcome.

[0] https://github.com/google/gonids/issues/124

On Mon, Feb 3, 2020 at 11:28 AM Tiago Faria <tiago.faria.backups at gmail.com>
wrote:

> That's a very good idea Duane, thank you.
>
> I'll look into using gonids and report back. Since this is going into 
> a Lambda function gonids seems like a very good fit!
>
> On Mon, Feb 3, 2020 at 7:06 PM Duane Howard <duane.security at gmail.com>
> wrote:
>
>> You could write a small utility using the gonids[0] parsing library.
>> Should roughly be something like:
>> ```
>> package main
>>
>> import "github.com/google/gonids"
>>
>> func main() {
>>   r, err := gonids.ParseRule(rule)
>>   if err != nil {
>>     // Handle parse error
>>   }
>>   var msgmap []string
>>   msgmap = append(msgmap, fmt.Sprintf("%d", r.SID))
>>   msgmap = append(msgmap, r.Description)
>>   for _, ref := range r.References {
>>     msgmap = append(msgmap, fmt.Sprintf("%s,%s", ref.Type, ref.Value))
>>   }
>>   fmt.Println(strings.Join(msgmap, " || ")) } ```
>>
>> [0] 
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_googl
>> e_gonids&d=DwIGaQ&c=RKDswobrOGdp5vDCbl5XjxW8HqrsRSr80dGTvu3rE9Q&r=6Wr
>> fY5KEBEPfMah_8-yqKNhrSXZ_uxnVeHHRBLiLOOQ2fd5oy_RThbD74j83K_0Q&m=hAfd5
>> 5ueABKZMh15E7DCgKxcq1eJmyj7NdEfRzJ11qg&s=wQeoEzkmyjFSFZWBfA9E6jNRKRO1
>> CFaLHufPhRq4k8g&e=
>>
>> On Mon, Feb 3, 2020 at 10:27 AM Jason Williams < 
>> jwilliams at emergingthreats.net> wrote:
>>
>>> Tiago,
>>>
>>> create-sidmap.pl is part of the oinkmaster distribution, take a look 
>>> there
>>>
>>> https://urldefense.proofpoint.com/v2/url?u=http-3A__oinkmaster.sourc
>>> eforge.net_faq.shtml&d=DwIGaQ&c=RKDswobrOGdp5vDCbl5XjxW8HqrsRSr80dGT
>>> vu3rE9Q&r=6WrfY5KEBEPfMah_8-yqKNhrSXZ_uxnVeHHRBLiLOOQ2fd5oy_RThbD74j
>>> 83K_0Q&m=hAfd55ueABKZMh15E7DCgKxcq1eJmyj7NdEfRzJ11qg&s=Oh7MKVHlxpL6r
>>> 4zqBV1EwncAtS-6Az0Qt-BvEag7-YE&e=
>>>
>>> HTH,
>>>
>>> Jason
>>>
>>> On Mon, Feb 3, 2020 at 11:15 AM Tiago Faria < 
>>> tiago.faria.backups at gmail.com> wrote:
>>>
>>>> Hi list,
>>>>
>>>> I know this is a bit of a weird request but was wondering if the 
>>>> script that generates 
>>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__rules.emergingthreats.net_sidmap_&d=DwIGaQ&c=RKDswobrOGdp5vDCbl5XjxW8HqrsRSr80dGTvu3rE9Q&r=6WrfY5KEBEPfMah_8-yqKNhrSXZ_uxnVeHHRBLiLOOQ2fd5oy_RThbD74j83K_0Q&m=hAfd55ueABKZMh15E7DCgKxcq1eJmyj7NdEfRzJ11qg&s=d1mFDCcQMbzItmbcothW316RL4naaCLZQdJ9JgkmS-c&e=  is available anywhere online? Looked on ET GH but couldn't find it.
>>>>
>>>> I would really like to create something similar for other rulesets 
>>>> (and even combine other rulesets and provide a general sidmap; 
>>>> easier for querying or feeding other systems) and the best I came 
>>>> up with 'while read -r line' is far from what it should be. :)
>>>>
>>>> Perfectly understand if the ET team can't share, just thought I'd 
>>>> ask :)
>>>>
>>>> Thank you!
>>>> T
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at lists.emergingthreats.net
>>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.emerging
>>>> threats.net_mailman_listinfo_emerging-2Dsigs&d=DwIGaQ&c=RKDswobrOGd
>>>> p5vDCbl5XjxW8HqrsRSr80dGTvu3rE9Q&r=6WrfY5KEBEPfMah_8-yqKNhrSXZ_uxnV
>>>> eHHRBLiLOOQ2fd5oy_RThbD74j83K_0Q&m=hAfd55ueABKZMh15E7DCgKxcq1eJmyj7
>>>> NdEfRzJ11qg&s=-Fm97yYt2QkSjrh6DdAg3B4CiE-LAro_9kj6M_k67Eo&e=
>>>>
>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro 
>>>> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.emergingthr
>>>> eats.net&d=DwIGaQ&c=RKDswobrOGdp5vDCbl5XjxW8HqrsRSr80dGTvu3rE9Q&r=6
>>>> WrfY5KEBEPfMah_8-yqKNhrSXZ_uxnVeHHRBLiLOOQ2fd5oy_RThbD74j83K_0Q&m=h
>>>> Afd55ueABKZMh15E7DCgKxcq1eJmyj7NdEfRzJ11qg&s=Fkoid9eO7S4ERnu-K0Z2VT
>>>> EphQhpXDdKtfo4TDzNGMU&e=
>>>>
>>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at lists.emergingthreats.net
>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.emergingt
>>> hreats.net_mailman_listinfo_emerging-2Dsigs&d=DwIGaQ&c=RKDswobrOGdp5
>>> vDCbl5XjxW8HqrsRSr80dGTvu3rE9Q&r=6WrfY5KEBEPfMah_8-yqKNhrSXZ_uxnVeHH
>>> RBLiLOOQ2fd5oy_RThbD74j83K_0Q&m=hAfd55ueABKZMh15E7DCgKxcq1eJmyj7NdEf
>>> RzJ11qg&s=-Fm97yYt2QkSjrh6DdAg3B4CiE-LAro_9kj6M_k67Eo&e=
>>>
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro 
>>> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.emergingthre
>>> ats.net&d=DwIGaQ&c=RKDswobrOGdp5vDCbl5XjxW8HqrsRSr80dGTvu3rE9Q&r=6Wr
>>> fY5KEBEPfMah_8-yqKNhrSXZ_uxnVeHHRBLiLOOQ2fd5oy_RThbD74j83K_0Q&m=hAfd
>>> 55ueABKZMh15E7DCgKxcq1eJmyj7NdEfRzJ11qg&s=Fkoid9eO7S4ERnu-K0Z2VTEphQ
>>> hpXDdKtfo4TDzNGMU&e=
>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.emergingthreats.net_pipermail_emerging-2Dsigs_attachments_20200203_af80be46_attachment-2D0001.html&d=DwIGaQ&c=RKDswobrOGdp5vDCbl5XjxW8HqrsRSr80dGTvu3rE9Q&r=6WrfY5KEBEPfMah_8-yqKNhrSXZ_uxnVeHHRBLiLOOQ2fd5oy_RThbD74j83K_0Q&m=hAfd55ueABKZMh15E7DCgKxcq1eJmyj7NdEfRzJ11qg&s=YZeGkvF9RFVojsmhvpQLWlmPpwtn-t-mzEurRfj7B74&e= >

------------------------------

Subject: Digest Footer

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


------------------------------

End of Emerging-sigs Digest, Vol 147, Issue 3
*********************************************

