[Emerging-Sigs] sidmap generator

Tiago Faria tiago.faria.backups at gmail.com
Mon Feb 3 12:13:42 HST 2020


Duane,

We'll have a go at developing this and post something in the gonids repo
tomorrow or Wednesday.

On Mon, Feb 3, 2020 at 9:58 PM Duane Howard <duane.security at gmail.com>
wrote:

> Tiago, I've filed an issue[0] in the project to make this functionality a
> bit more supported by the library itself. I'll try to hammer this out when
> I have some spare time; PRs are welcome.
>
> [0] https://github.com/google/gonids/issues/124
>
> On Mon, Feb 3, 2020 at 11:28 AM Tiago Faria <tiago.faria.backups at gmail.com>
> wrote:
>
>> That's a very good idea Duane, thank you.
>>
>> I'll look into using gonids and report back. Since this is going into a
>> Lambda function gonids seems like a very good fit!
>>
>> On Mon, Feb 3, 2020 at 7:06 PM Duane Howard <duane.security at gmail.com>
>> wrote:
>>
>>> You could write a small utility using the gonids[0] parsing library.
>>> Should roughly be something like:
>>> ```
>>> package main
>>>
>>> import (
>>>   "fmt"
>>>   "log"
>>>   "strings"
>>>
>>>   "github.com/google/gonids"
>>> )
>>>
>>> func main() {
>>>   // In practice the rule text would come from a file or stdin; this
>>>   // one-line sample rule is constructed only so the sketch runs.
>>>   rule := `alert tcp any any -> any any (msg:"EXAMPLE Test rule"; reference:url,example.invalid; sid:9000000; rev:1;)`
>>>   r, err := gonids.ParseRule(rule)
>>>   if err != nil {
>>>     log.Fatalf("parse error: %v", err)
>>>   }
>>>   // Emit one sid-msg.map style line: sid || msg || reftype,refvalue || ...
>>>   var msgmap []string
>>>   msgmap = append(msgmap, fmt.Sprintf("%d", r.SID))
>>>   msgmap = append(msgmap, r.Description)
>>>   for _, ref := range r.References {
>>>     msgmap = append(msgmap, fmt.Sprintf("%s,%s", ref.Type, ref.Value))
>>>   }
>>>   fmt.Println(strings.Join(msgmap, " || "))
>>> }
>>> ```
>>>
>>> [0] https://github.com/google/gonids
>>>
>>> On Mon, Feb 3, 2020 at 10:27 AM Jason Williams <
>>> jwilliams at emergingthreats.net> wrote:
>>>
>>>> Tiago,
>>>>
>>>> create-sidmap.pl is part of the oinkmaster distribution, take a look
>>>> there
>>>>
>>>> http://oinkmaster.sourceforge.net/faq.shtml
>>>>
>>>> HTH,
>>>>
>>>> Jason
>>>>
>>>> On Mon, Feb 3, 2020 at 11:15 AM Tiago Faria <
>>>> tiago.faria.backups at gmail.com> wrote:
>>>>
>>>>> Hi list,
>>>>>
>>>>> I know this is a bit of a weird request but was wondering if the
>>>>> script that generates https://rules.emergingthreats.net/sidmap/ is
>>>>> available anywhere online? Looked on ET GH but couldn't find it.
>>>>>
>>>>> I would really like to create something similar for other rulesets
>>>>> (and even combine other rulesets and provide a general sidmap; easier for
>>>>> querying or feeding other systems), and the best I came up with, 'while read
>>>>> -r line', is far from what it should be. :)
>>>>>
>>>>> Perfectly understand if the ET team can't share, just thought I'd ask
>>>>> :)
>>>>>
>>>>> Thank you!
>>>>> T
>>>>> _______________________________________________
>>>>> Emerging-sigs mailing list
>>>>> Emerging-sigs at lists.emergingthreats.net
>>>>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>
>>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>>>> http://www.emergingthreats.net
>>>>>
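The sidmap layout Duane sketches above (sid || msg || reference pairs), carried through to the multi-ruleset generator Tiago asks about, as an added example that is not code from this thread or from the gonids project. It deliberately tokenizes the rule options itself instead of calling gonids, so it runs without fetching any module; that tokenizer only handles what sid, msg and reference need (double quotes and backslash escapes), so it is not a substitute for a real rule parser. The function names, the rulesetA/rulesetB constants and every rule in them (EXAMPLE messages, 900000x SIDs, example.invalid references) are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample rulesets (not real ET rules) covering the edge cases the parser below handles.
const rulesetA = `alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TROJAN Fake C2 Checkin; semicolon in msg"; flow:established,to_server; content:"GET"; reference:url,example.invalid/c2; reference:md5,0123456789abcdef0123456789abcdef; classtype:trojan-activity; sid:9000001; rev:2;)
#alert udp any any -> any 53 (msg:"EXAMPLE DNS Disabled rule"; sid:9000002; rev:1;)
`
const rulesetB = `alert http any any -> any any (msg:"EXAMPLE WEB Quoted \"term\" in msg"; content:"/x;y"; sid:9000003; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE Duplicate SID across rulesets"; sid:9000001; rev:1;)
`

// SidEntry is one sid-msg.map line; String renders it as "sid || msg || type,value ...".
type SidEntry struct {
	SID  int
	Msg  string   // msg as written in the rule, escapes left intact
	Refs []string // each reference option's "type,value" as written
}

func (e SidEntry) String() string {
	return strings.Join(append([]string{strconv.Itoa(e.SID), e.Msg}, e.Refs...), " || ")
}

// splitOptions splits a rule body on ';' while tracking double quotes and
// backslash escapes, so a ';' or '"' inside msg: or content: stays in its option.
func splitOptions(body string) []string {
	var opts []string
	var cur strings.Builder
	inQuote, escaped := false, false
	for _, r := range body {
		switch {
		case escaped:
			escaped = false
		case r == '\\':
			escaped = true
		case r == '"':
			inQuote = !inQuote
		case r == ';' && !inQuote:
			opts = append(opts, strings.TrimSpace(cur.String()))
			cur.Reset()
			continue
		}
		cur.WriteRune(r)
	}
	return append(opts, strings.TrimSpace(cur.String()))
}

// ParseRule extracts sid, msg and reference from one rule; ok is false for blank, disabled (#) or sid-less lines.
func ParseRule(line string) (e SidEntry, ok bool) {
	lp, rp := strings.Index(line, "("), strings.LastIndex(line, ")")
	if strings.HasPrefix(strings.TrimSpace(line), "#") || lp < 0 || rp < lp {
		return SidEntry{}, false
	}
	for _, opt := range splitOptions(line[lp+1 : rp]) {
		key, val, _ := strings.Cut(opt, ":") // only the first ':' separates key from value
		switch val = strings.TrimSpace(val); strings.TrimSpace(key) {
		case "sid":
			e.SID, _ = strconv.Atoi(val) // 0 on a malformed sid, rejected below
		case "msg":
			e.Msg = strings.Trim(val, `"`)
		case "reference":
			e.Refs = append(e.Refs, val)
		}
	}
	return e, e.SID > 0
}

// BuildSidMap merges several rulesets into one map in input order. A SID seen in
// more than one ruleset goes into conflicts and its later copy is dropped, rather
// than silently shadowing the earlier entry.
func BuildSidMap(rulesets ...string) (entries []SidEntry, conflicts []int) {
	seen := map[int]bool{}
	for _, rs := range rulesets {
		for _, line := range strings.Split(rs, "\n") {
			e, ok := ParseRule(line)
			switch {
			case !ok:
			case seen[e.SID]:
				conflicts = append(conflicts, e.SID)
			default:
				seen[e.SID] = true
				entries = append(entries, e)
			}
		}
	}
	return entries, conflicts
}

func main() {
	entries, conflicts := BuildSidMap(rulesetA, rulesetB)
	for _, e := range entries {
		fmt.Println(e)
	}
	fmt.Println("# SIDs defined in more than one ruleset:", conflicts)
}
```

Running it prints the two surviving entries and reports 9000001 as defined twice; the commented-out rule is skipped, and the ';' inside the first msg and inside content:"/x;y" does not break option splitting. To use it on real files (for example from a Lambda handler), read each ruleset with os.ReadFile and pass the contents to BuildSidMap; the duplicate-SID report is the check to keep when combining rulesets from different sources, since a merged sidmap with a shadowed SID will mislabel alerts downstream.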