[Emerging-Sigs] Emerging-sigs Digest, Vol 147, Issue 3

Duane Howard duane.security at gmail.com
Mon Feb 3 14:11:53 HST 2020


Glad this seems interesting to you, Matthew.
Worth noting, for anyone that has jumped to Suricata 5.X: GoNIDS does *not*
support parsing 5.X style signatures yet, and I'm not quite sure when I'll
be able to dive into this (nor do I really know how we want to structure
this functionality), and there are a few Snort-only keywords that are not
supported.

PRs and issues always welcome!

./d

On Mon, Feb 3, 2020 at 2:07 PM Matthew Clairmont (R* NYC) <Matthew.Clairmont at rockstargames.com> wrote:

> GoNIDS may have just saved me a lot of automation work. I've recently
> started more signature automation using Go, but it was nowhere near the
> quality (or finesse) of what GoNIDS seems to offer!
>
> -----Original Message-----
> From: Emerging-sigs <emerging-sigs-bounces at lists.emergingthreats.net> On
> Behalf Of emerging-sigs-request at lists.emergingthreats.net
> Sent: Monday, February 3, 2020 05:00 PM
> To: emerging-sigs at lists.emergingthreats.net
> Subject: Emerging-sigs Digest, Vol 147, Issue 3
>
> ** EXTERNAL EMAIL **
>
> Send Emerging-sigs mailing list submissions to
>         emerging-sigs at lists.emergingthreats.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.emergingthreats.net_mailman_listinfo_emerging-2Dsigs&d=DwIGaQ&c=RKDswobrOGdp5vDCbl5XjxW8HqrsRSr80dGTvu3rE9Q&r=6WrfY5KEBEPfMah_8-yqKNhrSXZ_uxnVeHHRBLiLOOQ2fd5oy_RThbD74j83K_0Q&m=hAfd55ueABKZMh15E7DCgKxcq1eJmyj7NdEfRzJ11qg&s=-Fm97yYt2QkSjrh6DdAg3B4CiE-LAro_9kj6M_k67Eo&e=
> or, via email, send a message with subject or body 'help' to
>         emerging-sigs-request at lists.emergingthreats.net
>
> You can reach the person managing the list at
>         emerging-sigs-owner at lists.emergingthreats.net
>
> When replying, please edit your Subject line so it is more specific than
> "Re: Contents of Emerging-sigs digest..."
>
>
> Today's Topics:
>
>    1. Re: sidmap generator (Tiago Faria)
>    2. Re: sidmap generator (Duane Howard)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 3 Feb 2020 19:28:02 +0000
> From: Tiago Faria <tiago.faria.backups at gmail.com>
> To: Duane Howard <duane.security at gmail.com>
> Cc: Jason Williams <jwilliams at emergingthreats.net>,
>         "emerging-sigs at emergingthreats.net"
>         <Emerging-sigs at emergingthreats.net>
> Subject: Re: [Emerging-Sigs] sidmap generator
> Message-ID: <CAF8FeX-CjoFTjfCL8g=XDh83jYX69Vs79-Qf35ooUJVHTcqcdA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> That's a very good idea Duane, thank you.
>
> I'll look into using gonids and report back. Since this is going into a
> Lambda function, gonids seems like a very good fit!
>
> On Mon, Feb 3, 2020 at 7:06 PM Duane Howard <duane.security at gmail.com>
> wrote:
>
> > You could write a small utility using the gonids[0] parsing library.
> > Should roughly be something like:
> > ```
> > package main
> >
> > import (
> >   "fmt"
> >   "os"
> >   "strings"
> >
> >   "github.com/google/gonids"
> > )
> >
> > func main() {
> >   // The rule text to convert is read from the first command-line argument.
> >   rule := os.Args[1]
> >   r, err := gonids.ParseRule(rule)
> >   if err != nil {
> >     // Handle parse error: report it and stop instead of using a nil rule.
> >     fmt.Fprintln(os.Stderr, "parse error:", err)
> >     os.Exit(1)
> >   }
> >   var msgmap []string
> >   msgmap = append(msgmap, fmt.Sprintf("%d", r.SID))
> >   msgmap = append(msgmap, r.Description)
> >   for _, ref := range r.References {
> >     msgmap = append(msgmap, fmt.Sprintf("%s,%s", ref.Type, ref.Value))
> >   }
> >   fmt.Println(strings.Join(msgmap, " || "))
> > }
> > ```
> >
> > [0] https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_google_gonids&d=DwIGaQ&c=RKDswobrOGdp5vDCbl5XjxW8HqrsRSr80dGTvu3rE9Q&r=6WrfY5KEBEPfMah_8-yqKNhrSXZ_uxnVeHHRBLiLOOQ2fd5oy_RThbD74j83K_0Q&m=hAfd55ueABKZMh15E7DCgKxcq1eJmyj7NdEfRzJ11qg&s=wQeoEzkmyjFSFZWBfA9E6jNRKRO1CFaLHufPhRq4k8g&e=
> >
> > On Mon, Feb 3, 2020 at 10:27 AM Jason Williams <
> > jwilliams at emergingthreats.net> wrote:
> >
> >> Tiago,
> >>
> >> create-sidmap.pl is part of the oinkmaster distribution, take a look
> >> there
> >>
> >> https://urldefense.proofpoint.com/v2/url?u=http-3A__oinkmaster.sourceforge.net_faq.shtml&d=DwIGaQ&c=RKDswobrOGdp5vDCbl5XjxW8HqrsRSr80dGTvu3rE9Q&r=6WrfY5KEBEPfMah_8-yqKNhrSXZ_uxnVeHHRBLiLOOQ2fd5oy_RThbD74j83K_0Q&m=hAfd55ueABKZMh15E7DCgKxcq1eJmyj7NdEfRzJ11qg&s=Oh7MKVHlxpL6r4zqBV1EwncAtS-6Az0Qt-BvEag7-YE&e=
> >>
> >> HTH,
> >>
> >> Jason
> >>
> >> On Mon, Feb 3, 2020 at 11:15 AM Tiago Faria <
> >> tiago.faria.backups at gmail.com> wrote:
> >>
> >>> Hi list,
> >>>
> >>> I know this is a bit of a weird request but was wondering if the
> >>> script that generates
> >>> https://urldefense.proofpoint.com/v2/url?u=https-3A__rules.emergingthreats.net_sidmap_&d=DwIGaQ&c=RKDswobrOGdp5vDCbl5XjxW8HqrsRSr80dGTvu3rE9Q&r=6WrfY5KEBEPfMah_8-yqKNhrSXZ_uxnVeHHRBLiLOOQ2fd5oy_RThbD74j83K_0Q&m=hAfd55ueABKZMh15E7DCgKxcq1eJmyj7NdEfRzJ11qg&s=d1mFDCcQMbzItmbcothW316RL4naaCLZQdJ9JgkmS-c&e=
> >>> is available anywhere online? Looked on ET GH but couldn't find it.
> >>>
> >>> I would really like to create something similar for other rulesets
> >>> (and even combine other rulesets and provide a general sidmap;
> >>> easier for querying or feeding other systems), and the best I came up
> >>> with, 'while read -r line', is far from what it should be. :)
> >>>
> >>> Perfectly understand if the ET team can't share, just thought I'd
> >>> ask :)
> >>>
> >>> Thank you!
> >>> T
> >>> _______________________________________________
> >>> Emerging-sigs mailing list
> >>> Emerging-sigs at lists.emergingthreats.net
> >>> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.emergingthreats.net_mailman_listinfo_emerging-2Dsigs&d=DwIGaQ&c=RKDswobrOGdp5vDCbl5XjxW8HqrsRSr80dGTvu3rE9Q&r=6WrfY5KEBEPfMah_8-yqKNhrSXZ_uxnVeHHRBLiLOOQ2fd5oy_RThbD74j83K_0Q&m=hAfd55ueABKZMh15E7DCgKxcq1eJmyj7NdEfRzJ11qg&s=-Fm97yYt2QkSjrh6DdAg3B4CiE-LAro_9kj6M_k67Eo&e=
> >>>
> >>> Support Emerging Threats! Subscribe to Emerging Threats Pro
> >>> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.emergingthreats.net&d=DwIGaQ&c=RKDswobrOGdp5vDCbl5XjxW8HqrsRSr80dGTvu3rE9Q&r=6WrfY5KEBEPfMah_8-yqKNhrSXZ_uxnVeHHRBLiLOOQ2fd5oy_RThbD74j83K_0Q&m=hAfd55ueABKZMh15E7DCgKxcq1eJmyj7NdEfRzJ11qg&s=Fkoid9eO7S4ERnu-K0Z2VTEphQhpXDdKtfo4TDzNGMU&e=
> >>>
> >>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 3 Feb 2020 13:58:05 -0800
> From: Duane Howard <duane.security at gmail.com>
> To: Tiago Faria <tiago.faria.backups at gmail.com>
> Cc: Jason Williams <jwilliams at emergingthreats.net>,
>         "emerging-sigs at emergingthreats.net"
>         <Emerging-sigs at emergingthreats.net>
> Subject: Re: [Emerging-Sigs] sidmap generator
> Message-ID: <CAH9u3cuSyqDr9h+skg85iNn3hm5N2+gTJD=BiTmTaw4H26r6iw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Tiago, I've filed an issue[0] in the project to make this functionality a
> bit more supported by the library itself. I'll try to hammer this out when
> I have some spare time; PRs are welcome.
>
> [0]
> https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_google_gonids_issues_124&d=DwIGaQ&c=RKDswobrOGdp5vDCbl5XjxW8HqrsRSr80dGTvu3rE9Q&r=6WrfY5KEBEPfMah_8-yqKNhrSXZ_uxnVeHHRBLiLOOQ2fd5oy_RThbD74j83K_0Q&m=hAfd55ueABKZMh15E7DCgKxcq1eJmyj7NdEfRzJ11qg&s=_sY24cmDZercWOe_dy5R8d0sCvY1cFjS_ThYH3p9pzs&e=
>
>
> ------------------------------
>
>
> ------------------------------
>
> End of Emerging-sigs Digest, Vol 147, Issue 3
> *********************************************
>
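An added example, not Duane's snippet and not the gonids library: a dependency-free Go version of the sidmap line his snippet builds ("sid || msg || type,value || ..."), so it runs without fetching gonids. It reads only the msg, sid and reference options, honours backslash escapes inside msg (the `\;` case that a naive split on ';' gets wrong), and returns an error for rules with no sid rather than emitting a half-formed line; `splitOptions` and `SidmapLine` are names assumed here, not gonids API.

```go
package main

import "errors"
import "strings"

// splitOptions splits a rule's option block on unescaped ';'; a backslash escapes the next character.
func splitOptions(body string) []string {
	var opts []string
	var cur strings.Builder
	escaped := false
	for _, c := range body {
		if c == ';' && !escaped {
			opts = append(opts, strings.TrimSpace(cur.String()))
			cur.Reset()
			continue
		}
		cur.WriteRune(c)
		escaped = c == '\\' && !escaped
	}
	return append(opts, strings.TrimSpace(cur.String())) // trailing text, usually empty
}

// SidmapLine renders one rule as "<sid> || <msg> || <reftype>,<refvalue> || ...", the layout the
// thread's gonids snippet prints. A rule with no option block or no sid is an error, not a half line.
func SidmapLine(rule string) (string, error) {
	start, end := strings.Index(rule, "("), strings.LastIndex(rule, ")")
	if start < 0 || end < start {
		return "", errors.New("no option block")
	}
	var sid, msg string
	var refs []string
	unescape := strings.NewReplacer(`\"`, `"`, `\;`, `;`, `\\`, `\`)
	for _, opt := range splitOptions(rule[start+1 : end]) {
		key, val, _ := strings.Cut(opt, ":")
		switch val = strings.TrimSpace(val); strings.TrimSpace(key) {
		case "sid":
			sid = val
		case "msg":
			msg = unescape.Replace(strings.Trim(val, `"`))
		case "reference":
			refs = append(refs, val) // reference values are already "type,value"
		}
	}
	if sid == "" {
		return "", errors.New("rule has no sid")
	}
	return strings.Join(append([]string{sid, msg}, refs...), " || "), nil
}
```

Feed it one rule per line from a ruleset and collect the errors separately, so rules the parser rejects show up in a report instead of silently vanishing from the map.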

