[Emerging-Sigs] Emerging-sigs Digest, Vol 147, Issue 3

Tiago Faria tiago.faria.backups at gmail.com
Mon Feb 3 14:33:10 HST 2020


Ah! Valid point and something I forgot to mention. We migrated to 5.x.
That’s not something I feel confident about addressing in a PR though :)

On Tue, 4 Feb 2020 at 00:12, Duane Howard <duane.security at gmail.com> wrote:

> Glad this seems interesting to you Matthew.
> Worth noting, for anyone that has jumped to Suricata 5.X GoNIDS does *not*
> support parsing 5.X style signatures yet, and I'm not quite sure when I'll
> be able to dive into this (nor do I really know how we want to structure
> this functionality) and there are a few Snort only keywords that are not
> supported.
>
> PRs, and issues always welcome!
>
> ./d
>
> On Mon, Feb 3, 2020 at 2:07 PM Matthew Clairmont (R* NYC) <
> Matthew.Clairmont at rockstargames.com> wrote:
>
>> GoNIDS may have just saved me a lot of automation work. I've recently
>> started more signature automation using Go but it was nowhere the quality
>> (or finesse) of what GoNIDS seems to offer!
>>
>> -----Original Message-----
>> From: Emerging-sigs <emerging-sigs-bounces at lists.emergingthreats.net> On
>> Behalf Of emerging-sigs-request at lists.emergingthreats.net
>> Sent: Monday, February 3, 2020 05:00 PM
>> To: emerging-sigs at lists.emergingthreats.net
>> Subject: Emerging-sigs Digest, Vol 147, Issue 3
>>
>>
>> Today's Topics:
>>
>>    1. Re: sidmap generator (Tiago Faria)
>>    2. Re: sidmap generator (Duane Howard)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Mon, 3 Feb 2020 19:28:02 +0000
>> From: Tiago Faria <tiago.faria.backups at gmail.com>
>> To: Duane Howard <duane.security at gmail.com>
>> Cc: Jason Williams <jwilliams at emergingthreats.net>,
>>         "emerging-sigs at emergingthreats.net"
>>         <Emerging-sigs at emergingthreats.net>
>> Subject: Re: [Emerging-Sigs] sidmap generator
>> Message-ID: <CAF8FeX-CjoFTjfCL8g=XDh83jYX69Vs79-Qf35ooUJVHTcqcdA at mail.gmail.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> That's a very good idea Duane, thank you.
>>
>> I'll look into using gonids and report back. Since this is going into a
>> Lambda function gonids seems like a very good fit!
>>
>> On Mon, Feb 3, 2020 at 7:06 PM Duane Howard <duane.security at gmail.com>
>> wrote:
>>
>> > You could write a small utility using the gonids[0] parsing library.
>> > Should roughly be something like:
>> > ```
>> > package main
>> >
>> > import (
>> >   "fmt"
>> >   "os"
>> >   "strings"
>> >
>> >   "github.com/google/gonids"
>> > )
>> >
>> > func main() {
>> >   // The sketch left the source of the rule text unspecified; here it is
>> >   // taken from the first command-line argument.
>> >   rule := os.Args[1]
>> >   r, err := gonids.ParseRule(rule)
>> >   if err != nil {
>> >     // Handle parse error
>> >     fmt.Fprintln(os.Stderr, "parse error:", err)
>> >     os.Exit(1)
>> >   }
>> >   var msgmap []string
>> >   msgmap = append(msgmap, fmt.Sprintf("%d", r.SID))
>> >   msgmap = append(msgmap, r.Description)
>> >   for _, ref := range r.References {
>> >     msgmap = append(msgmap, fmt.Sprintf("%s,%s", ref.Type, ref.Value))
>> >   }
>> >   fmt.Println(strings.Join(msgmap, " || "))
>> > }
>> > ```
>> >
>> > [0] https://github.com/google/gonids
>> >
>> > On Mon, Feb 3, 2020 at 10:27 AM Jason Williams <
>> > jwilliams at emergingthreats.net> wrote:
>> >
>> >> Tiago,
>> >>
>> >> create-sidmap.pl is part of the oinkmaster distribution, take a look
>> >> there
>> >>
>> >> http://oinkmaster.sourceforge.net/faq.shtml
>> >>
>> >> HTH,
>> >>
>> >> Jason
>> >>
>> >> On Mon, Feb 3, 2020 at 11:15 AM Tiago Faria <
>> >> tiago.faria.backups at gmail.com> wrote:
>> >>
>> >>> Hi list,
>> >>>
>> >>> I know this is a bit of a weird request but was wondering if the
>> >>> script that generates https://rules.emergingthreats.net/sidmap/
>> >>> is available anywhere online? Looked on ET GH but couldn't find it.
>> >>>
>> >>> I would really like to create something similar for other rulesets
>> >>> (and even combine other rulesets and provide a general sidmap;
>> >>> easier for querying or feeding other systems) and the best I came up
>> >>> with 'while read -r line' is far from what it should be. :)
>> >>>
>> >>> Perfectly understand if the ET team can't share, just thought I'd
>> >>> ask :)
>> >>>
>> >>> Thank you!
>> >>> T
>> >>> _______________________________________________
>> >>> Emerging-sigs mailing list
>> >>> Emerging-sigs at lists.emergingthreats.net
>> >>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> >>>
>> >>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> >>> http://www.emergingthreats.net
>> >>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Mon, 3 Feb 2020 13:58:05 -0800
>> From: Duane Howard <duane.security at gmail.com>
>> To: Tiago Faria <tiago.faria.backups at gmail.com>
>> Cc: Jason Williams <jwilliams at emergingthreats.net>,
>>         "emerging-sigs at emergingthreats.net"
>>         <Emerging-sigs at emergingthreats.net>
>> Subject: Re: [Emerging-Sigs] sidmap generator
>> Message-ID: <CAH9u3cuSyqDr9h+skg85iNn3hm5N2+gTJD=BiTmTaw4H26r6iw at mail.gmail.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Tiago, I've filed an issue[0] in the project to make this functionality a
>> bit more supported by the library itself. I'll try to hammer this out when
>> I have some spare time; PRs are welcome.
>>
>> [0] https://github.com/google/gonids/issues/124
>>
>>
>> ------------------------------
>>
>> ------------------------------
>>
>> End of Emerging-sigs Digest, Vol 147, Issue 3
>> *********************************************
>
>
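The sketch quoted in the thread parses one rule with gonids and renders it as `sid || msg || reftype,refvalue`. The following is an added example, not code from the thread or from the gonids project: it does the same for a whole ruleset with a small hand-rolled option parser standing in for `gonids.ParseRule`, so it runs without the module. The `Rule` fields, the `SampleRuleset` rules, the `example.invalid` reference and the CVE value are all constructed for the example. What it shows beyond the sketch is the part a naive `;` splitter gets wrong (a `\;` or `\"` escaped inside `msg:"..."`), and per-line error reporting so a malformed rule is surfaced instead of silently missing from the map.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Rule holds what a sid-msg.map line needs; the field names follow the gonids fields
// used in the thread, but this is a hand-rolled stand-in, not the library.
type Rule struct {
	SID         int
	Description string
	References  []string // kept as "type,value", which is how the map renders them
}

// splitOptions splits a rule's option block on ';', honouring double quotes and
// backslash escapes so that a "\;" inside msg:"..." does not end the option.
func splitOptions(body string) []string {
	var opts []string
	inQuote, escaped, last := false, false, 0
	for i, c := range body {
		switch {
		case escaped:
			escaped = false
		case c == '\\':
			escaped = true
		case c == '"':
			inQuote = !inQuote
		case c == ';' && !inQuote: // every option ends with ';' in the rule language
			if s := strings.TrimSpace(body[last:i]); s != "" {
				opts = append(opts, s)
			}
			last = i + 1
		}
	}
	return opts
}

// ParseRule extracts the sid, msg and reference options from one rule line.
func ParseRule(line string) (*Rule, error) {
	start, end := strings.Index(line, "("), strings.LastIndex(line, ")")
	if start < 0 || end < start {
		return nil, fmt.Errorf("no option block between parentheses")
	}
	unescape := strings.NewReplacer(`\"`, `"`, `\;`, `;`, `\\`, `\`)
	r := &Rule{}
	for _, opt := range splitOptions(line[start+1 : end]) {
		key, val, _ := strings.Cut(opt, ":")
		switch val = strings.TrimSpace(val); key {
		case "sid":
			n, err := strconv.Atoi(val)
			if err != nil {
				return nil, fmt.Errorf("bad sid %q: %w", val, err)
			}
			r.SID = n
		case "msg": // drop the surrounding quotes, then resolve the \" \; \\ escapes
			r.Description = unescape.Replace(strings.TrimSuffix(strings.TrimPrefix(val, `"`), `"`))
		case "reference":
			r.References = append(r.References, val)
		}
	}
	if r.SID == 0 {
		return nil, fmt.Errorf("rule has no sid")
	}
	return r, nil
}

// SidmapLine renders a rule the way the thread's sketch does: sid || msg || type,value ...
func SidmapLine(r *Rule) string {
	return strings.Join(append([]string{strconv.Itoa(r.SID), r.Description}, r.References...), " || ")
}

// GenerateSidmap maps every parsable rule in a ruleset and reports, per line, each rule it skipped.
func GenerateSidmap(ruleset string) ([]string, []error) {
	lines, errs := []string{}, []error{}
	for n, raw := range strings.Split(ruleset, "\n") {
		text := strings.TrimSpace(raw)
		if text == "" || strings.HasPrefix(text, "#") { // blank line or disabled rule
			continue
		}
		if r, err := ParseRule(text); err != nil {
			errs = append(errs, fmt.Errorf("line %d: %w", n+1, err))
		} else {
			lines = append(lines, SidmapLine(r))
		}
	}
	return lines, errs
}

// SampleRuleset is constructed for this example (not ET rules): a valid rule whose msg has an
// escaped semicolon, a disabled rule, and a rule with no sid; the URL and CVE are placeholders.
const SampleRuleset = `# constructed sample rules
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE POLICY Beacon \; escaped semicolon"; flow:established,to_server; reference:url,example.invalid/beacon-writeup; reference:cve,0000-PLACEHOLDER; classtype:policy-violation; sid:9000001; rev:2;)
# alert tcp any any -> any any (msg:"EXAMPLE disabled rule"; sid:9000002; rev:1;)
alert dns any any -> any any (msg:"EXAMPLE rule missing its sid"; rev:1;)
`

func main() { fmt.Println(GenerateSidmap(SampleRuleset)) }
```

Disabled (`#`-prefixed) rules are skipped here; if the map should cover them too, strip the leading `#` before calling `ParseRule` instead of skipping. When the real library is used, gonids' `Rule` exposes the same `SID`, `Description` and `References` fields the sketch relies on (with each reference's `Type` and `Value` joined by a comma), so only `ParseRule` changes and `SidmapLine` carries over unchanged.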