[Emerging-Sigs] `former_category` metadatas

Nathan nathan at packetmail.net
Tue Jun 16 17:01:30 HDT 2020


Stupid question here -- why?  If Suricata and Snort parse the rule who
cares what Go/Google/Gonads does?

'gonads is a library to parse IDS rules for engines like Snort and
Suricata.'

Why do I care about this 3rd party implementation for rule parsing?
Why should I care about other peoples gonads...er gonids?

Cheers and all the best!

Nathan Fowler




On Tue, 16 Jun 2020 15:29:44 -0700
Duane Howard <duane.security at gmail.com> wrote:

> Shameless plug again for GoNIDS
> https://github.com/google/gonids
> 
> It'll fix this for you automatically
> ```
> r := gonids.ParseRule(ruleString)
> fmt.Println(r)
> ```
> 
> If you find bugs, I'll fix them... =)
> 
> On Tue, Jun 16, 2020 at 3:00 PM Richard Gonzalez
> <rgonzalez at proofpoint.com> wrote:
> 
> > Thanks Duane - this is a formatting issue within our rule creation
> > engine and how it deals with out internal and external metadata
> > tags.
> >
> > We're working on making the released rule content a little more
> > 'graceful' for these purposes.
> >
> >
> > Thanks,
> >
> >
> > Rich
> >
> >
> > ------------------------------
> > *From:* Emerging-sigs
> > <emerging-sigs-bounces at lists.emergingthreats.net> on behalf of
> > Duane Howard <duane.security at gmail.com> *Sent:* Tuesday, June 16,
> > 2020 3:40 PM *To:* emerging-sigs at lists.emergingthreats.net <
> > emerging-sigs at lists.emergingthreats.net>
> > *Subject:* [Emerging-Sigs] `former_category` metadatas
> >
> > Stylistic question:
> >
> > Is it intended that `former_category` metadata tags are independent
> > of the other metadata tag in a given rule? Why not merge them into
> > a single one?
> >
> > For example:
> >
> > alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET
> > CURRENT_EVENTS SunDown EK RIP Landing M1 B641";
> > flow:established,from_server; file_data;
> > content:"|4a694270626e525562314e30636968685a4752794b|"; *metadata:
> > former_category CURRENT_EVENTS;* classtype:trojan-activity;
> > sid:2024353; rev:2; *metadata:affected_product
> > Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product
> > Web_Browser_Plugins, attack_target Client_Endpoint, deployment
> > Perimeter, tag Exploit_Kit_Sundown, signature_severity Major,
> > created_at 2017_06_07, malware_family Exploit_Kit, updated_at
> > 2017_06_07;*)
> >
> > It also seems that this particular meta has a space following the
> > `metadata` keyword where the later ones do not.
> >  



More information about the Emerging-sigs mailing list