From c4206b2f620fa56cc51e3d9de382ba00e5637151 Mon Sep 17 00:00:00 2001 From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com> Date: Sat, 20 Mar 2021 03:38:35 +0000 Subject: [PATCH] post: urlhaus-filter and phishing-filter available as Snort and Suricata rules --- .../_posts/urlhaus-phishing-snort-suricata.md | 150 ++++++++++++++++++ 1 file changed, 150 insertions(+) create mode 100644 source/_posts/urlhaus-phishing-snort-suricata.md diff --git a/source/_posts/urlhaus-phishing-snort-suricata.md b/source/_posts/urlhaus-phishing-snort-suricata.md new file mode 100644 index 0000000..f77ad4d --- /dev/null +++ b/source/_posts/urlhaus-phishing-snort-suricata.md @@ -0,0 +1,150 @@ +--- +title: urlhaus-filter and phishing-filter available as Snort and Suricata rules +excerpt: Tested on Snort 2, Snort 3 and Suricata 6 +date: 2021-03-20 +tags: +- security +--- + +[urlhaus-filter](https://gitlab.com/curben/urlhaus-filter) and [phishing-filter](https://gitlab.com/curben/phishing-filter) are blocklists that target malware and phishing websites respectively. The blocklists are available in many formats: + +- uBlock Origin (urlhaus-filter is bundled by default) +- Pi-hole +- AdGuard Home +- AdGuard (browser extension) +- Vivaldi 3.3+ +- Hosts file +- Dnsmasq +- BIND +- Unbound +- IE9+ + +In addition to the above formats/software, they are now also available as [Snort](https://www.snort.org/) and [Suricata](https://suricata-ids.org/) IDS rulesets. Both Snort 2 and 3 are supported; a vast majority of Linux distribution have not support v3 yet and there are no official v3 binaries. Note that Snort 2 ruleset is not compatible with Snort 3 and vice versa. + +I planned to create these IDS rulesets for a long time, but held it off because upstream [URLhaus](https://urlhaus.abuse.ch) already support them and there was no user request. I finally decided to go for it after the product announcement of [AWS Firewall](https://aws.amazon.com/blogs/aws/aws-network-firewall-new-managed-firewall-service-in-vpc/) with its support of custom Suricata ruleset, plus incomplete support of URLhaus on Snort 2 ruleset. + +Installation guide as follow. + +## urlhaus-filter + +### Snort2 + +``` +# Download ruleset +curl -L "https://curben.gitlab.io/malware-filter/urlhaus-filter-snort2-online.rules" -o "/etc/snort/rules/urlhaus-filter-snort2-online.rules" + +# Create a new cron job for daily update +printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/urlhaus-filter-snort2-online.rules" -o "/etc/snort/rules/urlhaus-filter-snort2-online.rules"\n' > /etc/cron.daily/urlhaus-filter + +# cron job requires execution permission +chmod 755 /etc/cron.daily/urlhaus-filter + +# Configure Snort to use the ruleset +printf "\ninclude \$RULE_PATH/urlhaus-filter-snort2-online.rules\n" >> /etc/snort/snort.conf +``` + +### Snort3 + +``` +# Download ruleset +curl -L "https://curben.gitlab.io/malware-filter/urlhaus-filter-snort3-online.rules" -o "/etc/snort/rules/urlhaus-filter-snort3-online.rules" + +# Create a new cron job for daily update +printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/urlhaus-filter-snort3-online.rules" -o "/etc/snort/rules/urlhaus-filter-snort3-online.rules"\n' > /etc/cron.daily/urlhaus-filter + +# cron job requires execution permission +chmod 755 /etc/cron.daily/urlhaus-filter +``` + +Configure Snort to use the ruleset: + +``` diff /etc/snort/snort.lua +ips = +{ + variables = default_variables, ++ include = 'rules/urlhaus-filter-snort3-online.rules' +} +``` + +### Suricata + +``` +# Download ruleset +curl -L "https://curben.gitlab.io/malware-filter/urlhaus-filter-suricata-online.rules" -o "/etc/suricata/rules/urlhaus-filter-suricata-online.rules" + +# Create a new cron job for daily update +printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/urlhaus-filter-suricata-online.rules" -o "/etc/suricata/rules/urlhaus-filter-suricata-online.rules"\n' > /etc/cron.daily/urlhaus-filter + +# cron job requires execution permission +chmod 755 /etc/cron.daily/urlhaus-filter +``` + +Configure Suricata to use the ruleset: + +``` diff /etc/suricata/suricata.yaml +rule-files: + - local.rules ++ - urlhaus-filter-suricata-online.rules +``` + +## phishing-filter + +### Snort2 + +``` +# Download ruleset +curl -L "https://curben.gitlab.io/phishing-filter-mirror/phishing-filter-snort2.rules" -o "/etc/snort/rules/phishing-filter-snort2.rules" + +# Create a new cron job for daily update +printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/phishing-filter-mirror/phishing-filter-snort2.rules" -o "/etc/snort/rules/phishing-filter-snort2.rules"\n' > /etc/cron.daily/phishing-filter + +# cron job requires execution permission +chmod 755 /etc/cron.daily/phishing-filter + +# Configure Snort to use the ruleset +printf "\ninclude \$RULE_PATH/phishing-filter-snort2.rules\n" >> /etc/snort/snort.conf +``` + +### Snort3 + +``` +# Download ruleset +curl -L "https://curben.gitlab.io/phishing-filter-mirror/phishing-filter-snort3.rules" -o "/etc/snort/rules/phishing-filter-snort3.rules" + +# Create a new cron job for daily update +printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/phishing-filter-mirror/phishing-filter-snort3.rules" -o "/etc/snort/rules/phishing-filter-snort3.rules"\n' > /etc/cron.daily/phishing-filter + +# cron job requires execution permission +chmod 755 /etc/cron.daily/phishing-filter +``` + +Configure Snort to use the ruleset: + +``` diff /etc/snort/snort.lua +ips = +{ + variables = default_variables, ++ include = 'rules/phishing-filter-snort3-online.rules' +} +``` + +### Suricata + +``` +# Download ruleset +curl -L "https://curben.gitlab.io/phishing-filter-mirror/phishing-filter-suricata.rules" -o "/etc/suricata/rules/phishing-filter-suricata.rules" + +# Create a new cron job for daily update +printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/phishing-filter-mirror/phishing-filter-suricata.rules" -o "/etc/suricata/rules/phishing-filter-suricata.rules"\n' > /etc/cron.daily/phishing-filter + +# cron job requires execution permission +chmod 755 /etc/cron.daily/phishing-filter +``` + +Configure Suricata to use the ruleset: + +``` diff /etc/suricata/suricata.yaml +rule-files: + - local.rules ++ - phishing-filter-suricata.rules +``` \ No newline at end of file