feat: add Snort3 ruleset

This commit is contained in:
MDLeom 2021-03-19 19:03:25 +00:00
parent 2aec08cf9e
commit 4d0b92434b
3 changed files with 9496 additions and 2 deletions


@ -15,6 +15,7 @@ There are multiple formats available, refer to the appropriate section according
- [Unbound](#unbound)
- Internet Explorer -> [Tracking Protection List (IE)](#tracking-protection-list-ie)
- [Snort2](#snort2)
- [Snort3](#snort3)
- [Suricata](#suricata)
Not sure which format to choose? See [Compatibility](https://gitlab.com/curben/urlhaus-filter/wikis/compatibility) page.
@ -273,7 +274,7 @@ This blocklist includes domains only.
## Snort2
This ruleset includes online URLs only. Not compatible with Snort3.
This ruleset includes online URLs only. Not compatible with [Snort3](#snort3).
### Install
@ -305,6 +306,48 @@ printf "\ninclude \$RULE_PATH/phishing-filter-snort2.rules\n" >> /etc/snort/snor
</details>
## Snort3
This ruleset includes online URLs only. Not compatible with [Snort2](#snort2).
### Install
```
# Download ruleset
curl -L "https://curben.gitlab.io/phishing-filter-mirror/phishing-filter-snort3.rules" -o "/etc/snort/rules/phishing-filter-snort3.rules"
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/phishing-filter-mirror/phishing-filter-snort3.rules" -o "/etc/snort/rules/phishing-filter-snort3.rules"\n' > /etc/cron.daily/phishing-filter
# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter
```
Configure Snort to use the ruleset:
``` diff
# /etc/snort/snort.lua
ips =
{
variables = default_variables,
+ include = 'rules/phishing-filter-snort3-online.rules'
}
```
- https://curben.gitlab.io/phishing-filter-mirror/phishing-filter-snort3.rules
<details>
<summary>Mirrors</summary>
- https://cdn.statically.io/gl/curben/phishing-filter/master/dist/phishing-filter-snort3.rules
- https://glcdn.githack.com/curben/phishing-filter/raw/master/dist/phishing-filter-snort3.rules
- https://raw.githubusercontent.com/curbengh/phishing-filter/master/dist/phishing-filter-snort3.rules
- https://cdn.statically.io/gh/curbengh/phishing-filter/master/dist/phishing-filter-snort3.rules
- https://gitcdn.xyz/repo/curbengh/phishing-filter/master/dist/phishing-filter-snort3.rules
- https://cdn.jsdelivr.net/gh/curbengh/phishing-filter/dist/phishing-filter-snort3.rules
</details>
## Suricata
This ruleset includes online URLs only.

9438
dist/phishing-filter-snort3.rules vendored Normal file



@ -227,15 +227,20 @@ sed "1s/Blocklist/Unbound Blocklist/" > "../dist/phishing-filter-unbound.conf"
set +x
## Snort & Suricata rulesets
rm -f "../dist/phishing-filter-snort2.rules" "../dist/phishing-filter-suricata.rules"
rm -f "../dist/phishing-filter-snort2.rules" \
"../dist/phishing-filter-snort3.rules" \
"../dist/phishing-filter-suricata.rules"
SID="100000001"
while read DOMAIN; do
SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"phishing-filter phishing website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$DOMAIN\"; content:\"Host\"; http_header; classtype:attempted-recon; sid:$SID; rev:1;)"
SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"phishing-filter phishing website detected\"; http_header:field host; content:\"$DOMAIN\",nocase; classtype:attempted-recon; sid:$SID; rev:1;)"
SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"phishing-filter phishing website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.host; content:\"$DOMAIN\"; classtype:attempted-recon; sid:$SID; rev:1;)"
echo "$SN_RULE" >> "../dist/phishing-filter-snort2.rules"
echo "$SN3_RULE" >> "../dist/phishing-filter-snort3.rules"
echo "$SR_RULE" >> "../dist/phishing-filter-suricata.rules"
SID=$(( $SID + 1 ))
@ -247,9 +252,12 @@ while read URL; do
SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"phishing-filter phishing website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$(echo $URI | cut -c -2047)\"; http_uri; nocase; content:\"$HOST\"; content:\"Host\"; http_header; classtype:attempted-recon; sid:$SID; rev:1;)"
SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"phishing-filter phishing website detected\"; http_header:field host; content:\"$HOST\",nocase; http_uri; content:\"$URI\",nocase; classtype:attempted-recon; sid:$SID; rev:1;)"
SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"phishing-filter phishing website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.uri; content:\"$URI\"; endswith; nocase; http.host; content:\"$HOST\"; classtype:attempted-recon; sid:$SID; rev:1;)"
echo "$SN_RULE" >> "../dist/phishing-filter-snort2.rules"
echo "$SN3_RULE" >> "../dist/phishing-filter-snort3.rules"
echo "$SR_RULE" >> "../dist/phishing-filter-suricata.rules"
SID=$(( $SID + 1 ))
@ -262,6 +270,11 @@ sed '1 i\'"$COMMENT"'' | \
sed "1s/Domains Blocklist/URL Snort2 Ruleset/" > "../dist/phishing-filter-snort2.rules.temp"
mv "../dist/phishing-filter-snort2.rules.temp" "../dist/phishing-filter-snort2.rules"
cat "../dist/phishing-filter-snort3.rules" | \
sed '1 i\'"$COMMENT"'' | \
sed "1s/Domains Blocklist/URL Snort3 Ruleset/" > "../dist/phishing-filter-snort3.rules.temp"
mv "../dist/phishing-filter-snort3.rules.temp" "../dist/phishing-filter-snort3.rules"
cat "../dist/phishing-filter-suricata.rules" | \
sed '1 i\'"$COMMENT"'' | \
sed "1s/Domains Blocklist/URL Suricata Ruleset/" > "../dist/phishing-filter-suricata.rules.temp"
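Review bot: Both new `SN3_RULE` strings omit the `flow:established,from_client` and `GET` method checks that the Snort2 and Suricata rules on the neighbouring lines carry, so the Snort3 ruleset alerts on any request method without requiring an established session; if that is intended (e.g. to also catch POSTed credentials) it deserves a comment in the script, otherwise add `flow:established,to_server; http_method; content:\"GET\";` after the `msg` option in both strings. The Snort2 URL rule also caps the URI at 2047 bytes (`cut -c -2047`) while the Snort3 URL rule interpolates the full `$URI`; if Snort3 keeps a maximum content length, one over-long listed URL would produce a rule that fails to parse and can stop the whole file from loading, so either apply the same cap or confirm the limit no longer applies. As with the existing rules, `$DOMAIN`, `$HOST` and `$URI` are spliced into the rule text unescaped, so a `"`, `;`, `\` or `|` in a listed URL would break rule syntax unless the list is sanitized before this loop, which is not visible in the hunk. The `while read DOMAIN` loop that feeds the first rule begins inside the hunk but the loop supplying `$HOST`/`$URI` starts outside it.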