From 6823609786c7a9eadf7121165d71ade15d1b3965 Mon Sep 17 00:00:00 2001
From: MDLeom <2809763-curben@users.noreply.gitlab.com>
Date: Sun, 18 May 2025 08:20:43 +0000
Subject: [PATCH] feat: SNI inspection using Suricata

inspired by https://blog.nviso.eu/wp-content/uploads/2025/04/NVISO-BRICKSTORM-Report.pdf
---
 README.md | 7 +++++++
 src/ids.js | 5 +++++
 src/script.sh | 4 ++++
 3 files changed, 16 insertions(+)

diff --git a/README.md b/README.md
index fd13af53..14bf7281 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,7 @@
  - [Snort2](#snort2)
  - [Snort3](#snort3)
  - [Suricata](#suricata)
+ - [Suricata (SNI)](#suricata-sni)
  - [Splunk](#splunk)
  - [Tracking Protection List (IE)](#tracking-protection-list-ie)
  - [Compressed version](#compressed-version)
@@ -42,6 +43,7 @@ A blocklist of phishing websites, curated from [OpenPhish](https://openphish.com
 | [Snort2](#snort2) | [link](https://malware-filter.gitlab.io/malware-filter/phishing-filter-snort2.rules) | [link](https://curbengh.github.io/malware-filter/phishing-filter-snort2.rules) | [link](https://curbengh.github.io/phishing-filter/phishing-filter-snort2.rules) | [link](https://malware-filter.gitlab.io/phishing-filter/phishing-filter-snort2.rules) | [br](https://malware-filter.pages.dev/phishing-filter-snort2.rules.br)/[gz](https://malware-filter.pages.dev/phishing-filter-snort2.rules.gz) | [link](https://phishing-filter.pages.dev/phishing-filter-snort2.rules) |
 | [Snort3](#snort3) | [link](https://malware-filter.gitlab.io/malware-filter/phishing-filter-snort3.rules) | [link](https://curbengh.github.io/malware-filter/phishing-filter-snort3.rules) | [link](https://curbengh.github.io/phishing-filter/phishing-filter-snort3.rules) | [link](https://malware-filter.gitlab.io/phishing-filter/phishing-filter-snort3.rules) | [br](https://malware-filter.pages.dev/phishing-filter-snort3.rules.br)/[gz](https://malware-filter.pages.dev/phishing-filter-snort3.rules.gz) | [link](https://phishing-filter.pages.dev/phishing-filter-snort3.rules) |
 | [Suricata](#suricata) | [link](https://malware-filter.gitlab.io/malware-filter/phishing-filter-suricata.rules) | [link](https://curbengh.github.io/malware-filter/phishing-filter-suricata.rules) | [link](https://curbengh.github.io/phishing-filter/phishing-filter-suricata.rules) | [link](https://malware-filter.gitlab.io/phishing-filter/phishing-filter-suricata.rules) | [br](https://malware-filter.pages.dev/phishing-filter-suricata.rules.br)/[gz](https://malware-filter.pages.dev/phishing-filter-suricata.rules.gz) | [link](https://phishing-filter.pages.dev/phishing-filter-suricata.rules) |
+| [Suricata (SNI)](#suricata-sni)| [link](https://malware-filter.gitlab.io/malware-filter/phishing-filter-suricata-sni.rules) | [link](https://curbengh.github.io/malware-filter/phishing-filter-suricata-sni.rules) | [link](https://curbengh.github.io/phishing-filter/phishing-filter-suricata-sni.rules) | [link](https://malware-filter.gitlab.io/phishing-filter/phishing-filter-suricata-sni.rules) | [br](https://malware-filter.pages.dev/phishing-filter-suricata-sni.rules.br)/[gz](https://malware-filter.pages.dev/phishing-filter-suricata-sni.rules.gz) | [link](https://phishing-filter.pages.dev/phishing-filter-suricata-sni.rules) |
 | [Splunk](#splunk) | [link](https://malware-filter.gitlab.io/malware-filter/phishing-filter-splunk.csv) | [link](https://curbengh.github.io/malware-filter/phishing-filter-splunk.csv) | [link](https://curbengh.github.io/phishing-filter/phishing-filter-splunk.csv) | [link](https://malware-filter.gitlab.io/phishing-filter/phishing-filter-splunk.csv) | [link](https://malware-filter.pages.dev/phishing-filter-splunk.csv) | [link](https://phishing-filter.pages.dev/phishing-filter-splunk.csv) |
 | [Internet Explorer](#tracking-protection-list-ie) | [link](https://malware-filter.gitlab.io/malware-filter/phishing-filter.tpl) | [link](https://curbengh.github.io/malware-filter/phishing-filter.tpl) | [link](https://curbengh.github.io/phishing-filter/phishing-filter.tpl) | [link](https://malware-filter.gitlab.io/phishing-filter/phishing-filter.tpl) | [link](https://malware-filter.pages.dev/phishing-filter.tpl) | [link](https://phishing-filter.pages.dev/phishing-filter.tpl) |
@@ -196,6 +198,11 @@ rule-files: + - phishing-filter-suricata.rules
 ```
+### Suricata (SNI)
+
+This ruleset includes online domains only. It enables Suricata to detect malicious HTTPS-enabled domains by inspecting the SNI in the [unencrypted ClientHello](https://en.wikipedia.org/wiki/Server_Name_Indication#Security_implications) message. There is increasing support for encrypted Client Hello which defeats SNI inspection.
+
+
 ## Splunk
 A CSV file for Splunk [lookup](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutlookupsandfieldactions).
diff --git a/src/ids.js b/src/ids.js
index d978f61a..888e71ee 100644
--- a/src/ids.js
+++ b/src/ids.js
@@ -18,6 +18,10 @@ const suricata = createWriteStream('../public/phishing-filter-suricata.rules', {
   encoding: 'utf8',
   flags: 'a'
 })
+const suricataSni = createWriteStream('../public/phishing-filter-suricata-sni.rules', {
+  encoding: 'utf8',
+  flags: 'a'
+})
 const splunk = createWriteStream('../public/phishing-filter-splunk.csv', {
   encoding: 'utf8',
   flags: 'a'
@@ -29,6 +33,7 @@ for await (const domain of domains.readLines()) {
   snort2.write(`alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"phishing-filter phishing website detected"; flow:established,from_client; content:"GET"; http_method; content:"${domain}"; content:"Host"; http_header; classtype:attempted-recon; sid:${sid}; rev:1;)\n`)
   snort3.write(`alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"phishing-filter phishing website detected"; http_header:field host; content:"${domain}",nocase; classtype:attempted-recon; sid:${sid}; rev:1;)\n`)
   suricata.write(`alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"phishing-filter phishing website detected"; flow:established,from_client; http.method; content:"GET"; http.host; content:"${domain}"; classtype:attempted-recon; sid:${sid} rev:1;)\n`)
+  suricataSni.write(`alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"phishing-filter phishing website detected"; flow:established,from_client; tls.sni; bsize:32; content:"${domain}"; fast_pattern; classtype:attempted-recon; sid:${sid} rev:1;)\n`)
   splunk.write(`"${domain}","","phishing-filter phishing website detected","${process.env.CURRENT_TIME}"\n`)
   sid++
diff --git a/src/script.sh b/src/script.sh
index ef773580..6e9f3fb7 100644
--- a/src/script.sh
+++ b/src/script.sh
@@ -393,6 +393,7 @@ sed "1s/Domains/Wildcard Asterisk/" > "../public/phishing-filter-wildcard.txt"
 rm "../public/phishing-filter-snort2.rules" \
   "../public/phishing-filter-snort3.rules" \
   "../public/phishing-filter-suricata.rules" \
+  "../public/phishing-filter-suricata-sni.rules" \
   "../public/phishing-filter-splunk.csv"
 export CURRENT_TIME
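Review bot: `bsize:32;` in the new `suricataSni.write` rule pins the SNI buffer length to exactly 32 bytes, so the rule can only fire for list entries that happen to be 32 characters long and is dead for every other domain. The length should follow the entry, e.g. `tls.sni; bsize:${domain.length}; content:"${domain}"; fast_pattern;`, which also turns the content test from a substring match into an exact hostname match (so `example.com` does not fire on `notexample.com`); this assumes the list holds ASCII/punycode names, since an IDN entry would make `domain.length` differ from the byte length Suricata compares. Separately, `sid:${sid} rev:1;` leaves the `sid` option unterminated before `rev` — the existing `suricata.write` context line has the same form, so it may already be known to load, but the Snort rules in the same loop and Suricata's option syntax both close it as `sid:${sid}; rev:1;`. The enclosing `for await` loop starts outside the hunk.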
@@ -407,6 +408,9 @@ sed -i "1s/Domains Blocklist/URL Snort3 Ruleset/" "../public/phishing-filter-sno
 sed -i "1i $COMMENT" "../public/phishing-filter-suricata.rules"
 sed -i "1s/Domains Blocklist/URL Suricata Ruleset/" "../public/phishing-filter-suricata.rules"
+sed -i "1i $COMMENT" "../public/phishing-filter-suricata-sni.rules"
+sed -i "1s/Domains Blocklist/Domain Suricata Ruleset (SNI)/" "../public/phishing-filter-suricata-sni.rules"
+
 sed -i -e "1i $COMMENT" -e '1i "host","path","message","updated"' "../public/phishing-filter-splunk.csv"
 sed -i "1s/Domains Blocklist/URL Splunk Lookup/" "../public/phishing-filter-splunk.csv"