feat: add Snort2 and Suricata rulesets

2021-03-18 10:18:59 +00:00 · 2021-03-18 10:18:59 +00:00 · 3aa9130189
parent 74192f7e91
commit 3aa9130189
4 changed files with 10863 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -14,6 +14,8 @@ There are multiple formats available, refer to the appropriate section according
 - [BIND](#bind)
 - [Unbound](#unbound)
 - Internet Explorer -> [Tracking Protection List (IE)](#tracking-protection-list-ie)
+- [Snort2](#snort2)
+- [Suricata](#suricata)

 Not sure which format to choose? See [Compatibility](https://gitlab.com/curben/urlhaus-filter/wikis/compatibility) page in the wiki.

@ -450,6 +452,80 @@ Lite version (online domains only):

 </details>

+## Snort2
+
+This ruleset includes online URLs only. Not compatible with Snort3.
+
+### Install
+
+```
+# Download ruleset
+curl -L "https://curben.gitlab.io/malware-filter/urlhaus-filter-snort2-online.rules" -o "/etc/snort/rules/urlhaus-filter-snort2-online.rules"
+
+# Create a new cron job for daily update
+printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/urlhaus-filter-snort2-online.rules" -o "/etc/snort/rules/urlhaus-filter-snort2-online.rules"\n' > /etc/cron.daily/urlhaus-filter
+
+# cron job requires execution permission
+chmod 755 /etc/cron.daily/urlhaus-filter
+
+# Configure Snort to use the ruleset
+printf "\ninclude \$RULE_PATH/urlhaus-filter-snort2-online.rules\n" >> /etc/snort/snort.conf
+```
+
+- https://curben.gitlab.io/malware-filter/urlhaus-filter-snort2-online.rules
+
+<details>
+<summary>Mirrors</summary>
+
+- https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-snort2-online.rules
+- https://glcdn.githack.com/curben/urlhaus-filter/raw/master/urlhaus-filter-snort2-online.rules
+- https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-snort2-online.rules
+- https://cdn.statically.io/gh/curbengh/urlhaus-filter/master/urlhaus-filter-snort2-online.rules
+- https://gitcdn.xyz/repo/curbengh/urlhaus-filter/master/urlhaus-filter-snort2-online.rules
+- https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-snort2-online.rules
+
+</details>
+
+## Suricata
+
+This ruleset includes online URLs only.
+
+### Install
+
+```
+# Download ruleset
+curl -L "https://curben.gitlab.io/malware-filter/urlhaus-filter-suricata-online.rules" -o "/etc/suricata/rules/urlhaus-filter-suricata-online.rules"
+
+# Create a new cron job for daily update
+printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/urlhaus-filter-suricata-online.rules" -o "/etc/suricata/rules/urlhaus-filter-suricata-online.rules"\n' > /etc/cron.daily/urlhaus-filter
+
+# cron job requires execution permission
+chmod 755 /etc/cron.daily/urlhaus-filter
+```
+
+Configure Suricata to use the ruleset:
+
+``` diff
+# /etc/suricata/suricata.yaml
+rule-files:
+  - local.rules
+  - urlhaus-filter-suricata-online.rules
+```
+
+- https://curben.gitlab.io/malware-filter/urlhaus-filter-suricata-online.rules
+
+<details>
+<summary>Mirrors</summary>
+
+- https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-suricata-online.rules
+- https://glcdn.githack.com/curben/urlhaus-filter/raw/master/urlhaus-filter-suricata-online.rules
+- https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-suricata-online.rules
+- https://cdn.statically.io/gh/curbengh/urlhaus-filter/master/urlhaus-filter-suricata-online.rules
+- https://gitcdn.xyz/repo/curbengh/urlhaus-filter/master/urlhaus-filter-suricata-online.rules
+- https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-suricata-online.rules
+
+</details>
+
 ## Third-party mirrors

 <details>
--- a/script.sh
+++ b/script.sh
@ -281,6 +281,53 @@ sed '1 i\'"$COMMENT_ONLINE"'' | \
 sed "1s/Blocklist/Unbound Blocklist/" > "../urlhaus-filter-unbound-online.conf"


+## Temporarily disable command print
+set +x
+
+
+# Snort & Suricata
+rm -f "../urlhaus-filter-snort2-online.rules" "../urlhaus-filter-suricata-online.rules"
+
+SID="100000001"
+while read DOMAIN; do
+  SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$DOMAIN\"; content:\"Host\"; http_header; classtype:trojan-activity; sid:$SID; rev:1;)"
+
+  SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.host; content:\"$DOMAIN\"; classtype:trojan-activity; sid:$SID; rev:1;)"
+
+  echo "$SN_RULE" >> "../urlhaus-filter-snort2-online.rules"
+  echo "$SR_RULE" >> "../urlhaus-filter-suricata-online.rules"
+
+  SID=$(( $SID + 1 ))
+done < "malware-domains-online.txt"
+
+while read URL; do
+  HOST=$(echo "$URL" | cut -d"/" -f1)
+  URI=$(echo "$URL" | sed "s/^$HOST//")
+
+  SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$URI\"; http_uri; nocase; content:\"$HOST\"; content:\"Host\"; http_header; classtype:trojan-activity; sid:$SID; rev:1;)"
+
+  SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.uri; content:\"$URI\"; endswith; nocase; http.host; content:\"$HOST\"; classtype:trojan-activity; sid:$SID; rev:1;)"
+
+  echo "$SN_RULE" >> "../urlhaus-filter-snort2-online.rules"
+  echo "$SR_RULE" >> "../urlhaus-filter-suricata-online.rules"
+
+  SID=$(( $SID + 1 ))
+done < "malware-url-top-domains-raw-online.txt"
+
+## Re-enable command print
+set -x
+
+cat "../urlhaus-filter-snort2-online.rules" | \
+sed '1 i\'"$COMMENT_ONLINE"'' | \
+sed "1s/Domains Blocklist/URL Snort2 Ruleset/" > "../urlhaus-filter-snort2-online.rules.temp"
+mv "../urlhaus-filter-snort2-online.rules.temp" "../urlhaus-filter-snort2-online.rules"
+
+cat "../urlhaus-filter-suricata-online.rules" | \
+sed '1 i\'"$COMMENT_ONLINE"'' | \
+sed "1s/Domains Blocklist/URL Suricata Ruleset/" > "../urlhaus-filter-suricata-online.rules.temp"
+mv "../urlhaus-filter-suricata-online.rules.temp" "../urlhaus-filter-suricata-online.rules"
+
+
 ## IE blocklist
 COMMENT_IE="msFilterList\n$COMMENT\n: Expires=1\n#"
 COMMENT_ONLINE_IE="msFilterList\n$COMMENT_ONLINE\n: Expires=1\n#"
--- a/urlhaus-filter-snort2-online.rules
+++ b/urlhaus-filter-snort2-online.rules
--- a/urlhaus-filter-suricata-online.rules
+++ b/urlhaus-filter-suricata-online.rules