curben
/
urlhaus-filter
mirror of https://gitlab.com/malware-filter/urlhaus-filter
1
0
Fork 0
Code Issues Releases Wiki Activity

feat: add Snort3 ruleset

This commit is contained in:
MDLeom 2021-03-19 18:41:49 +00:00
parent bd2248c7ee
commit c32c3a41f9
3 changed files with 5428 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
README.md
View File

@ -15,6 +15,7 @@ There are multiple formats available, refer to the appropriate section according
- [Unbound](#unbound)
- Internet Explorer -> [Tracking Protection List (IE)](#tracking-protection-list-ie)
- [Snort2](#snort2)
- [Snort3](#snort3)
- [Suricata](#suricata)
Not sure which format to choose? See [Compatibility](https://gitlab.com/curben/urlhaus-filter/wikis/compatibility) page in the wiki.
@ -454,7 +455,7 @@ Lite version (online domains only):
## Snort2
This ruleset includes online URLs only. Not compatible with Snort3.
This ruleset includes online URLs only. Not compatible with [Snort3](#snort3).
### Install
@ -486,6 +487,48 @@ printf "\ninclude \$RULE_PATH/urlhaus-filter-snort2-online.rules\n" >> /etc/snor
</details>
## Snort3
This ruleset includes online URLs only. Not compatible with [Snort2](#snort2).
### Install
```
# Download ruleset
curl -L "https://curben.gitlab.io/malware-filter/urlhaus-filter-snort3-online.rules" -o "/etc/snort/rules/urlhaus-filter-snort3-online.rules"
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/urlhaus-filter-snort3-online.rules" -o "/etc/snort/rules/urlhaus-filter-snort3-online.rules"\n' > /etc/cron.daily/urlhaus-filter
# cron job requires execution permission
chmod 755 /etc/cron.daily/urlhaus-filter
```
Configure Snort to use the ruleset:
``` diff
# /etc/snort/snort.lua
ips =
{
variables = default_variables,
+ include = 'rules/urlhaus-filter-snort3-online.rules'
}
```
- https://curben.gitlab.io/malware-filter/urlhaus-filter-snort3-online.rules
<details>
<summary>Mirrors</summary>
- https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-snort3-online.rules
- https://glcdn.githack.com/curben/urlhaus-filter/raw/master/urlhaus-filter-snort3-online.rules
- https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-snort3-online.rules
- https://cdn.statically.io/gh/curbengh/urlhaus-filter/master/urlhaus-filter-snort3-online.rules
- https://gitcdn.xyz/repo/curbengh/urlhaus-filter/master/urlhaus-filter-snort3-online.rules
- https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-snort3-online.rules
</details>
## Suricata
This ruleset includes online URLs only.

15
script.sh
View File

@ -286,15 +286,20 @@ set +x
# Snort & Suricata
rm -f "../urlhaus-filter-snort2-online.rules" "../urlhaus-filter-suricata-online.rules"
rm -f "../urlhaus-filter-snort2-online.rules" \
"../urlhaus-filter-snort3-online.rules" \
"../urlhaus-filter-suricata-online.rules"
SID="100000001"
while read DOMAIN; do
SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$DOMAIN\"; content:\"Host\"; http_header; classtype:trojan-activity; sid:$SID; rev:1;)"
SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter malicious website detected\"; http_header:field host; content:\"$DOMAIN\",nocase; classtype:trojan-activity; sid:$SID; rev:1;)"
SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.host; content:\"$DOMAIN\"; classtype:trojan-activity; sid:$SID; rev:1;)"
echo "$SN_RULE" >> "../urlhaus-filter-snort2-online.rules"
echo "$SN3_RULE" >> "../urlhaus-filter-snort3-online.rules"
echo "$SR_RULE" >> "../urlhaus-filter-suricata-online.rules"
SID=$(( $SID + 1 ))
@ -306,9 +311,12 @@ while read URL; do
SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$(echo $URI | cut -c -2047)\"; http_uri; nocase; content:\"$HOST\"; content:\"Host\"; http_header; classtype:trojan-activity; sid:$SID; rev:1;)"
SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter malicious website detected\"; http_header:field host; content:\"$HOST\",nocase; http_uri; content:\"$URI\",nocase; classtype:trojan-activity; sid:$SID; rev:1;)"
SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.uri; content:\"$URI\"; endswith; nocase; http.host; content:\"$HOST\"; classtype:trojan-activity; sid:$SID; rev:1;)"
echo "$SN_RULE" >> "../urlhaus-filter-snort2-online.rules"
echo "$SN3_RULE" >> "../urlhaus-filter-snort3-online.rules"
echo "$SR_RULE" >> "../urlhaus-filter-suricata-online.rules"
SID=$(( $SID + 1 ))
@ -322,6 +330,11 @@ sed '1 i\'"$COMMENT_ONLINE"'' | \
sed "1s/Domains Blocklist/URL Snort2 Ruleset/" > "../urlhaus-filter-snort2-online.rules.temp"
mv "../urlhaus-filter-snort2-online.rules.temp" "../urlhaus-filter-snort2-online.rules"
cat "../urlhaus-filter-snort3-online.rules" | \
sed '1 i\'"$COMMENT_ONLINE"'' | \
sed "1s/Domains Blocklist/URL Snort3 Ruleset/" > "../urlhaus-filter-snort3-online.rules.temp"
mv "../urlhaus-filter-snort3-online.rules.temp" "../urlhaus-filter-snort3-online.rules"
cat "../urlhaus-filter-suricata-online.rules" | \
sed '1 i\'"$COMMENT_ONLINE"'' | \
sed "1s/Domains Blocklist/URL Suricata Ruleset/" > "../urlhaus-filter-suricata-online.rules.temp"

5370
urlhaus-filter-snort3-online.rules Normal file
View File

File diff suppressed because it is too large Load Diff