perf: rewrite IDS rule creation in javascript

"while do" can be inefficient
previously took 1.8s, now takes 0.2s
This commit is contained in:
Ming Di Leom 2025-03-17 12:00:35 +00:00
parent 3f2087bbe3
commit 6815b90e14
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
2 changed files with 37 additions and 21 deletions

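--- a/src/ids.js
+++ b/src/ids.js
@@ -0,0 +1,35 @@
+import { createInterface } from 'node:readline'
+import { createWriteStream } from 'node:fs'
+const snort2 = createWriteStream('../public/vn-badsite-filter-snort2.rules', {
+encoding: 'utf8',
+flags: 'a'
+})
+const snort3 = createWriteStream('../public/vn-badsite-filter-snort3.rules', {
+encoding: 'utf8',
+flags: 'a'
+})
+const suricata = createWriteStream('../public/vn-badsite-filter-suricata.rules', {
+encoding: 'utf8',
+flags: 'a'
+})
+const splunk = createWriteStream('../public/vn-badsite-filter-splunk.csv', {
+encoding: 'utf8',
+flags: 'a'
+})
+let sid = 500000001
+for await (const domain of createInterface({ input: process.stdin })) {
+snort2.write(`alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"vn-badsite-filter malicious website detected"; flow:established,from_client; content:"GET"; http_method; content:"${domain}"; content:"Host"; http_header; classtype:attempted-recon; sid:${sid}; rev:1;)\n`)
+snort3.write(`alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"vn-badsite-filter malicious website detected"; http_header:field host; content:"${domain}",nocase; classtype:attempted-recon; sid:${sid}; rev:1;)\n`)
+suricata.write(`alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"vn-badsite-filter malicious website detected"; flow:established,from_client; http.method; content:"GET"; http.host; content:"${domain}"; classtype:attempted-recon; sid:${sid} rev:1;)\n`)
+splunk.write(`"$${domain}","","vn-badsite-filter malicious website detected","${process.env.CURRENT_TIME}"\n`)
+sid++
+}
+snort2.close()
+snort3.close()
+suricata.close()
+splunk.close()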
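Review bot: The Splunk row written by `splunk.write(...)` uses `"$${domain}"`, and in a template literal `$$` is a literal dollar sign followed by the substitution, so every CSV row now carries a `$` in front of the domain where the removed shell version (`\"$DOMAIN\"`) emitted the bare domain; replace `$${domain}` with `${domain}`. The Suricata rule also loses the option separator after the sid — `sid:${sid} rev:1;` — whereas the shell version had `sid:$SID; rev:1;`, so Suricata is unlikely to load the rule; restore `sid:${sid}; rev:1;`. Both are regressions a golden-file diff of the generated rulesets against the pre-rewrite output would have caught, so that check is worth adding alongside this change. Separately, each input line is interpolated unescaped into Snort/Suricata option strings and a CSV field, and a line containing `"` or `;` would corrupt the rule syntax, so a guard such as `if (!/^[a-z0-9.-]+$/i.test(domain)) continue` before the writes would keep the generated files well-formed.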


@ -182,34 +182,15 @@ sed "1i $COMMENT_IE" | \
sed "2s/Domains Blocklist/Hosts Blocklist (IE)/" > "../public/vn-badsite-filter.tpl"
set +x
## Snort & Suricata rulesets
rm -f "../public/vn-badsite-filter-snort2.rules" \
"../public/vn-badsite-filter-snort3.rules" \
"../public/vn-badsite-filter-suricata.rules" \
"../public/vn-badsite-filter-splunk.csv"
SID="500000001"
while read DOMAIN; do
SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"vn-badsite-filter malicious website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$DOMAIN\"; content:\"Host\"; http_header; classtype:attempted-recon; sid:$SID; rev:1;)"
export CURRENT_TIME
cat "domains.txt" | node "../src/ids.js"
SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter malicious website detected\"; http_header:field host; content:\"$DOMAIN\",nocase; classtype:attempted-recon; sid:$SID; rev:1;)"
SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter malicious website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.host; content:\"$DOMAIN\"; classtype:attempted-recon; sid:$SID; rev:1;)"
SP_RULE="\"$DOMAIN\",\"\",\"vn-badsite-filter malicious website detected\",\"$CURRENT_TIME\""
echo "$SN_RULE" >> "../public/vn-badsite-filter-snort2.rules"
echo "$SN3_RULE" >> "../public/vn-badsite-filter-snort3.rules"
echo "$SR_RULE" >> "../public/vn-badsite-filter-suricata.rules"
echo "$SP_RULE" >> "../public/vn-badsite-filter-splunk.csv"
SID=$(( $SID + 1 ))
done < "domains.txt"
set -x
sed -i "1i $COMMENT" "../public/vn-badsite-filter-snort2.rules"
sed -i "1s/Blocklist/Snort2 Ruleset/" "../public/vn-badsite-filter-snort2.rules"