From 6815b90e1488a768e9c5328f4409157acfe26c7d Mon Sep 17 00:00:00 2001
From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com>
Date: Mon, 17 Mar 2025 12:00:35 +0000
Subject: [PATCH] perf: rewrite IDS rule creation in javascript

"while do" can be inefficient previously took 1.8s is now 0.2s
---
 src/ids.js | 35 +++++++++++++++++++++++++++++++++++
 src/script.sh | 23 ++---------------------
 2 files changed, 37 insertions(+), 21 deletions(-)
 create mode 100644 src/ids.js

diff --git a/src/ids.js b/src/ids.js
new file mode 100644
index 0000000..c57b537
--- /dev/null
+++ b/src/ids.js
@@ -0,0 +1,35 @@
+import { createInterface } from 'node:readline'
+import { createWriteStream } from 'node:fs'
+
+const snort2 = createWriteStream('../public/vn-badsite-filter-snort2.rules', {
+  encoding: 'utf8',
+  flags: 'a'
+})
+const snort3 = createWriteStream('../public/vn-badsite-filter-snort3.rules', {
+  encoding: 'utf8',
+  flags: 'a'
+})
+const suricata = createWriteStream('../public/vn-badsite-filter-suricata.rules', {
+  encoding: 'utf8',
+  flags: 'a'
+})
+const splunk = createWriteStream('../public/vn-badsite-filter-splunk.csv', {
+  encoding: 'utf8',
+  flags: 'a'
+})
+
+let sid = 500000001
+
+for await (const domain of createInterface({ input: process.stdin })) {
+  snort2.write(`alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"vn-badsite-filter malicious website detected"; flow:established,from_client; content:"GET"; http_method; content:"${domain}"; content:"Host"; http_header; classtype:attempted-recon; sid:${sid}; rev:1;)\n`)
+  snort3.write(`alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"vn-badsite-filter malicious website detected"; http_header:field host; content:"${domain}",nocase; classtype:attempted-recon; sid:${sid}; rev:1;)\n`)
+  suricata.write(`alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"vn-badsite-filter malicious website detected"; flow:established,from_client; http.method; content:"GET"; http.host; content:"${domain}"; classtype:attempted-recon; sid:${sid} rev:1;)\n`)
+  splunk.write(`"$${domain}","","vn-badsite-filter malicious website detected","${process.env.CURRENT_TIME}"\n`)
+
+  sid++
+}
+
+snort2.close()
+snort3.close()
+suricata.close()
+splunk.close()
diff --git a/src/script.sh b/src/script.sh
index f92dfd4..e713c11 100644
--- a/src/script.sh
+++ b/src/script.sh
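Review bot: The Suricata rule emitted on the `suricata.write` line drops the option separator between sid and rev — it writes `sid:${sid} rev:1;` where the removed shell version had `sid:$SID; rev:1;` — so every generated Suricata rule is malformed and will be rejected at load time. The `splunk.write` line has the opposite slip: `"$${domain}"` puts a literal `$` in front of each hostname in the CSV (the shell template was `\"$DOMAIN\"`), so the lookup column no longer matches the domains it is meant to flag. Both lines should read `sid:${sid}; rev:1;)` and `"${domain}",""` respectively. Separately, `domain` is interpolated unescaped into the rule `content:"…"` options and the CSV, so a line in domains.txt containing `"` or `;` would corrupt the output files; validating each line against the hostname grammar before writing would make the generator robust to a bad upstream entry (the shell loop had the same exposure).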
@@ -182,34 +182,15 @@ sed "1i $COMMENT_IE" | \ sed "2s/Domains Blocklist/Hosts Blocklist (IE)/" > "../public/vn-badsite-filter.tpl" -set +x - ## Snort & Suricata rulesets rm -f "../public/vn-badsite-filter-snort2.rules" \ "../public/vn-badsite-filter-snort3.rules" \ "../public/vn-badsite-filter-suricata.rules" \ "../public/vn-badsite-filter-splunk.csv" -SID="500000001" -while read DOMAIN; do - SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"vn-badsite-filter malicious website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$DOMAIN\"; content:\"Host\"; http_header; classtype:attempted-recon; sid:$SID; rev:1;)" +export CURRENT_TIME +cat "domains.txt" | node "../src/ids.js" - SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter malicious website detected\"; http_header:field host; content:\"$DOMAIN\",nocase; classtype:attempted-recon; sid:$SID; rev:1;)" - - SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter malicious website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.host; content:\"$DOMAIN\"; classtype:attempted-recon; sid:$SID; rev:1;)" - - SP_RULE="\"$DOMAIN\",\"\",\"vn-badsite-filter malicious website detected\",\"$CURRENT_TIME\"" - - echo "$SN_RULE" >> "../public/vn-badsite-filter-snort2.rules" - echo "$SN3_RULE" >> "../public/vn-badsite-filter-snort3.rules" - echo "$SR_RULE" >> "../public/vn-badsite-filter-suricata.rules" - echo "$SP_RULE" >> "../public/vn-badsite-filter-splunk.csv" - - SID=$(( $SID + 1 )) -done < "domains.txt" - - -set -x sed -i "1i $COMMENT" "../public/vn-badsite-filter-snort2.rules" sed -i "1s/Blocklist/Snort2 Ruleset/" "../public/vn-badsite-filter-snort2.rules"