sagan_crafter 0.4.0 → 0.4.1

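--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: f1d7bb24c4114f2d7c6d33e69d7408d1eeb77a07
-data.tar.gz: 58ab491faa2df6568dbe94a1953e37af47d39311
+metadata.gz: 9a6a885c8498aa709e3860447e87a51dd13f9fcf
+data.tar.gz: d1e5abd0599750dd1e49a8246fe16db510b49ba8
 SHA512:
-metadata.gz: a72b348e2adf6bd76c338916b977079c4a8acb2275918771bf0f86a98b7b9a91d1fb8ee819ae2545b85c1d57dd149a380524f585efd904a929941e3475b77bb6
-data.tar.gz: 56ff929ce63782ad216b8bff3c134709fb2c4650833edf0bf0aa605e0009e221c9968bdce63f40d43f53e3c2aa32020a2d91d3920ae5a09bd8c7e3c7a8b4fe81
+metadata.gz: 3701c3c2dd135a35beec646288b10e2e1e28f1877eeebb2f0dd3716a7424a8e3df52f1fbba3281b91739f964a2227cc90efeedea7eb160fbbd0a20e811609763
+data.tar.gz: a7c850947bb1129c73f6549557e8976e9b62f25ffd1d795805244d32440b5989f7e37bc0a6099005bab944994ca1bb869b1a60ece4f636f1b6a9341ea188681e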
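--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -1,4 +1,12 @@
+sudo: false
 language: ruby
 rvm:
-- 2.2.3
+- 2.2.5
+- 2.3.1
+- ruby-head
+matrix:
+allow_failures:
+- ruby-head
+cache: bundler
 before_install: gem install bundler -v 1.11.2
+script: bundle exec rake spec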
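--- a/data/README.md
+++ b/data/README.md
@@ -2,13 +2,20 @@
 
 Sagan Crafter is designed to help build SAGAN rules from simple backends.
 
+## Code Status
+
+[![Build Status](https://travis-ci.org/shadowbq/threatinator-amqp-rcvr.svg?branch=master)](https://travis-ci.org/shadowbq/threatinator-amqp-rcvr)
+[![Gem Version](https://badge.fury.io/rb/threatinator-amqp-rcvr.png)](http://badge.fury.io/rb/threatinator-amqp-rcvr)
+[![Tags](https://img.shields.io/github/tag/shadowbq/threatinator-amqp-rcvr.svg)](https://github.com/shadowbq/threatinator-amqp-rcvr/releases)
+
+## Example Sagan Rules created
+
 ```
-alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - tscl.com.bd"; content:"tscl.com.bd"; normalize:tightstack; sid:1635309608; program:tightstack; rev:2;)
-alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - uclmfocus.com"; content:"uclmfocus.com"; normalize:tightstack; sid:1042387290; program:tightstack; rev:2;)
-alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - upstreams.info"; content:"upstreams.info"; normalize:tightstack; sid:1757176352; program:tightstack; rev:1;)
-alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - vibaavaacademy.com"; content:"vibaavaacademy.com"; normalize:tightstack; sid:1270011767; program:tightstack; rev:1;)
-alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - www.cpteducation.it"; content:"www.cpteducation.it"; normalize:tightstack; sid:1499466929; program:tightstack; rev:1;)
-alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - www.itidea.it"; content:"www.itidea.it"; normalize:tightstack; sid:1352812295; program:tightstack; rev:2;)
+alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - adobedownloadupdate.com"; content:"adobedownloadupdate.com"; sid:1475620452; normalize:tightstack; program:tightstack; rev:1; metadata:time 1477926621, xxhash 9304759977013689372;)
+alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - ahrenhei.without-transfer.ru"; content:"ahrenhei.without-transfer.ru"; sid:1155553526; normalize:tightstack; program:tightstack; rev:1; metadata:time 1477926621, xxhash 7909456445805000225;)
+alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - atvracing.ru"; content:"atvracing.ru"; sid:1115626887; normalize:tightstack; program:tightstack; rev:1; metadata:time 1477926621, xxhash 7986141927809670135;)
+alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - benchmarkemailsite.com"; content:"benchmarkemailsite.com"; sid:1035073116; normalize:tightstack; program:tightstack; rev:1; metadata:time 1477926621, xxhash 4156062036502574446;)
+alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - benveaskim.com"; content:"benveaskim.com"; sid:1218006184; normalize:tightstack; program:tightstack; rev:1; metadata:time 1477926621, xxhash 801405033058849559;)
 ```
 
 ## Simple Backends:
@@ -50,6 +57,17 @@ Options::
 -h, --help Display this screen
 
 ```
+## XXHash
+
+XXhash is used to create a reference number from the content matcher. The 64 bit hash is attached as a reference if there is a collision in the sid generation. SID numbers use a weak algorithm that can easily lead to collisions. xxhash used to strictly identify the content of the SAGAN rules.
+
+SIDs are calculated using:
+
+```ruby
+XXhash.xxh32(ioc) % 1000000000 + 1000000000,
+```
+
+Reference: https://github.com/Cyan4973/xxHash
 
 ## Development
 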
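--- a/data/lib/sagan_crafter.rb
+++ b/data/lib/sagan_crafter.rb
@@ -3,7 +3,7 @@ require "sagan_crafter/version"
 require 'snort/rule'
 require 'sqlite3'
 require 'xxhash'
-require 'pry'
+#require 'pry'
 
 module SaganCrafter
 $:.unshift(File.dirname(__FILE__))
@@ -15,6 +15,4 @@ module SaganCrafter
 require "sagan_crafter/ruleset"
 require "sagan_crafter/backends/sqlite"
 require "sagan_crafter/factorize"
-#require "sagan_crafter/factory/fqdnlogger"
-#require "sagan_crafter/factory/iplogger"
 end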
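Review bot: The new `#require 'pry'` line in the first hunk leaves commented-out code where the require used to be, and the gemspec hunk does the same with `#spec.add_dependency "pry"`; both lines should be deleted outright rather than commented, so the library does not keep a stale reference to a dependency the gem no longer declares. If pry is still wanted for interactive debugging it belongs with the development-only dependencies (the gemspec's `add_development_dependency` list), never in the library's top-level require list where a missing gem would raise `LoadError` for every consumer. The second hunk in this file already follows the cleaner pattern by removing the dead `#require "sagan_crafter/factory/..."` lines instead of keeping them, which is what the first hunk and the gemspec should do as well.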
@@ -1,3 +1,3 @@
1
1
  module SaganCrafter
2
- VERSION = "0.4.0"
2
+ VERSION = "0.4.1"
3
3
  end
@@ -22,10 +22,10 @@ Gem::Specification.new do |spec|
22
22
  spec.add_development_dependency "bundler", "~> 1.11"
23
23
  spec.add_development_dependency "rake", "~> 10.0"
24
24
  spec.add_development_dependency "rspec", "~> 3.0"
25
- spec.add_development_dependency "bump"
25
+ spec.add_development_dependency "bump", "~> 0.5"
26
26
 
27
27
  spec.add_dependency "snort-rule", "~> 1.5"
28
- spec.add_dependency "sqlite3"
29
- spec.add_dependency "xxhash"
30
- spec.add_dependency "pry"
28
+ spec.add_dependency "sqlite3", "~> 1.3"
29
+ spec.add_dependency "xxhash", "~> 0.3"
30
+ #spec.add_dependency "pry"
31
31
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sagan_crafter
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.4.0
4
+ version: 0.4.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - shadowbq
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2016-10-31 00:00:00.000000000 Z
11
+ date: 2016-11-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
@@ -56,16 +56,16 @@ dependencies:
56
56
  name: bump
57
57
  requirement: !ruby/object:Gem::Requirement
58
58
  requirements:
59
- - - ">="
59
+ - - "~>"
60
60
  - !ruby/object:Gem::Version
61
- version: '0'
61
+ version: '0.5'
62
62
  type: :development
63
63
  prerelease: false
64
64
  version_requirements: !ruby/object:Gem::Requirement
65
65
  requirements:
66
- - - ">="
66
+ - - "~>"
67
67
  - !ruby/object:Gem::Version
68
- version: '0'
68
+ version: '0.5'
69
69
  - !ruby/object:Gem::Dependency
70
70
  name: snort-rule
71
71
  requirement: !ruby/object:Gem::Requirement
@@ -84,44 +84,30 @@ dependencies:
84
84
  name: sqlite3
85
85
  requirement: !ruby/object:Gem::Requirement
86
86
  requirements:
87
- - - ">="
87
+ - - "~>"
88
88
  - !ruby/object:Gem::Version
89
- version: '0'
89
+ version: '1.3'
90
90
  type: :runtime
91
91
  prerelease: false
92
92
  version_requirements: !ruby/object:Gem::Requirement
93
93
  requirements:
94
- - - ">="
94
+ - - "~>"
95
95
  - !ruby/object:Gem::Version
96
- version: '0'
96
+ version: '1.3'
97
97
  - !ruby/object:Gem::Dependency
98
98
  name: xxhash
99
99
  requirement: !ruby/object:Gem::Requirement
100
100
  requirements:
101
- - - ">="
102
- - !ruby/object:Gem::Version
103
- version: '0'
104
- type: :runtime
105
- prerelease: false
106
- version_requirements: !ruby/object:Gem::Requirement
107
- requirements:
108
- - - ">="
109
- - !ruby/object:Gem::Version
110
- version: '0'
111
- - !ruby/object:Gem::Dependency
112
- name: pry
113
- requirement: !ruby/object:Gem::Requirement
114
- requirements:
115
- - - ">="
101
+ - - "~>"
116
102
  - !ruby/object:Gem::Version
117
- version: '0'
103
+ version: '0.3'
118
104
  type: :runtime
119
105
  prerelease: false
120
106
  version_requirements: !ruby/object:Gem::Requirement
121
107
  requirements:
122
- - - ">="
108
+ - - "~>"
123
109
  - !ruby/object:Gem::Version
124
- version: '0'
110
+ version: '0.3'
125
111
  description: Write a longer description or delete this line.
126
112
  email:
127
113
  - shadowbq@gmail.com