sagan_crafter 0.4.0 → 0.4.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.travis.yml +9 -1
- data/README.md +24 -6
- data/lib/sagan_crafter.rb +1 -3
- data/lib/sagan_crafter/version.rb +1 -1
- data/sagan_crafter.gemspec +4 -4
- metadata +14 -28
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9a6a885c8498aa709e3860447e87a51dd13f9fcf
|
|
4
|
+
data.tar.gz: d1e5abd0599750dd1e49a8246fe16db510b49ba8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3701c3c2dd135a35beec646288b10e2e1e28f1877eeebb2f0dd3716a7424a8e3df52f1fbba3281b91739f964a2227cc90efeedea7eb160fbbd0a20e811609763
|
|
7
|
+
data.tar.gz: a7c850947bb1129c73f6549557e8976e9b62f25ffd1d795805244d32440b5989f7e37bc0a6099005bab944994ca1bb869b1a60ece4f636f1b6a9341ea188681e
|
data/.travis.yml
CHANGED
data/README.md
CHANGED
|
@@ -2,13 +2,20 @@
|
|
|
2
2
|
|
|
3
3
|
Sagan Crafter is designed to help build SAGAN rules from simple backends.
|
|
4
4
|
|
|
5
|
+
## Code Status
|
|
6
|
+
|
|
7
|
+
[](https://travis-ci.org/shadowbq/threatinator-amqp-rcvr)
|
|
8
|
+
[](http://badge.fury.io/rb/threatinator-amqp-rcvr)
|
|
9
|
+
[](https://github.com/shadowbq/threatinator-amqp-rcvr/releases)
|
|
10
|
+
|
|
11
|
+
## Example Sagan Rules created
|
|
12
|
+
|
|
5
13
|
```
|
|
6
|
-
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation -
|
|
7
|
-
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation -
|
|
8
|
-
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation -
|
|
9
|
-
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation -
|
|
10
|
-
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation -
|
|
11
|
-
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - www.itidea.it"; content:"www.itidea.it"; normalize:tightstack; sid:1352812295; program:tightstack; rev:2;)
|
|
14
|
+
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - adobedownloadupdate.com"; content:"adobedownloadupdate.com"; sid:1475620452; normalize:tightstack; program:tightstack; rev:1; metadata:time 1477926621, xxhash 9304759977013689372;)
|
|
15
|
+
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - ahrenhei.without-transfer.ru"; content:"ahrenhei.without-transfer.ru"; sid:1155553526; normalize:tightstack; program:tightstack; rev:1; metadata:time 1477926621, xxhash 7909456445805000225;)
|
|
16
|
+
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - atvracing.ru"; content:"atvracing.ru"; sid:1115626887; normalize:tightstack; program:tightstack; rev:1; metadata:time 1477926621, xxhash 7986141927809670135;)
|
|
17
|
+
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - benchmarkemailsite.com"; content:"benchmarkemailsite.com"; sid:1035073116; normalize:tightstack; program:tightstack; rev:1; metadata:time 1477926621, xxhash 4156062036502574446;)
|
|
18
|
+
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - benveaskim.com"; content:"benveaskim.com"; sid:1218006184; normalize:tightstack; program:tightstack; rev:1; metadata:time 1477926621, xxhash 801405033058849559;)
|
|
12
19
|
```
|
|
13
20
|
|
|
14
21
|
## Simple Backends:
|
|
@@ -50,6 +57,17 @@ Options::
|
|
|
50
57
|
-h, --help Display this screen
|
|
51
58
|
|
|
52
59
|
```
|
|
60
|
+
## XXHash
|
|
61
|
+
|
|
62
|
+
XXhash is used to create a reference number from the content matcher. The 64 bit hash is attached as a reference if there is a collision in the sid generation. SID numbers use a weak algorithm that can easily lead to collisions. xxhash used to strictly identify the content of the SAGAN rules.
|
|
63
|
+
|
|
64
|
+
SIDs are calculated using:
|
|
65
|
+
|
|
66
|
+
```ruby
|
|
67
|
+
XXhash.xxh32(ioc) % 1000000000 + 1000000000,
|
|
68
|
+
```
|
|
69
|
+
|
|
70
|
+
Reference: https://github.com/Cyan4973/xxHash
|
|
53
71
|
|
|
54
72
|
## Development
|
|
55
73
|
|
data/lib/sagan_crafter.rb
CHANGED
|
@@ -3,7 +3,7 @@ require "sagan_crafter/version"
|
|
|
3
3
|
require 'snort/rule'
|
|
4
4
|
require 'sqlite3'
|
|
5
5
|
require 'xxhash'
|
|
6
|
-
require 'pry'
|
|
6
|
+
#require 'pry'
|
|
7
7
|
|
|
8
8
|
module SaganCrafter
|
|
9
9
|
$:.unshift(File.dirname(__FILE__))
|
|
@@ -15,6 +15,4 @@ module SaganCrafter
|
|
|
15
15
|
require "sagan_crafter/ruleset"
|
|
16
16
|
require "sagan_crafter/backends/sqlite"
|
|
17
17
|
require "sagan_crafter/factorize"
|
|
18
|
-
#require "sagan_crafter/factory/fqdnlogger"
|
|
19
|
-
#require "sagan_crafter/factory/iplogger"
|
|
20
18
|
end
|
data/sagan_crafter.gemspec
CHANGED
|
@@ -22,10 +22,10 @@ Gem::Specification.new do |spec|
|
|
|
22
22
|
spec.add_development_dependency "bundler", "~> 1.11"
|
|
23
23
|
spec.add_development_dependency "rake", "~> 10.0"
|
|
24
24
|
spec.add_development_dependency "rspec", "~> 3.0"
|
|
25
|
-
spec.add_development_dependency "bump"
|
|
25
|
+
spec.add_development_dependency "bump", "~> 0.5"
|
|
26
26
|
|
|
27
27
|
spec.add_dependency "snort-rule", "~> 1.5"
|
|
28
|
-
spec.add_dependency "sqlite3"
|
|
29
|
-
spec.add_dependency "xxhash"
|
|
30
|
-
spec.add_dependency "pry"
|
|
28
|
+
spec.add_dependency "sqlite3", "~> 1.3"
|
|
29
|
+
spec.add_dependency "xxhash", "~> 0.3"
|
|
30
|
+
#spec.add_dependency "pry"
|
|
31
31
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sagan_crafter
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- shadowbq
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-
|
|
11
|
+
date: 2016-11-02 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -56,16 +56,16 @@ dependencies:
|
|
|
56
56
|
name: bump
|
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|
|
58
58
|
requirements:
|
|
59
|
-
- - "
|
|
59
|
+
- - "~>"
|
|
60
60
|
- !ruby/object:Gem::Version
|
|
61
|
-
version: '0'
|
|
61
|
+
version: '0.5'
|
|
62
62
|
type: :development
|
|
63
63
|
prerelease: false
|
|
64
64
|
version_requirements: !ruby/object:Gem::Requirement
|
|
65
65
|
requirements:
|
|
66
|
-
- - "
|
|
66
|
+
- - "~>"
|
|
67
67
|
- !ruby/object:Gem::Version
|
|
68
|
-
version: '0'
|
|
68
|
+
version: '0.5'
|
|
69
69
|
- !ruby/object:Gem::Dependency
|
|
70
70
|
name: snort-rule
|
|
71
71
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -84,44 +84,30 @@ dependencies:
|
|
|
84
84
|
name: sqlite3
|
|
85
85
|
requirement: !ruby/object:Gem::Requirement
|
|
86
86
|
requirements:
|
|
87
|
-
- - "
|
|
87
|
+
- - "~>"
|
|
88
88
|
- !ruby/object:Gem::Version
|
|
89
|
-
version: '
|
|
89
|
+
version: '1.3'
|
|
90
90
|
type: :runtime
|
|
91
91
|
prerelease: false
|
|
92
92
|
version_requirements: !ruby/object:Gem::Requirement
|
|
93
93
|
requirements:
|
|
94
|
-
- - "
|
|
94
|
+
- - "~>"
|
|
95
95
|
- !ruby/object:Gem::Version
|
|
96
|
-
version: '
|
|
96
|
+
version: '1.3'
|
|
97
97
|
- !ruby/object:Gem::Dependency
|
|
98
98
|
name: xxhash
|
|
99
99
|
requirement: !ruby/object:Gem::Requirement
|
|
100
100
|
requirements:
|
|
101
|
-
- - "
|
|
102
|
-
- !ruby/object:Gem::Version
|
|
103
|
-
version: '0'
|
|
104
|
-
type: :runtime
|
|
105
|
-
prerelease: false
|
|
106
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
107
|
-
requirements:
|
|
108
|
-
- - ">="
|
|
109
|
-
- !ruby/object:Gem::Version
|
|
110
|
-
version: '0'
|
|
111
|
-
- !ruby/object:Gem::Dependency
|
|
112
|
-
name: pry
|
|
113
|
-
requirement: !ruby/object:Gem::Requirement
|
|
114
|
-
requirements:
|
|
115
|
-
- - ">="
|
|
101
|
+
- - "~>"
|
|
116
102
|
- !ruby/object:Gem::Version
|
|
117
|
-
version: '0'
|
|
103
|
+
version: '0.3'
|
|
118
104
|
type: :runtime
|
|
119
105
|
prerelease: false
|
|
120
106
|
version_requirements: !ruby/object:Gem::Requirement
|
|
121
107
|
requirements:
|
|
122
|
-
- - "
|
|
108
|
+
- - "~>"
|
|
123
109
|
- !ruby/object:Gem::Version
|
|
124
|
-
version: '0'
|
|
110
|
+
version: '0.3'
|
|
125
111
|
description: Write a longer description or delete this line.
|
|
126
112
|
email:
|
|
127
113
|
- shadowbq@gmail.com
|