sagan_crafter 0.4.0 → 0.4.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.travis.yml +9 -1
- data/README.md +24 -6
- data/lib/sagan_crafter.rb +1 -3
- data/lib/sagan_crafter/version.rb +1 -1
- data/sagan_crafter.gemspec +4 -4
- metadata +14 -28
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9a6a885c8498aa709e3860447e87a51dd13f9fcf
|
|
4
|
+
data.tar.gz: d1e5abd0599750dd1e49a8246fe16db510b49ba8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3701c3c2dd135a35beec646288b10e2e1e28f1877eeebb2f0dd3716a7424a8e3df52f1fbba3281b91739f964a2227cc90efeedea7eb160fbbd0a20e811609763
|
|
7
|
+
data.tar.gz: a7c850947bb1129c73f6549557e8976e9b62f25ffd1d795805244d32440b5989f7e37bc0a6099005bab944994ca1bb869b1a60ece4f636f1b6a9341ea188681e
|
data/.travis.yml
CHANGED
data/README.md
CHANGED
|
@@ -2,13 +2,20 @@
|
|
|
2
2
|
|
|
3
3
|
Sagan Crafter is designed to help build SAGAN rules from simple backends.
|
|
4
4
|
|
|
5
|
+
## Code Status
|
|
6
|
+
|
|
7
|
+
[](https://travis-ci.org/shadowbq/threatinator-amqp-rcvr)
|
|
8
|
+
[](http://badge.fury.io/rb/threatinator-amqp-rcvr)
|
|
9
|
+
[](https://github.com/shadowbq/threatinator-amqp-rcvr/releases)
|
|
10
|
+
|
|
11
|
+
## Example Sagan Rules created
|
|
12
|
+
|
|
5
13
|
```
|
|
6
|
-
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation -
|
|
7
|
-
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation -
|
|
8
|
-
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation -
|
|
9
|
-
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation -
|
|
10
|
-
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation -
|
|
11
|
-
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - www.itidea.it"; content:"www.itidea.it"; normalize:tightstack; sid:1352812295; program:tightstack; rev:2;)
|
|
14
|
+
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - adobedownloadupdate.com"; content:"adobedownloadupdate.com"; sid:1475620452; normalize:tightstack; program:tightstack; rev:1; metadata:time 1477926621, xxhash 9304759977013689372;)
|
|
15
|
+
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - ahrenhei.without-transfer.ru"; content:"ahrenhei.without-transfer.ru"; sid:1155553526; normalize:tightstack; program:tightstack; rev:1; metadata:time 1477926621, xxhash 7909456445805000225;)
|
|
16
|
+
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - atvracing.ru"; content:"atvracing.ru"; sid:1115626887; normalize:tightstack; program:tightstack; rev:1; metadata:time 1477926621, xxhash 7986141927809670135;)
|
|
17
|
+
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - benchmarkemailsite.com"; content:"benchmarkemailsite.com"; sid:1035073116; normalize:tightstack; program:tightstack; rev:1; metadata:time 1477926621, xxhash 4156062036502574446;)
|
|
18
|
+
alert tcp $HOME_NET any <> any any (msg:"[PASSIVEDNS] vxvault url_reputation - benveaskim.com"; content:"benveaskim.com"; sid:1218006184; normalize:tightstack; program:tightstack; rev:1; metadata:time 1477926621, xxhash 801405033058849559;)
|
|
12
19
|
```
|
|
13
20
|
|
|
14
21
|
## Simple Backends:
|
|
@@ -50,6 +57,17 @@ Options::
|
|
|
50
57
|
-h, --help Display this screen
|
|
51
58
|
|
|
52
59
|
```
|
|
60
|
+
## XXHash
|
|
61
|
+
|
|
62
|
+
XXhash is used to create a reference number from the content matcher. The 64 bit hash is attached as a reference if there is a collision in the sid generation. SID numbers use a weak algorithm that can easily lead to collisions. xxhash used to strictly identify the content of the SAGAN rules.
|
|
63
|
+
|
|
64
|
+
SIDs are calculated using:
|
|
65
|
+
|
|
66
|
+
```ruby
|
|
67
|
+
XXhash.xxh32(ioc) % 1000000000 + 1000000000,
|
|
68
|
+
```
|
|
69
|
+
|
|
70
|
+
Reference: https://github.com/Cyan4973/xxHash
|
|
53
71
|
|
|
54
72
|
## Development
|
|
55
73
|
|
data/lib/sagan_crafter.rb
CHANGED
|
@@ -3,7 +3,7 @@ require "sagan_crafter/version"
|
|
|
3
3
|
require 'snort/rule'
|
|
4
4
|
require 'sqlite3'
|
|
5
5
|
require 'xxhash'
|
|
6
|
-
require 'pry'
|
|
6
|
+
#require 'pry'
|
|
7
7
|
|
|
8
8
|
module SaganCrafter
|
|
9
9
|
$:.unshift(File.dirname(__FILE__))
|
|
@@ -15,6 +15,4 @@ module SaganCrafter
|
|
|
15
15
|
require "sagan_crafter/ruleset"
|
|
16
16
|
require "sagan_crafter/backends/sqlite"
|
|
17
17
|
require "sagan_crafter/factorize"
|
|
18
|
-
#require "sagan_crafter/factory/fqdnlogger"
|
|
19
|
-
#require "sagan_crafter/factory/iplogger"
|
|
20
18
|
end
|
data/sagan_crafter.gemspec
CHANGED
|
@@ -22,10 +22,10 @@ Gem::Specification.new do |spec|
|
|
|
22
22
|
spec.add_development_dependency "bundler", "~> 1.11"
|
|
23
23
|
spec.add_development_dependency "rake", "~> 10.0"
|
|
24
24
|
spec.add_development_dependency "rspec", "~> 3.0"
|
|
25
|
-
spec.add_development_dependency "bump"
|
|
25
|
+
spec.add_development_dependency "bump", "~> 0.5"
|
|
26
26
|
|
|
27
27
|
spec.add_dependency "snort-rule", "~> 1.5"
|
|
28
|
-
spec.add_dependency "sqlite3"
|
|
29
|
-
spec.add_dependency "xxhash"
|
|
30
|
-
spec.add_dependency "pry"
|
|
28
|
+
spec.add_dependency "sqlite3", "~> 1.3"
|
|
29
|
+
spec.add_dependency "xxhash", "~> 0.3"
|
|
30
|
+
#spec.add_dependency "pry"
|
|
31
31
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sagan_crafter
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- shadowbq
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-
|
|
11
|
+
date: 2016-11-02 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -56,16 +56,16 @@ dependencies:
|
|
|
56
56
|
name: bump
|
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|
|
58
58
|
requirements:
|
|
59
|
-
- - "
|
|
59
|
+
- - "~>"
|
|
60
60
|
- !ruby/object:Gem::Version
|
|
61
|
-
version: '0'
|
|
61
|
+
version: '0.5'
|
|
62
62
|
type: :development
|
|
63
63
|
prerelease: false
|
|
64
64
|
version_requirements: !ruby/object:Gem::Requirement
|
|
65
65
|
requirements:
|
|
66
|
-
- - "
|
|
66
|
+
- - "~>"
|
|
67
67
|
- !ruby/object:Gem::Version
|
|
68
|
-
version: '0'
|
|
68
|
+
version: '0.5'
|
|
69
69
|
- !ruby/object:Gem::Dependency
|
|
70
70
|
name: snort-rule
|
|
71
71
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -84,44 +84,30 @@ dependencies:
|
|
|
84
84
|
name: sqlite3
|
|
85
85
|
requirement: !ruby/object:Gem::Requirement
|
|
86
86
|
requirements:
|
|
87
|
-
- - "
|
|
87
|
+
- - "~>"
|
|
88
88
|
- !ruby/object:Gem::Version
|
|
89
|
-
version: '
|
|
89
|
+
version: '1.3'
|
|
90
90
|
type: :runtime
|
|
91
91
|
prerelease: false
|
|
92
92
|
version_requirements: !ruby/object:Gem::Requirement
|
|
93
93
|
requirements:
|
|
94
|
-
- - "
|
|
94
|
+
- - "~>"
|
|
95
95
|
- !ruby/object:Gem::Version
|
|
96
|
-
version: '
|
|
96
|
+
version: '1.3'
|
|
97
97
|
- !ruby/object:Gem::Dependency
|
|
98
98
|
name: xxhash
|
|
99
99
|
requirement: !ruby/object:Gem::Requirement
|
|
100
100
|
requirements:
|
|
101
|
-
- - "
|
|
102
|
-
- !ruby/object:Gem::Version
|
|
103
|
-
version: '0'
|
|
104
|
-
type: :runtime
|
|
105
|
-
prerelease: false
|
|
106
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
107
|
-
requirements:
|
|
108
|
-
- - ">="
|
|
109
|
-
- !ruby/object:Gem::Version
|
|
110
|
-
version: '0'
|
|
111
|
-
- !ruby/object:Gem::Dependency
|
|
112
|
-
name: pry
|
|
113
|
-
requirement: !ruby/object:Gem::Requirement
|
|
114
|
-
requirements:
|
|
115
|
-
- - ">="
|
|
101
|
+
- - "~>"
|
|
116
102
|
- !ruby/object:Gem::Version
|
|
117
|
-
version: '0'
|
|
103
|
+
version: '0.3'
|
|
118
104
|
type: :runtime
|
|
119
105
|
prerelease: false
|
|
120
106
|
version_requirements: !ruby/object:Gem::Requirement
|
|
121
107
|
requirements:
|
|
122
|
-
- - "
|
|
108
|
+
- - "~>"
|
|
123
109
|
- !ruby/object:Gem::Version
|
|
124
|
-
version: '0'
|
|
110
|
+
version: '0.3'
|
|
125
111
|
description: Write a longer description or delete this line.
|
|
126
112
|
email:
|
|
127
113
|
- shadowbq@gmail.com
|