
otx-suricata's Introduction


OTX Suricata Rule Generator

The OTX Suricata Rule Generator can be used to create the rules and configuration for Suricata to alert on indicators from your OTX account (otx.alienvault.com). This is done with the Suricata IP Reputation and file extraction features. For every pulse you are subscribed to, it adds all the IPv4 indicators in the pulse to a generated IP reputation file. It also creates a Suricata MD5 file for each pulse that has MD5 indicators, along with a corresponding rule for each of these files.
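The generation step described above, written out as an added example that is not the project's own suricata.py: it takes OTX-style pulse records (constructed sample data here, using OTX's "IPv4" and "FileHash-MD5" indicator type names), de-duplicates the IPv4 indicators into reputation.list lines in Suricata's <ip>,<category id>,<score> format, writes one MD5 file per pulse that has valid MD5 indicators, and emits a filemd5 rule per file in the shape the generator uses. The category id 200, the reputation score 100 and the base SID 4000000 are assumptions. The example escapes `;`, `"` and `\` in the msg option, decodes bytes pulse names so they never render as b'...', and assigns SIDs sequentially in pulse-id order so two pulses cannot share one within a run; those are the failure modes reported in the issues on this page.

```python
"""Added example: build Suricata iprep and filemd5 artifacts from OTX-style pulse data."""
import re

# Constructed sample pulses (not fetched from OTX). Field names follow the OTX
# pulse JSON ("id", "name", "indicators" with "type"/"indicator"); ids and names
# are made up, and the names deliberately contain ';' and '"'.
SAMPLE_PULSES = [
    {"id": "000000000000000000000001",
     "name": b"Example Adware; Mac/Variant",          # bytes: the Python 3 b'...' pitfall
     "indicators": [
         {"type": "IPv4", "indicator": "203.0.113.10"},
         {"type": "IPv4", "indicator": "203.0.113.10"},            # duplicate on purpose
         {"type": "FileHash-MD5", "indicator": "d41d8cd98f00b204e9800998ecf8427e"},
         {"type": "FileHash-MD5", "indicator": "not-a-hash"},      # must be dropped
     ]},
    {"id": "000000000000000000000002",
     "name": 'New "Bart" Ransomware',
     "indicators": [
         {"type": "IPv4", "indicator": "198.51.100.7"},
         {"type": "domain", "indicator": "example.invalid"},        # type not handled here
         {"type": "FileHash-MD5", "indicator": "900150983cd24fb0d6963f7d28e17f72"},
     ]},
]

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
OTX_CATEGORY_ID = 200        # assumed category id for categories.txt
OTX_REPUTATION_SCORE = 100   # assumed score; Suricata iprep scores range 0-127


def to_text(value):
    """Decode bytes so a pulse name never renders as b'...' inside a rule msg."""
    return value.decode("utf-8") if isinstance(value, bytes) else str(value)


def escape_msg(text):
    """Escape the characters Suricata treats specially inside option values."""
    return text.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def iprep_entries(pulses, category_id=OTX_CATEGORY_ID, score=OTX_REPUTATION_SCORE):
    """reputation.list lines: <ip>,<category id>,<score>, de-duplicated across pulses."""
    ips = sorted({i["indicator"] for p in pulses for i in p["indicators"] if i["type"] == "IPv4"})
    return ["%s,%d,%d" % (ip, category_id, score) for ip in ips]


def md5_file(pulse):
    """One validated, lower-cased MD5 per line for the filemd5 keyword; None if the pulse has none."""
    hashes = sorted({i["indicator"].lower() for i in pulse["indicators"]
                     if i["type"] == "FileHash-MD5" and MD5_RE.match(i["indicator"])})
    return "\n".join(hashes) + "\n" if hashes else None


def md5_rule(pulse, sid):
    """Rule in the shape the generator emits, with the msg escaped and a caller-supplied sid."""
    pid = to_text(pulse["id"])
    name = escape_msg(to_text(pulse["name"]))
    return ('alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse %s"; '
            'filemd5:%s.txt; reference:url,otx.alienvault.com/pulse/%s; sid:%d; rev:1;)'
            % (name, pid, pid, sid))


def generate(pulses, base_sid=4000000):
    """Return all generated artifacts. SIDs are assigned sequentially in pulse-id
    order, so two rules produced in one run can never collide."""
    out = {"reputation.list": iprep_entries(pulses),
           "categories.txt": ["%d,OTX,Indicators from subscribed OTX pulses" % OTX_CATEGORY_ID],
           "md5_files": {}, "rules": []}
    sid = base_sid
    for pulse in sorted(pulses, key=lambda p: to_text(p["id"])):
        content = md5_file(pulse)
        if content is None:
            continue   # no valid MD5 indicators: no file and no rule for this pulse
        out["md5_files"][to_text(pulse["id"]) + ".txt"] = content
        out["rules"].append(md5_rule(pulse, sid))
        sid += 1
    return out


if __name__ == "__main__":
    result = generate(SAMPLE_PULSES)
    print("\n".join(result["reputation.list"]))
    print("\n".join(result["rules"]))
```

Running the block prints two reputation.list lines and two rules; the first rule's msg reads `Example Adware\; Mac/Variant` rather than failing Suricata's parser on the bare semicolon.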

BETA NOTICE

This is under active development. It has been tested in our lab in scenarios that replicate real-world installs. However, Suricata is a complicated product with many configuration options. If you have anything other than a default configuration, please adapt the output of this tool as appropriate. As always, feedback and improvements are welcome!

Usage

  1. Install OTX API (https://github.com/AlienVault-Labs/OTX-Python-SDK)
  2. Run python suricata.py to see usage

usage: suricata.py [-h] [--skip-iprep] [--skip-filemd5] [--key KEY]
                   [--destination-directory DESTINATION_DIRECTORY]

optional arguments:
  -h, --help            show this help message and exit
  --skip-iprep          Do not generate IP Reputation files and rules
  --skip-filemd5        Do not generate file MD5 and rules
  --key KEY             Your OTX API key (https://otx.alienvault.com/api)
  --destination-directory DESTINATION_DIRECTORY, -dd DESTINATION_DIRECTORY
                        The destination directory for the generated file

  3. Run python suricata.py --key <OTX KEY> to generate default IP Reputation and MD5 Rules
  4. Follow instructions in output to integrate into your existing Suricata installation

otx-suricata's People

Contributors

rspitler-alien

otx-suricata's Issues

Python3 Warning

When run with Python3 (v3.7.3), warnings are output for unsupported lib versions...

/usr/lib/python3/dist-packages/requests/__init__.py:91: RequestsDependencyWarning: urllib3 (1.25.2) or chardet (3.0.4) doesn't match a supported version!

--destination-directory error

Hello,

Using c5b1b65 on Ubuntu 14.04.4, I get the following error:

suricata.py: error: argument --destination-directory/-dd: can't open '/etc/suricata/rules/': [Errno 21] Is a directory: '/etc/suricata/rules/'

thank you.

Possibly failing with recently updated OTX API?


Traceback (most recent call last):
  File "/opt/otx-suricata/suricata.py", line 141, in <module>
    sclient.generate_rules(not args.skip_iprep, not args.skip_filemd5)
  File "/opt/otx-suricata/suricata.py", line 37, in generate_rules
    for pulse in self.client.getall_iter():
  File "/usr/local/lib/python2.7/dist-packages/OTXv2.py", line 287, in getall_iter
    json_data = self.get(next_page_url)
  File "/usr/local/lib/python2.7/dist-packages/OTXv2.py", line 83, in get
    data = response.read().decode('utf-8')
AttributeError: 'NoneType' object has no attribute 'read'

rules configuration error

Rules configuration error: after getting the rules we can't use them; we get an error like the one below.

Suricata Version 6.0.3

22/8/2021 -- 06:17:19 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse b'BRONZE UNION Cyberespionage Persists Despite Disclosures'";  filemd5:md5file/595f8a578737585d5df566c5.txt; reference: url, otx.alienvault.com/pulse/595f8a578737585d5df566c5; sid:414779; rev:1;)"
22/8/2021 -- 06:17:19 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse b'BRONZE UNION Cyberespionage Persists Despite Disclosures'";  filemd5:md5file/595f8a578737585d5df566c5.txt; reference: url, otx.alienvault.com/pulse/595f8a578737585d5df566c5; sid:414779; rev:1;)" from file /var/lib/suricata/rules/otx_file_rules.rules at line 1753
22/8/2021 -- 06:17:19 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse b'XData ransomware attacked users in Ukraine'";  filemd5:md5file/595613f3e7adef22e04aac28.txt; reference: url, otx.alienvault.com/pulse/595613f3e7adef22e04aac28; sid:418597; rev:1;)"

Duplicate SID

The suricata.py file generates same signatures with different filemd5 hashes for the same attack type. Any help here would be greatly appreciated. Thank you so much for providing this integration point!! It's very appreciated!

Unescaped Semi-colons

Semi-colons in a number of default OTX rules are not being escaped correctly...

#22/11/2018 -- 02:08:05 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - bad option value formatting (possible missing semicolon) for keyword msg: '"OTX - FILE MD5 from pulse Cross-Platform Adware'
#22/11/2018 -- 02:08:05 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse Cross-Platform Adware; OSX/Pirrit";  filemd5:5707d68267db8c4b471bdacf.txt; reference: url, otx.alienvault.com/pulse/5707d68267db8c4b471bdacf; sid:415921; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 8404
#22/11/2018 -- 02:08:06 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - bad option value formatting (possible missing semicolon) for keyword msg: '"OTX - FILE MD5 from pulse OilRig uses ISMDoor variant'
#22/11/2018 -- 02:08:06 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse OilRig uses ISMDoor variant; Possibly Linked to Greenbug Threat Group";  filemd5:5979ed91a87db72373caeedb.txt; reference: url, otx.alienvault.com/pulse/5979ed91a87db72373caeedb; sid:416715; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25898
#22/11/2018 -- 02:08:06 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - bad option value formatting (possible missing semicolon) for keyword msg: '"OTX - FILE MD5 from pulse &#39'
#22/11/2018 -- 02:08:06 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse &#39;Los Pollos Hermanos&#39; crypto ransomware using PowerShell Empire";  filemd5:555b6414b45ff5650e2e4e03.txt; reference: url, otx.alienvault.com/pulse/555b6414b45ff5650e2e4e03; sid:417984; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 28848
#22/11/2018 -- 02:08:06 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - bad option value formatting (possible missing semicolon) for keyword msg: '"OTX - FILE MD5 from pulse Zcrypt Expands Reach as &#39'
#22/11/2018 -- 02:08:06 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse Zcrypt Expands Reach as &#39;Virus Ransomware&#39;";  filemd5:5758c4e8377bbb01340e895d.txt; reference: url, otx.alienvault.com/pulse/5758c4e8377bbb01340e895d; sid:415361; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 33699
#22/11/2018 -- 02:08:07 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - bad option value formatting (possible missing semicolon) for keyword msg: '"OTX - FILE MD5 from pulse New &quot'
#22/11/2018 -- 02:08:07 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse New &quot;Bart&quot; Ransomware from Threat Actors Spreading Dridex and Locky";  filemd5:576da1ebf9467301352ce785.txt; reference: url, otx.alienvault.com/pulse/576da1ebf9467301352ce785; sid:412489; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 73956
#22/11/2018 -- 02:08:08 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - bad option value formatting (possible missing semicolon) for keyword msg: '"OTX - FILE MD5 from pulse Trickbot Implements Network Collector Module Leveraging CMD, WMI &amp'
#22/11/2018 -- 02:08:08 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse Trickbot Implements Network Collector Module Leveraging CMD, WMI &amp; LDAP";  filemd5:5ac41c2acc63930ce439ce9e.txt; reference: url, otx.alienvault.com/pulse/5ac41c2acc63930ce439ce9e; sid:411456; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 82590

categories.txt reset

The script, rather than inserting an entry into categories.txt, overwrites the file, which is problematic when using reputation sources besides OTX.

Uncaught exception on empty response from OTX

OTXv2.py throws an exception from line 83 (response.read().decode...) if there is no data in the response.

I find that this happens at least once while running the ip reputation generator on reasonably large pulse subscriptions. As the exception is uncaught, the long-running getall_iter() fails and getting an updated reputation.list is very difficult.

SIDs generated by this script aren't always unique:

e.g.

alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse Inside the spyware campaign against Argentine troublemakers";  filemd5:55d79cc967db8c7bb8cb5a72.txt; reference: url, otx.alienvault.com/pulse/55d79cc967db8c7bb8cb5a72; sid:414932; rev:1;)
alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse Macro Downloaders (Aga Dell)";  filemd5:58c69a109c4484412c9d2a3b.txt; reference: url, otx.alienvault.com/pulse/58c69a109c4484412c9d2a3b; sid:414932; rev:1;)
