Re: [W3af-develop] Snort rules to detect malware

Hi Andres,

I think no problem as long as the ruleset is open source. So when will we make it happen?

Regards,
Andri

On 6 Okt 2013, at 18.58, Andres Riancho <andres.rian...@gmail.com> wrote:

> Maybe the focus should be moved away from the detection engines (snort, suricata) and into the rules provider(s)?
>
> http://www.emergingthreats.net/open-source/
>
> On Sun, Oct 6, 2013 at 8:53 AM, Andres Riancho <andres.rian...@gmail.com> wrote:
>
>> Andri,
>>
>> Good question, actually I didn't even consider Suricata because I was unaware of its existence :(
>>
>> So, after reading the suricata website for some minutes it seems that their rule format is *very similar* (the same?) as the one from snort, which could make things easier if we want to support both.
>>
>> When it comes to what we want to do, the only thing that matters is quality (re: false positives) and quantity of the rules to detect web malware.
>>
>> Do you know if there is a comparison between suricata and snort rulesets?
>>
>> Regards,
>>
>> On Sat, Oct 5, 2013 at 11:37 PM, Andri Herumurti <vynx_1...@yahoo.com> wrote:
>>
>>> Hi Andres,
>>>
>>> How about using Suricata rather than Snort? Here is the comparison:
>>> http://wiki.aanval.com/wiki/Snort_vs_Suricata
>>>
>>> Regards,
>>> Andri
>>>
>>> From: Andres Riancho <andres.rian...@gmail.com>
>>> To: w3af-us...@lists.sourceforge.net; w3af-develop@lists.sourceforge.net
>>> Sent: Sunday, October 6, 2013 3:38 AM
>>> Subject: [W3af-develop] Snort rules to detect malware
>>>
>>> Guys,
>>>
>>> We already have a clamav plugin that will identify if an http response body (usually a PE, DLL, ELF, PDF, DOC etc.) contains a virus or not.
>>>
>>> The other day I was thinking about how to improve this and came up with the idea of using snort rules to detect malware [0]. The idea is rather simple:
>>>
>>> * Crawl the site (we already do that)
>>> * Parse snort rules into regular expressions
>>> * Create a grep plugin that will apply those regular expressions to each HTTP response body
>>> * If a match is found, then report it to the knowledge base
>>>
>>> What do you guys think about the idea? Anyone with snort experience to weigh in with some facts on how many false positives are found by rules like these? Does anyone know about the licensing for the rules? Can we include them into our repository?
>>>
>>> [0] https://github.com/andresriancho/w3af/issues/671
>>>
>>> Regards,
>>> --
>>> Andrés Riancho
>>> Project Leader at w3af - http://w3af.org/
>>> Web Application Attack and Audit Framework
>>> Twitter: @w3af
>>> GPG: 0x93C344F3

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60134071iu=/4140/ostg.clktrk
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
Re: [W3af-develop] Snort rules to detect malware

Andri,

On Mon, Oct 7, 2013 at 9:54 PM, Andri Herumurti <vynx_1...@yahoo.com> wrote:

> Hi Andres,
>
> I think no problem as long as the ruleset is open source. So when will we make it happen?

For now it's just an idea, I don't have a plan to implement it. I also want to collect more information on which ruleset is the best one to use. Sent an email to the snort and suricata mailing lists to ask some questions.

> Regards,
> Andri
>
> On 6 Okt 2013, at 18.58, Andres Riancho <andres.rian...@gmail.com> wrote:
>
>> Maybe the focus should be moved away from the detection engines (snort, suricata) and into the rules provider(s)?
>>
>> http://www.emergingthreats.net/open-source/

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
Re: [W3af-develop] Snort rules to detect malware

Andri,

Good question, actually I didn't even consider Suricata because I was unaware of its existence :(

So, after reading the suricata website for some minutes it seems that their rule format is *very similar* (the same?) as the one from snort, which could make things easier if we want to support both.

When it comes to what we want to do, the only thing that matters is quality (re: false positives) and quantity of the rules to detect web malware.

Do you know if there is a comparison between suricata and snort rulesets?

Regards,

On Sat, Oct 5, 2013 at 11:37 PM, Andri Herumurti <vynx_1...@yahoo.com> wrote:

> Hi Andres,
>
> How about using Suricata rather than Snort? Here is the comparison:
> http://wiki.aanval.com/wiki/Snort_vs_Suricata
>
> Regards,
> Andri

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
Re: [W3af-develop] Snort rules to detect malware

Hi Andres,

How about using Suricata rather than Snort? Here is the comparison:
http://wiki.aanval.com/wiki/Snort_vs_Suricata

Regards,
Andri

From: Andres Riancho <andres.rian...@gmail.com>
To: w3af-us...@lists.sourceforge.net; w3af-develop@lists.sourceforge.net
Sent: Sunday, October 6, 2013 3:38 AM
Subject: [W3af-develop] Snort rules to detect malware

> Guys,
>
> We already have a clamav plugin that will identify if an http response body (usually a PE, DLL, ELF, PDF, DOC etc.) contains a virus or not.
>
> The other day I was thinking about how to improve this and came up with the idea of using snort rules to detect malware [0]. The idea is rather simple:
>
> * Crawl the site (we already do that)
> * Parse snort rules into regular expressions
> * Create a grep plugin that will apply those regular expressions to each HTTP response body
> * If a match is found, then report it to the knowledge base
>
> What do you guys think about the idea? Anyone with snort experience to weigh in with some facts on how many false positives are found by rules like these? Does anyone know about the licensing for the rules? Can we include them into our repository?
>
> [0] https://github.com/andresriancho/w3af/issues/671
>
> Regards,
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
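The following is an added example, not code from the w3af project or from anyone in this thread, of the two middle steps of the proposal quoted above: translating Snort/Suricata rules into regular expressions and applying them to HTTP response bodies. It handles only a small subset of the rule language (the content option with nocase and |hex| escapes, and the pcre option); the header, flow and positional modifiers such as depth/offset/distance/within are ignored, which is why such a matcher fires more often than the IDS engine itself would. The three rules, their sids and the response bodies are constructed for the example and are not taken from Emerging Threats or any other published ruleset. The third rule has no body-matching option at all and is refused, because a rule that would match every response is the cheapest way to fill the knowledge base with false positives.

```python
"""
Added example (not w3af project code): compile the body-matching options of
Snort/Suricata text rules into Python regexes and grep HTTP response bodies.
Only ``content`` (with ``nocase`` and ``|hex|``) and ``pcre`` are honoured;
header fields, ``flow`` and depth/offset/distance/within are ignored, so this
is a lossy approximation of the IDS engine that matches more, never less.
"""
import re
from dataclasses import dataclass, field

# One "key;" or "key:value;" option; the quoted alternative keeps a ';' inside
# a content string from splitting the option.
_OPT_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
_HEX_RE = re.compile(r'\|([0-9A-Fa-f\s]+)\|')          # |41 42| hex blocks


@dataclass
class CompiledRule:
    sid: int
    msg: str
    patterns: list = field(default_factory=list)   # every pattern must match

    def matches(self, body: bytes) -> bool:
        return all(p.search(body) for p in self.patterns)


def _content_to_regex(value: str, nocase: bool) -> re.Pattern:
    """content:"ab|00|cd" -> bytes regex that matches b'ab\\x00cd' literally."""
    value = re.sub(r'\\([\\";])', r'\1', value)      # Snort escapes \" \; \\
    pieces, pos = [], 0
    for m in _HEX_RE.finditer(value):
        pieces.append(re.escape(value[pos:m.start()].encode('latin-1')))
        pieces.append(re.escape(bytes.fromhex(m.group(1).replace(' ', ''))))
        pos = m.end()
    pieces.append(re.escape(value[pos:].encode('latin-1')))
    return re.compile(b''.join(pieces), re.IGNORECASE if nocase else 0)


def _pcre_to_regex(value: str) -> re.Pattern:
    """pcre:"/body/ism" -> bytes regex; buffer-selector flags (R, U, ...) dropped."""
    m = re.fullmatch(r'/(.*)/([A-Za-z]*)', value, re.DOTALL)
    if not m:
        raise ValueError('unsupported pcre syntax: %r' % value)
    flag_map = {'i': re.IGNORECASE, 's': re.DOTALL, 'm': re.MULTILINE}
    flags = 0
    for ch in m.group(2):
        flags |= flag_map.get(ch, 0)
    return re.compile(m.group(1).encode('latin-1'), flags)


def parse_rule(rule_text: str) -> CompiledRule:
    """Parse one rule line; raises ValueError for rules this matcher can't use."""
    start, end = rule_text.find('('), rule_text.rfind(')')
    if start < 0 or end < start:
        raise ValueError('rule has no option block')
    sid, msg, contents, pcres = None, '', [], []
    for key, val in _OPT_RE.findall(rule_text[start + 1:end]):
        val = val.strip()
        if key == 'sid':
            sid = int(val)
        elif key == 'msg':
            msg = val.strip('"')
        elif key == 'content':
            if val.startswith('!'):
                raise ValueError('negated content not supported')
            contents.append([val.strip('"'), False])
        elif key == 'nocase' and contents:
            contents[-1][1] = True                    # applies to preceding content
        elif key == 'pcre':
            pcres.append(val.strip('"'))
    if sid is None:
        raise ValueError('rule has no sid')
    patterns = [_content_to_regex(v, nc) for v, nc in contents]
    patterns += [_pcre_to_regex(p) for p in pcres]
    if not patterns:
        # A rule with only header/flow options would match every response body
        # and flood the knowledge base with false positives; refuse it.
        raise ValueError('rule %d has no content/pcre option' % sid)
    return CompiledRule(sid, msg, patterns)


def load_rules(text: str):
    """Parse a rules file; returns (rules, [(line, error), ...]) instead of aborting."""
    rules, errors = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        try:
            rules.append(parse_rule(line))
        except ValueError as exc:
            errors.append((line, str(exc)))
    return rules, errors


def grep_response(body: bytes, rules) -> list:
    """The grep plugin's per-response step: [(sid, msg)] for every rule that hits."""
    return [(r.sid, r.msg) for r in rules if r.matches(body)]


# Constructed rules for this example (sids in the local 1000000+ range); they
# are not taken from Emerging Threats or any other published ruleset.
SAMPLE_RULES = r'''
# comment lines and blanks are skipped
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE PE file in HTTP body"; flow:established,to_client; content:"MZ"; depth:2; content:"This program cannot be run in DOS mode"; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE eval(unescape()) JavaScript unpacker"; content:"eval|28|unescape|28|"; nocase; pcre:"/eval\(unescape\([\x22\x27]%[0-9a-f]{2}/i"; classtype:trojan-activity; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE body-less rule"; flow:established,to_client; sid:1000003; rev:1;)
'''

# Constructed response bodies standing in for crawled HTTP responses.
PE_BODY = b'MZ\x90\x00' + b'\x00' * 60 + b'This program cannot be run in DOS mode.\r\n$'
JS_BODY = b'<script>EVAL(unescape("%75%6e%65%73%63%61%70%65"))</script>'
HTML_BODY = b'<html><body>The word eval appears here harmlessly.</body></html>'


if __name__ == '__main__':
    rules, errors = load_rules(SAMPLE_RULES)
    for line, err in errors:
        print('skipped:', err)
    for name, body in (('pe', PE_BODY), ('js', JS_BODY), ('html', HTML_BODY)):
        print(name, grep_response(body, rules))
```

Running it loads the first two rules, reports the third as skipped, and flags the PE body with sid 1000001, the script body with sid 1000002 and the plain HTML body with nothing. Because every dropped positional modifier can only widen a match, a count of hits from this matcher is an upper bound on what the same rules would raise in the IDS, which is the direction of error you want when estimating the false-positive rate the thread asks about.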