Re: [W3af-develop] Snort rules to detect malware
From: Andres R. <and...@gm...> - 2013-10-06 11:59:16
Maybe the focus should be moved away from the detection engines (snort, suricata) and into the rules provider(s)?

http://www.emergingthreats.net/open-source/

On Sun, Oct 6, 2013 at 8:53 AM, Andres Riancho <and...@gm...> wrote:
> Andri,
>
> Good question, actually I didn't even consider Suricata because I
> was unaware of its existence :( So, after reading the suricata
> website for some minutes it seems that their rule format is *very
> similar* (the same?) as the one from snort, which could make things
> easier if we want to support both.
>
> When it comes to what we want to do, the only thing that matters
> is quality (re: false positives) and quantity of the rules to detect
> web malware. Do you know if there is a comparison between suricata and
> snort rulesets?
>
> Regards,
>
> On Sat, Oct 5, 2013 at 11:37 PM, Andri Herumurti <vyn...@ya...> wrote:
>> Hi Andres,
>>
>> How about using Suricata rather than Snort?
>> Here is the comparison: http://wiki.aanval.com/wiki/Snort_vs_Suricata
>>
>> Regards,
>> Andri
>>
>>
>> ________________________________
>> From: Andres Riancho <and...@gm...>
>> To: "w3a...@li..." <w3a...@li...>;
>> "w3a...@li..." <W3a...@li...>
>> Sent: Sunday, October 6, 2013 3:38 AM
>> Subject: [W3af-develop] Snort rules to detect malware
>>
>> Guys,
>>
>> We already have a clamav plugin that will identify if an http
>> response body (usually a PE, DLL, ELF, PDF, DOC etc.) contains a virus
>> or not. The other day I was thinking about how to improve this and
>> came up with the idea of using snort rules to detect malware [0]
>>
>> The idea is rather simple:
>> * Crawl the site (we already do that)
>> * Parse snort rules into regular expressions
>> * Create a grep plugin that will apply those regular
>> expressions to each HTTP response body
>> * If a match is found, then report it to the knowledge base
>>
>> What do you guys think about the idea? Anyone with snort
>> experience to weigh in with some facts on how many false positives
>> are found by rules like these? Does anyone know about the licensing for
>> the rules? Can we include them in our repository?
>>
>> [0] https://github.com/andresriancho/w3af/issues/671
>>
>> Regards,
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>>
>> _______________________________________________
>> W3af-develop mailing list
>> W3a...@li...
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>
>

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
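The pipeline sketched in the original post (parse Snort/Suricata rules into regular expressions, apply them to each HTTP response body, report the matches), as an added example that is not w3af's code nor any existing w3af plugin. The three rules and the four response bodies are constructed for this example and are not Emerging Threats rules. It handles only the `content` (with `nocase` and `|hex|` segments) and `pcre` keywords and deliberately ignores the positional modifiers (`offset`, `depth`, `distance`, `within`) and negated content, so it is looser than the real engines: that looseness is exactly where extra false positives come from, which bears on the question asked above.

```python
"""Convert simple Snort/Suricata rules into Python regexes and grep HTTP bodies.

Added example, not part of w3af. Rules and bodies below are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample rules in Snort/Suricata syntax (not real ET rules).
SAMPLE_RULES = r'''
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE eval/unescape JS loader"; content:"eval(unescape("; nocase; classtype:trojan-activity; sid:9000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE hidden iframe"; pcre:"/<iframe[^>]+(width|height)\s*=\s*[\"']?0/i"; sid:9000002; rev:1;)
# comment lines and blank lines are skipped
alert tcp any any -> any any (msg:"EXAMPLE hex content"; content:"|4D 5A|"; offset:0; depth:2; sid:9000003; rev:1;)
'''

# Constructed HTTP response bodies, keyed by the URL path they came from.
SAMPLE_BODIES = {
    '/index.html': b'<html><script>EVAL(UNESCAPE("%3Cscript%3E"))</script></html>',
    '/ad.html': b'<div><IFRAME src="http://example.invalid/x" width=0 height=0></IFRAME></div>',
    '/dl/setup.exe': b'MZ\x90\x00\x03\x00\x00\x00' + b'\x00' * 32,
    '/about.html': b'<html><body>Nothing to see here</body></html>',
}

_PCRE_FLAGS = {'i': re.I, 's': re.S, 'm': re.M, 'x': re.X}  # Snort-only flags ignored


@dataclass
class Rule:
    sid: str
    msg: str
    patterns: list = field(default_factory=list)  # compiled bytes regexes; all must match

    def matches(self, body: bytes) -> bool:
        return bool(self.patterns) and all(p.search(body) for p in self.patterns)


def _split_options(opts: str):
    """Split 'k:v; k:v; ...' on ';' outside double quotes, honouring backslash escapes."""
    out, cur, quoted, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if c == '\\' and i + 1 < len(opts):      # keep escape pairs intact
            cur.append(c + opts[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == ';' and not quoted:
            out.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    if ''.join(cur).strip():
        out.append(''.join(cur).strip())
    return out


def _content_to_bytes(value: str) -> bytes:
    """Snort content: literal text with |hex bytes| segments and \\" \\; \\\\ escapes.
    Limitation: an escaped pipe (\\|) inside the literal text is not supported."""
    out = bytearray()
    for i, seg in enumerate(value.split('|')):
        if i % 2:                                 # odd segments are inside |...|
            out += bytes.fromhex(seg)
        else:
            out += re.sub(r'\\([";\\:])', r'\1', seg).encode('latin-1')
    return bytes(out)


def parse_rules(text: str):
    """Parse rule lines into Rule objects; unsupported keywords are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        try:
            body = line[line.index('(') + 1:line.rindex(')')]
        except ValueError:
            continue                              # no option block: not a rule
        sid, msg, pats, pending = '', '', [], None
        for opt in _split_options(body):
            name, _, value = opt.partition(':')
            name, value = name.strip(), value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            if name == 'sid':
                sid = value
            elif name == 'msg':
                msg = value
            elif name == 'content' and not value.startswith('!'):  # negated content ignored
                if pending is not None:
                    pats.append(pending)
                pending = [re.escape(_content_to_bytes(value)), 0]
            elif name == 'nocase' and pending is not None:
                pending[1] |= re.I                # modifier applies to preceding content
            elif name == 'pcre':
                if pending is not None:
                    pats.append(pending)
                    pending = None
                m = re.fullmatch(r'/(.*)/([a-zA-Z]*)', value, re.S)
                if m:
                    flags = 0
                    for ch in m.group(2):
                        flags |= _PCRE_FLAGS.get(ch, 0)
                    pats.append([m.group(1).replace('\\"', '"').encode('latin-1'), flags])
        if pending is not None:
            pats.append(pending)
        if sid and pats:
            rules.append(Rule(sid, msg, [re.compile(p, f) for p, f in pats]))
    return rules


def scan_body(body: bytes, rules):
    """Return (sid, msg) for every rule whose patterns all match the response body."""
    return [(r.sid, r.msg) for r in rules if r.matches(body)]


if __name__ == '__main__':
    parsed = parse_rules(SAMPLE_RULES)
    for path, resp in SAMPLE_BODIES.items():
        print(path, scan_body(resp, parsed))
```

A grep plugin built on this would call `scan_body()` once per response and push each `(sid, msg)` hit into the knowledge base; before shipping any rule set, the same loop run over a crawl of known-clean sites gives the false-positive count the thread asks for.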