Re: [W3af-develop] Snort rules to detect malware
From: Andri H. <vyn...@ya...> - 2013-10-08 00:55:05
Hi Andres,

I think no problem as long as the ruleset is open source. So when will we make it happen?

Regards
Andri

> On 6 Oct 2013, at 18.58, Andres Riancho <and...@gm...> wrote:
>
> Maybe the focus should be moved away from the detection engines
> (snort, suricata) and into the rules provider(s)?
>
> http://www.emergingthreats.net/open-source/
>
>> On Sun, Oct 6, 2013 at 8:53 AM, Andres Riancho <and...@gm...> wrote:
>> Andri,
>>
>> Good question, actually I didn't even consider Suricata because I
>> was unaware of its existence :( So, after reading the suricata
>> website for some minutes it seems that their rule format is *very
>> similar* (the same?) to the one from snort, which could make things
>> easier if we want to support both.
>>
>> When it comes to what we want to do, the only thing that matters
>> is quality (re: false positives) and quantity of the rules to detect
>> web malware. Do you know if there is a comparison between suricata and
>> snort rulesets?
>>
>> Regards,
>>
>>> On Sat, Oct 5, 2013 at 11:37 PM, Andri Herumurti <vyn...@ya...> wrote:
>>> Hi Andres,
>>>
>>> How about using Suricata instead of Snort?
>>> Here is the comparison: http://wiki.aanval.com/wiki/Snort_vs_Suricata
>>>
>>> Regards,
>>> Andri
>>>
>>>
>>> ________________________________
>>> From: Andres Riancho <and...@gm...>
>>> To: "w3a...@li..." <w3a...@li...>;
>>> "w3a...@li..." <W3a...@li...>
>>> Sent: Sunday, October 6, 2013 3:38 AM
>>> Subject: [W3af-develop] Snort rules to detect malware
>>>
>>> Guys,
>>>
>>> We already have a clamav plugin that will identify if an http
>>> response body (usually a PE, DLL, ELF, PDF, DOC etc.) contains a virus
>>> or not. The other day I was thinking about how to improve this and
>>> came up with the idea of using snort rules to detect malware [0]
>>>
>>> The idea is rather simple:
>>> * Crawl the site (we already do that)
>>> * Parse snort rules into regular expressions
>>> * Create a grep plugin that will apply those regular
>>> expressions to each HTTP response body
>>> * If a match is found, then report it to the knowledge base
>>>
>>> What do you guys think about the idea? Anyone with snort
>>> experience to weigh in with some facts on how many false positives
>>> are found by rules like these? Anyone know about the licensing for
>>> the rules? Can we include them in our repository?
>>>
>>> [0] https://github.com/andresriancho/w3af/issues/671
>>>
>>> Regards,
>>> --
>>> Andrés Riancho
>>> Project Leader at w3af - http://w3af.org/
>>> Web Application Attack and Audit Framework
>>> Twitter: @w3af
>>> GPG: 0x93C344F3
>>>
>>> _______________________________________________
>>> W3af-develop mailing list
>>> W3a...@li...
>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
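A worked version of the grep-plugin sketch in Andres's original post, added here as an example; it is not w3af's code, and the two rules and three response bodies in it are constructed for illustration, not taken from any ruleset or from real traffic. It assumes Snort 2.x / Suricata style `key:value;` options and translates only what the post describes, content/nocase/pcre into Python regexes applied to each body, and it records every modifier it has to drop, because that is exactly where the false positives Andres asks about come from: the third body is benign prose that still trips the fake PE rule once `depth:2` is thrown away.

```python
"""Snort/Suricata rule -> Python regexes -> grep over HTTP bodies.

Added example for the grep-plugin idea in the thread; not w3af code, and the
rules and bodies are made up. Only msg/sid/content/nocase/pcre are honoured;
positional modifiers (depth/offset/distance/within), negated content and PCRE
syntax Python's re rejects are listed in rule['ignored'] so the loss is visible.
"""
import re

HEX_RUN = re.compile(r'\|([0-9A-Fa-f\s]+)\|')   # |4D 5A| style hex runs
OPTION = re.compile(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+')   # one option, quotes intact
PCRE_FLAGS = {'i': re.IGNORECASE, 's': re.DOTALL, 'm': re.MULTILINE}
POSITIONAL = {'depth', 'offset', 'distance', 'within'}

SAMPLE_RULES = [   # constructed; the sids are made-up numbers
    'alert http any any -> any any (msg:"EXAMPLE PE file served over HTTP"; '
    'content:"MZ"; depth:2; content:"This program cannot be run in DOS mode"; '
    'nocase; sid:9000001; rev:1;)',
    'alert http any any -> any any (msg:"EXAMPLE eval/unescape with %u escapes"; '
    'content:"eval|28|unescape|28|"; nocase; pcre:"/%u[0-9a-f]{4}/i"; '
    'sid:9000002; rev:1;)',
]

def split_options(body):
    """Split the text inside the parentheses on ';' that are outside quotes."""
    return [o.strip() for o in OPTION.findall(body) if o.strip()]

def content_to_regex(text, nocase):
    """'eval|28|unescape|28|' -> bytes regex; text is literal, |..| is raw bytes."""
    text = re.sub(r'\\(.)', r'\1', text)           # \" \; \\ -> the char itself
    parts, pos = [], 0
    for m in HEX_RUN.finditer(text):
        parts.append(re.escape(text[pos:m.start()].encode('latin-1')))
        parts.append(re.escape(bytes.fromhex(m.group(1))))
        pos = m.end()
    parts.append(re.escape(text[pos:].encode('latin-1')))
    return re.compile(b''.join(parts), re.IGNORECASE if nocase else 0)

def pcre_to_regex(val, ignored):
    """'"/pattern/flags"' -> bytes regex, or None with the reason in `ignored`."""
    val = val.strip('"')
    end = val.rfind('/')
    flags = val[end + 1:]
    ignored += ['pcre flag ' + f for f in flags if f not in PCRE_FLAGS]  # R, U, P, ...
    re_flags = sum(PCRE_FLAGS.get(f, 0) for f in flags)
    try:
        return re.compile(val[1:end].encode('latin-1'), re_flags)
    except re.error as exc:                        # PCRE-only syntax, e.g. (?R)
        ignored.append('pcre:%s (%s)' % (val, exc))
        return None

def parse_rule(rule_text):
    """One rule line -> {'sid', 'msg', 'regexes', 'ignored'}."""
    body = rule_text[rule_text.index('(') + 1:rule_text.rindex(')')]
    rule = {'sid': None, 'msg': '', 'regexes': [], 'ignored': []}
    contents = []                                   # [text, nocase] pairs
    for opt in split_options(body):
        key, _, val = opt.partition(':')
        key, val = key.strip(), val.strip()
        if key == 'msg':
            rule['msg'] = val.strip('"')
        elif key == 'sid':
            rule['sid'] = int(val)
        elif key == 'content' and not val.startswith('!'):
            contents.append([val.strip('"'), False])
        elif key == 'nocase' and contents:
            contents[-1][1] = True                  # applies to the previous content
        elif key == 'pcre':
            rx = pcre_to_regex(val, rule['ignored'])
            if rx is not None:
                rule['regexes'].append(rx)
        elif key in POSITIONAL or key == 'content':
            rule['ignored'].append(opt)             # position / negation lost -> more FPs
        # rev, classtype, reference, flow, ...: irrelevant to body matching
    rule['regexes'] += [content_to_regex(t, nc) for t, nc in contents]
    return rule

def grep_body(body, rules):
    """A rule fires when all its patterns occur somewhere in the body (Snort's
    AND of the options, with the positional constraints dropped)."""
    return [(r['sid'], r['msg']) for r in rules
            if r['regexes'] and all(rx.search(body) for rx in r['regexes'])]

SAMPLE_RESPONSES = {   # constructed bodies, not captured traffic
    '/download/setup.exe': b'MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff'
                           b'This program cannot be run in DOS mode.\r\n$',
    '/js/app.js': b'var x=1;eval(unescape("%u9090%u9090%uc033"));',
    '/blog/post.html': b'<p>MZ fans know "this program cannot be run in DOS mode" '
                       b'as the most quoted string in computing.</p>',   # benign
}
RULES = [parse_rule(r) for r in SAMPLE_RULES]

def scan(responses=SAMPLE_RESPONSES, rules=RULES):
    """URL -> [(sid, msg)]: the hits the grep plugin would push to the KB."""
    return {url: grep_body(body, rules) for url, body in responses.items()}

if __name__ == '__main__':
    print(scan(), [(r['sid'], r['ignored']) for r in RULES if r['ignored']])
```

Running it reports the fake PE and the eval/unescape bodies, and also flags /blog/post.html with the PE rule: that hit is the false positive the translation buys, since "MZ" was only meant to match in the first two bytes. Keeping depth/offset (match against the slice `body[offset:offset+depth]`) and distance/within (anchor relative to the previous hit) brings the regex set back towards Snort's semantics; dropping them is what turns an IDS rule into a loose grep. A rule whose pcre cannot be translated loses that pattern and the reason lands in `ignored`, and a rule left with no patterns at all never fires, rather than firing on everything.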