Re: [W3af-develop] Snort rules to detect malware
From: Andres R. <and...@gm...> - 2013-10-08 01:11:33
Andri,

On Mon, Oct 7, 2013 at 9:54 PM, Andri Herumurti <vyn...@ya...> wrote:
> Hi Andres,
>
> I think no problem as long as the ruleset is open source.
>
> So when will we make it happen?

For now it's just an idea, I don't have a plan to implement it. I also
want to collect more information on which ruleset is the best one to
use. Sent an email to the snort and suricata mailing lists to ask some
questions.

> Regards
> Andri
>
>> On 6 Oct 2013, at 18:58, Andres Riancho <and...@gm...> wrote:
>>
>> Maybe the focus should be moved away from the detection engines
>> (snort, suricata) and into the rules provider(s)?
>>
>> http://www.emergingthreats.net/open-source/
>>
>>> On Sun, Oct 6, 2013 at 8:53 AM, Andres Riancho <and...@gm...> wrote:
>>> Andri,
>>>
>>> Good question, actually I didn't even consider Suricata because I
>>> was unaware of its existence :( So, after reading the suricata
>>> website for some minutes it seems that their rule format is *very
>>> similar* (the same?) as the one from snort, which could make things
>>> easier if we want to support both.
>>>
>>> When it comes to what we want to do, the only thing that matters
>>> is quality (re: false positives) and quantity of the rules to detect
>>> web malware. Do you know if there is a comparison between suricata and
>>> snort rulesets?
>>>
>>> Regards,
>>>
>>>> On Sat, Oct 5, 2013 at 11:37 PM, Andri Herumurti <vyn...@ya...> wrote:
>>>> Hi Andres,
>>>>
>>>> How about using Suricata rather than Snort?
>>>> Here is the comparison: http://wiki.aanval.com/wiki/Snort_vs_Suricata
>>>>
>>>> Regards,
>>>> Andri
>>>>
>>>> ________________________________
>>>> From: Andres Riancho <and...@gm...>
>>>> To: "w3a...@li..." <w3a...@li...>;
>>>> "w3a...@li..." <W3a...@li...>
>>>> Sent: Sunday, October 6, 2013 3:38 AM
>>>> Subject: [W3af-develop] Snort rules to detect malware
>>>>
>>>> Guys,
>>>>
>>>> We already have a clamav plugin that will identify if an http
>>>> response body (usually a PE, DLL, ELF, PDF, DOC etc.) contains a virus
>>>> or not. The other day I was thinking about how to improve this and
>>>> came up with the idea of using snort rules to detect malware [0]
>>>>
>>>> The idea is rather simple:
>>>> * Crawl the site (we already do that)
>>>> * Parse snort rules into regular expressions
>>>> * Create a grep plugin that will apply those regular
>>>>   expressions to each HTTP response body
>>>> * If a match is found, then report it to the knowledge base
>>>>
>>>> What do you guys think about the idea? Anyone with snort
>>>> experience to weigh in with some facts on how many false positives
>>>> are found by rules like these? Does anyone know about the licensing for
>>>> the rules? Can we include them into our repository?
>>>>
>>>> [0] https://github.com/andresriancho/w3af/issues/671
>>>>
>>>> Regards,
>>>> --
>>>> Andrés Riancho
>>>> Project Leader at w3af - http://w3af.org/
>>>> Web Application Attack and Audit Framework
>>>> Twitter: @w3af
>>>> GPG: 0x93C344F3
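The "parse snort rules into regular expressions and grep every HTTP response body" step proposed in the original message, as an added illustration in Python (the language w3af is written in). This is example code, not part of w3af or of the thread: it handles only a subset of the Snort/Suricata option syntax (msg, sid, content with |hex| bytes and the nocase modifier, pcre with the i flag) and the rules and response bodies are constructed for the demo, not taken from any real ruleset or site.

```python
import re

# Constructed sample rules in Snort/Suricata syntax (not taken from any real ruleset).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE hidden iframe"; '
    'content:"<iframe"; nocase; content:"width=|30|"; nocase; sid:9000001; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE eval unescape"; '
    'pcre:"/eval\\s*\\(\\s*unescape\\s*\\(/i"; sid:9000002; rev:1;)',
]

# One rule option: keyword, optional ':' plus a quoted or bare value, closing ';'.
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def content_to_regex(value):
    # Text between '|' pairs is hex bytes ("|3C 69|"), the rest is literal text.
    # Assumption: the content string has no backslash-escaped characters.
    parts = value.split('|')
    return b''.join(re.escape(bytes.fromhex(seg) if i % 2 else seg.encode('latin-1'))
                    for i, seg in enumerate(parts))

def compile_rule(rule):
    """Return (sid, msg, patterns); every pattern must match for the rule to fire."""
    options = rule[rule.index('(') + 1:rule.rindex(')')]
    sid, msg, patterns = None, '', []
    for key, value in OPTION_RE.findall(options):
        if key == 'msg':
            msg = value.strip('"')
        elif key == 'sid':
            sid = int(value)
        elif key == 'content':
            patterns.append([content_to_regex(value.strip('"')), 0])
        elif key == 'nocase' and patterns:
            patterns[-1][1] |= re.IGNORECASE  # the modifier binds to the preceding content
        elif key == 'pcre':
            body, _, flags = value.strip('"').rpartition('/')  # value looks like "/regex/flags"
            pcre_flags = re.IGNORECASE if 'i' in flags else 0  # Snort-only modifiers ignored
            patterns.append([body[1:].encode('latin-1'), pcre_flags])
    return sid, msg, [re.compile(pat, flags) for pat, flags in patterns]

def scan_body(body, rules):
    """Return (sid, msg) for each compiled rule whose patterns all match the response body."""
    return [(sid, msg) for sid, msg, pats in rules if all(p.search(body) for p in pats)]

COMPILED = [compile_rule(r) for r in SAMPLE_RULES]

# Constructed HTTP response bodies standing in for what the crawler would fetch.
BODY_IFRAME = b'<html><IFRAME src="http://example.invalid/x" width=0 height=0></IFRAME></html>'
BODY_EVAL = b'<script>eval ( unescape ("%3c%69%66") )</script>'
BODY_CLEAN = b'<html><body><p>Mentions iframe, width and eval but matches no rule.</p></body></html>'
```

A real grep plugin would feed every crawled response body to scan_body and report each (sid, msg) hit to the knowledge base; the false-positive question raised in the thread is exactly about how often a clean body like BODY_CLEAN still trips a rule.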