raw-data memdumps

MalSilo 2.1- Suricata exports

May 6, 2020

With this release, MalSilo adds Suricata rule exports covering the DNS, TCP/UDP and HTTP protocols.

You will notice some inconsistency between the rule sets and the master-feed.json export, especially for DNS and URL: observables present in the feed may be missing from the rules. This will be true in the following scenarios

The new sources can be added to Suricata in a few steps with suricata-update

$ suricata-update add-source
# <Info> -- Using data-directory /var/lib/suricata.
# <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
# <Info> -- Using /etc/suricata/rules for Suricata provided rules.
# <Info> -- Found Suricata version 5.0.2 at /usr/bin/suricata.
Name of source: malsilo-ip
URL: https://malsilo.gitlab.io/feeds/dumps/malsilo-ip.rules
# <Info> -- Creating directory /var/lib/suricata/update/sources
...
# the same goes for the other exports
...
$ suricata-update

All enabled sources are downloaded and merged into a single file, in this case /var/lib/suricata/rules/suricata.rules

The configuration and the new signatures can be validated, without starting the engine, with a single switch

$ suricata -T

Feedback, suggestions? Drop me a line @_raw_data_

Happy detection!

Update 2020.07.02

All signatures are now also available as a single tar.gz bundle. If for any reason you want to skip one of the rule categories, you can just pass --ignore for that file

$ suricata-update --ignore malsilo-dns.rules --ignore malsilo-ip.rules -v
...
...
# <Debug> -- Resolved source malsilo to URL 
#       https://malsilo.gitlab.io/feeds/dumps/malsilo.rules.tar.gz.
# <Info> -- Checking https://malsilo.gitlab.io/feeds/dumps/malsilo.rules.tar.gz.md5.
# <Debug> -- Setting HTTP User-Agent to Suricata-Update/1.1.2 (OS: Linux; .....
# <Debug> -- Local checksum=|359f2606aa2e7dcdc6b1ac5bda772ec6|;
#               remote checksum=|58dd79f0c0dfc9ea0780b2d344f3155f|
# <Info> -- Fetching https://malsilo.gitlab.io/feeds/dumps/malsilo.rules.tar.gz.
# <Debug> -- Setting HTTP User-Agent to Suricata-Update/1.1.2 (OS: Linux; ....
# 100% - 2174/2174                     
# <Info> -- Done.
...
# <Info> -- Loading distribution rule file ...
# <Info> -- Ignoring file malsilo-dns.rules
# <Info> -- Ignoring file malsilo-ip.rules
# <Debug> -- Parsing ...
...
# <Debug> -- Parsing ...
# <Debug> -- Parsing malsilo-url.rules.
# <Info> -- Loaded 389 rules.

and you are good to go!
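The two procedures above (per-file sources, and the tar.gz bundle with --ignore) rely on the same mechanism that the verbose log shows: suricata-update reads the .md5 sidecar next to each source, downloads only when the remote digest differs from the local one, and then skips the rule files you told it to ignore. The script below is an added example written for this post, not suricata-update's or MalSilo's own code; it reproduces that flow on an in-memory bundle so you can see what a checksum-gated fetch and an --ignore filter actually do. Everything in it is constructed: the sample rules, the FakeServer, and the assumption that the .md5 sidecar holds the hex digest as its first token.

```python
"""Checksum-gated fetch of a Suricata rule bundle, plus an --ignore filter.

Illustrative code written for this post; it is NOT suricata-update's
implementation. It mirrors the behaviour visible in the update log:
compare local vs remote .md5, fetch only on mismatch, verify the archive,
then drop any rule files named with --ignore.
"""
import hashlib
import io
import os
import tarfile
from typing import Callable, Dict, Iterable, List, Optional, Tuple

BUNDLE_URL = "https://malsilo.gitlab.io/feeds/dumps/malsilo.rules.tar.gz"

Fetcher = Callable[[str], bytes]  # maps a URL to the response body


def remote_checksum(fetch: Fetcher, url: str) -> str:
    """Read the '<url>.md5' sidecar that is checked before any download.

    Assumption: the sidecar's first whitespace-separated token is the hex
    digest (so md5sum-style "digest  filename" output is tolerated too).
    """
    return fetch(url + ".md5").decode("ascii").split()[0].lower()


def sync_bundle(fetch: Fetcher, url: str,
                local_blob: Optional[bytes]) -> Tuple[bytes, bool]:
    """Return (bundle bytes, downloaded?).

    The archive is fetched only when the remote digest differs from the
    digest of the cached copy. The downloaded bytes are then re-checked, so
    a truncated or swapped archive is rejected instead of being installed.
    Note that md5 over HTTPS is a freshness/integrity check, not a signature.
    """
    local_sum = hashlib.md5(local_blob).hexdigest() if local_blob is not None else None
    remote_sum = remote_checksum(fetch, url)
    if local_sum == remote_sum:
        return local_blob, False          # cache is current: nothing to fetch
    blob = fetch(url)
    if hashlib.md5(blob).hexdigest() != remote_sum:
        raise ValueError("downloaded bundle does not match %s.md5" % url)
    return blob, True


def load_rules(blob: bytes, ignore: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Extract *.rules members from a tar.gz, skipping basenames in `ignore`.

    Blank and comment lines are dropped, so each value is the list of active
    rules, which is what the 'Loaded N rules' line in the log counts.
    """
    skip = set(ignore)
    rules: Dict[str, List[str]] = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            name = os.path.basename(member.name)
            if not member.isfile() or not name.endswith(".rules") or name in skip:
                continue
            text = tar.extractfile(member).read().decode("utf-8")
            rules[name] = [ln for ln in text.splitlines()
                           if ln.strip() and not ln.lstrip().startswith("#")]
    return rules


# --- constructed fixtures (not real MalSilo data) ---------------------------

def make_bundle(files: Dict[str, str]) -> bytes:
    """Build an in-memory tar.gz from {filename: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode("utf-8")
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


SAMPLE_FILES = {  # constructed sample rules with private-range sids
    "malsilo-dns.rules": '# constructed sample\nalert dns any any -> any any (msg:"MalSilo DNS sample"; sid:9000001; rev:1;)\n',
    "malsilo-ip.rules": 'alert ip any any -> 192.0.2.10 any (msg:"MalSilo IP sample"; sid:9000002; rev:1;)\n',
    "malsilo-url.rules": 'alert http any any -> any any (msg:"MalSilo URL sample"; http.uri; content:"/sample"; sid:9000003; rev:1;)\n\n'
                         'alert http any any -> any any (msg:"MalSilo URL sample 2"; http.uri; content:"/sample2"; sid:9000004; rev:1;)\n',
}


class FakeServer:
    """Serves one bundle and its .md5 sidecar from memory; counts downloads."""
    def __init__(self, blob: bytes):
        self.blob = blob
        self.downloads = 0

    def fetch(self, url: str) -> bytes:
        if url.endswith(".md5"):
            return (hashlib.md5(self.blob).hexdigest() + "  malsilo.rules.tar.gz\n").encode()
        self.downloads += 1
        return self.blob


def demo() -> Dict[str, int]:
    """Sync twice (download, then cache hit) and apply --ignore to two files."""
    server = FakeServer(make_bundle(SAMPLE_FILES))
    blob, fetched = sync_bundle(server.fetch, BUNDLE_URL, None)   # first run: downloads
    assert fetched and server.downloads == 1
    blob, fetched = sync_bundle(server.fetch, BUNDLE_URL, blob)   # second run: unchanged
    assert not fetched and server.downloads == 1
    loaded = load_rules(blob, ignore=["malsilo-dns.rules", "malsilo-ip.rules"])
    return {name: len(lines) for name, lines in loaded.items()}


if __name__ == "__main__":
    print(demo())
```

Running the script yields {'malsilo-url.rules': 2}: the DNS and IP files are dropped exactly as the "Ignoring file" lines in the log show, and only the URL rules are counted. The second sync never hits the bundle URL because the local and remote digests match, which is why a repeat run of suricata-update against an unchanged feed is cheap.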
