integrate nsacyber/ELITEWOLF signatures into default rule set #275

Closed
mmguero opened this issue Oct 23, 2023 · 2 comments
Labels
enhancement New feature or request external Depends on a bug or feature external to this project ics Relating to ICS (Industrial Control Systems) devices suricata Relating to Malcolm's use of Suricata

Comments

@mmguero
Collaborator

mmguero commented Oct 23, 2023

NSA cyber's ELITEWOLF project releases some OT-focused Snort rules. I'd like to:

@mmguero mmguero added enhancement New feature or request external Depends on a bug or feature external to this project ics Relating to ICS (Industrial Control Systems) devices suricata Relating to Malcolm's use of Suricata labels Oct 23, 2023
@mmguero mmguero added this to Malcolm Oct 23, 2023
@mmguero mmguero moved this to Todo (investigate) in Malcolm Oct 23, 2023
@mmguero mmguero moved this from Todo (investigate) to In Progress in Malcolm Nov 9, 2023
@mmguero mmguero added this to the v23.11.0 milestone Nov 9, 2023
@IdahoManny

Converted and Tested Snort to Suricata

Suricata does have compatibility with Snort rules. The files below were taken from the repository and tested with Suricata. Change the file names from .txt to .rules and place them in the /etc/suricata/rules/ path. A sample log file is also attached. Tests of the rules were conducted with netcat.

Tested-ELITEWOLF_SNORT_AllenBradley_RockwellAutomation.txt
Tested-ELITEWOLF_SNORT_SchweitzerEngineeringLaboratories.txt
Tested-ELITEWOLF_SNORT_Siemens.txt
logs.txt

@mmguero mmguero assigned mmguero and IdahoManny and unassigned mmguero Nov 13, 2023
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Nov 13, 2023
@mmguero mmguero moved this from In Progress to Testing in Malcolm Nov 13, 2023
@mmguero mmguero added the CISA label Nov 13, 2023
@mmguero
Collaborator Author

mmguero commented Nov 14, 2023

see mmguero-dev/Malcolm@baebc49

suricata container build logs indicating that the rules have been included:

```
...
#11 40.26 14/11/2023 -- 15:49:34 - <Info> -- Loading local file /etc/suricata/rules/stream-events.rules
#11 40.26 14/11/2023 -- 15:49:34 - <Info> -- Loading local file /etc/suricata/rules/tls-events.rules
#11 40.26 14/11/2023 -- 15:49:34 - <Info> -- Loading local file /etc/suricata/rules/AllenBradley_RockwellAutomation.rules
#11 40.26 14/11/2023 -- 15:49:34 - <Info> -- Loading local file /etc/suricata/rules/SchweitzerEngineeringLaboratories.rules
#11 40.26 14/11/2023 -- 15:49:34 - <Info> -- Loading local file /etc/suricata/rules/Siemens.rules
#11 40.26 14/11/2023 -- 15:49:34 - <Info> -- Loading local file /etc/suricata/rules/app-layer-events.rules
...
#11 40.26 14/11/2023 -- 15:49:34 - <Info> -- Loading local file /etc/suricata/rules/tls-events.rules
#11 40.26 14/11/2023 -- 15:49:34 - <Info> -- Loading local file /etc/suricata/rules/AllenBradley_RockwellAutomation.rules
#11 40.26 14/11/2023 -- 15:49:34 - <Info> -- Loading local file /etc/suricata/rules/SchweitzerEngineeringLaboratories.rules
#11 40.26 14/11/2023 -- 15:49:34 - <Info> -- Loading local file /etc/suricata/rules/Siemens.rules
#11 40.26 14/11/2023 -- 15:49:34 - <Info> -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
...
#11 40.26 14/11/2023 -- 15:49:34 - <Debug> -- Parsing /etc/suricata/rules/AllenBradley_RockwellAutomation.rules
#11 40.26 14/11/2023 -- 15:49:34 - <Debug> -- Parsing /etc/suricata/rules/AllenBradley_RockwellAutomation.rules
#11 40.26 14/11/2023 -- 15:49:34 - <Debug> -- Parsing /etc/suricata/rules/SchweitzerEngineeringLaboratories.rules
#11 40.26 14/11/2023 -- 15:49:34 - <Debug> -- Parsing /etc/suricata/rules/SchweitzerEngineeringLaboratories.rules
#11 40.27 14/11/2023 -- 15:49:34 - <Debug> -- Parsing /etc/suricata/rules/Siemens.rules
#11 40.27 14/11/2023 -- 15:49:34 - <Debug> -- Parsing /etc/suricata/rules/Siemens.rules
...
```

From what I can tell they are in place and loaded correctly. I don't have PCAPs to verify but suricata confirms the rules are there.
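As an added example (not part of this issue, of Malcolm, or of the ELITEWOLF repository), a small Python check that covers both the conversion step in IdahoManny's comment and the build-log verification above: it lints a converted `.rules` file for mistakes that make Suricata reject or skip a rule (unparseable lines, missing or duplicate `sid`) and confirms from the startup log that every expected rule file was actually loaded. The rule lines and log lines are constructed samples, not ELITEWOLF signatures.

```python
import re
from collections import Counter

# CONSTRUCTED sample rule file (not ELITEWOLF content): one valid rule, one commented out,
# one that repeats a sid, one missing its sid.
SAMPLE_RULES = """\
# CONSTRUCTED sample, not from the ELITEWOLF repository
alert tcp any any -> $HOME_NET 44818 (msg:"SAMPLE ENIP session to PLC"; flow:to_server,established; sid:9000001; rev:1;)
# alert tcp any any -> any 102 (msg:"SAMPLE disabled rule"; sid:9000002; rev:1;)
alert tcp any any -> $HOME_NET 502 (msg:"SAMPLE Modbus write"; sid:9000001; rev:1;)
alert tcp any any -> $HOME_NET 20000 (msg:"SAMPLE rule missing sid"; rev:1;)
"""

# CONSTRUCTED startup log lines in Suricata's format (docker build prefix "#11 40.26" stripped).
SAMPLE_LOG = """\
14/11/2023 -- 15:49:34 - <Info> -- Loading local file /etc/suricata/rules/tls-events.rules
14/11/2023 -- 15:49:34 - <Info> -- Loading local file /etc/suricata/rules/AllenBradley_RockwellAutomation.rules
14/11/2023 -- 15:49:34 - <Info> -- Loading local file /etc/suricata/rules/Siemens.rules
"""

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(r'^(?:alert|drop|pass|reject)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s+\((?P<opts>.*)\)\s*$')
SID_RE = re.compile(r'(?:^|;)\s*sid\s*:\s*(\d+)\s*;')
LOAD_RE = re.compile(r'Loading (?:local|distribution rule) file (\S+)')

def lint_rules(text):
    """Report rule lines that do not parse, rules without a sid, and sids used more than once."""
    problems = {"unparsed": [], "missing_sid": [], "duplicate_sid": []}
    sids = Counter()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out rule
        m = RULE_RE.match(line)
        if not m:
            problems["unparsed"].append(lineno)
            continue
        s = SID_RE.search(m.group("opts"))
        if not s:
            problems["missing_sid"].append(lineno)
            continue
        sids[int(s.group(1))] += 1
    problems["duplicate_sid"] = sorted(sid for sid, n in sids.items() if n > 1)
    return problems

def loaded_rule_files(log_text):
    """Basenames of the rule files Suricata reported loading in its startup log."""
    return {m.group(1).rsplit("/", 1)[-1] for m in LOAD_RE.finditer(log_text)}

def missing_from_log(expected, log_text):
    """Expected rule files that never show up as loaded in the startup log."""
    return sorted(set(expected) - loaded_rule_files(log_text))
```

Run `lint_rules` over each converted file before adding it to the container, and `missing_from_log` over the build output to catch a file that was copied into place but never picked up by the rule loader.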

@mmguero mmguero moved this from Testing to Done in Malcolm Nov 14, 2023
@mmguero mmguero closed this as completed Nov 14, 2023
This was referenced Dec 4, 2023
@mmguero mmguero moved this from Done to Released in Malcolm Dec 5, 2023