|
--[[ lua script : cryptxxx_urls.lua
|
|
purpose : to check whether the request URL matches the CryptXXX Ransomware URL blacklist
|
|
rule : reject tcp any any -> any any (msg:"CryptXXX Ransomware blacklisted URL"; luajit:cryptxxx_urls.lua; priority:1; sid: 100000000000; rev:1;)
|
|
|
|
author : samiux (https://www.infosec-ninjas.com)
|
|
project : Almond Croissants
|
|
license : GPLv3
|
|
date : JUL 04, 2016
|
|
|
|
Remarks : (1) https protocol will not be processed.
|
|
(2) Google Safe Browsing blacklisted sites are also not processed,
as Firefox blocks them before Suricata sees the traffic.
|
|
]]
|
|
|
|
-- this gets called during rule parsing
|
|
--- Called once by Suricata while the rule is parsed.
-- Declares which buffers the matcher needs; the value is the string "true"
-- because Suricata expects string values in this table.
-- @param args table supplied by Suricata (unused)
-- @treturn table map of required buffer names to "true"
function init(args)
  return { ["http.request_headers"] = tostring(true) }
end
|
|
|
|
-- this is a matcher function
|
|
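-- Locations of the blacklist (one URL per line) and of the two log files.
local URL_LIST_PATH = "/etc/suricata/rules/cryptxxx.url"
local ACCESS_LOG_PATH = "/var/log/suricata/cryptxxx_urls.log"
local ALERT_LOG_PATH = "/var/log/suricata/cryptxxx_urls_alert.log"

-- Number of io.open() attempts before a file is given up on.
local OPEN_ATTEMPTS = 3

-- verbose mode - true or false (extra bookkeeping lines in the logs)
local verbose = false

--- Open a file, retrying a few times on failure.
-- @tparam string path
-- @tparam string mode io.open mode ("r" or "a" here)
-- @return file handle, or nil plus the last io.open error message
local function open_with_retry(path, mode)
  local handle, err
  for _ = 1, OPEN_ATTEMPTS do
    handle, err = io.open(path, mode)
    if handle then
      return handle
    end
  end
  return nil, err
end

--- Load the blacklist into an array, one entry per line.
-- @tparam string path
-- @treturn table|nil array of lines, or nil plus an error when the file cannot be opened
local function read_url_list(path)
  local handle, err = open_with_retry(path, "r")
  if not handle then
    return nil, err
  end
  local entries = {}
  for line in handle:lines() do
    entries[#entries + 1] = line
  end
  handle:close()
  return entries
end

--- Find the first blacklist entry that contains `url`.
-- Keeps the original containment semantics (the request URL is searched for
-- inside each entry); NOTE(review): a very short request URL is therefore found
-- inside any longer entry that begins with it — confirm that this is intended.
-- @tparam table entries array of blacklist lines
-- @tparam string url request URL as rebuilt from the request
-- @return index and text of the first matching entry, or nil
local function find_blacklisted(entries, url)
  for index, entry in ipairs(entries) do
    -- Plain (non-pattern) search: the URL comes from the client, so characters
    -- such as '.', '?', '[' or '%' must not be interpreted as Lua pattern syntax.
    if string.find(entry, url, 1, true) then
      return index, entry
    end
  end
  return nil
end

--- Current timestamp in the format used by the log lines of this script.
local function timestamp()
  return os.date("[%x - %X]")
end

--- Make client-controlled text safe to place in a log line: control characters
-- (including CR/LF) are replaced so one request cannot forge extra log records.
local function log_safe(text)
  return (tostring(text):gsub("%c", "?"))
end

--- Matcher called by Suricata for each request the rule sees.
-- Rebuilds "http://" .. host .. normalized URI, looks it up in the blacklist
-- and logs the outcome.
-- @param args table supplied by Suricata (unused)
-- @treturn number 1 when the URL is blacklisted, 0 otherwise; also 0 when the
-- blacklist cannot be read (the check fails open in that case)
function match(args)
  local http_host = HttpGetRequestHost() or ""
  local http_uri = HttpGetRequestUriNormalized() or ""

  -- Nothing to look up when the request carries neither a host nor a URI.
  if #http_host + #http_uri == 0 then
    return 0
  end
  local http_url = "http://" .. http_host .. http_uri

  local entries = read_url_list(URL_LIST_PATH)
  if not entries then
    -- Unreadable blacklist: no verdict can be made (same result as before).
    return 0
  end

  local index, entry = find_blacklisted(entries, http_url)
  local safe_url = log_safe(http_url)

  -- Logging is best effort: a log file that cannot be opened is skipped and
  -- does not suppress the verdict.
  local access_log = open_with_retry(ACCESS_LOG_PATH, "a")

  if index then
    local alert_log = open_with_retry(ALERT_LOG_PATH, "a")
    local safe_entry = log_safe(entry)
    if alert_log then
      if verbose then
        alert_log:write("********************************************\n")
        alert_log:write("Counter : " .. #entries .. " \n")
        alert_log:write("Index : " .. index .. " \n")
      end
      -- The timestamp is formatted on its own so that '%' sequences in the URL
      -- or in the list entry never reach os.date() as conversion specifiers.
      alert_log:write(timestamp() .. " [**] BAD URL Match - " .. safe_url .. " <@> " .. safe_entry .. " \n")
      if verbose then
        alert_log:write("********************************************\n")
      end
      alert_log:close()
    end
    if access_log then
      access_log:write(timestamp() .. " [**] BAD URL Match " .. safe_url .. " <@> " .. safe_entry .. " \n")
      access_log:close()
    end
    return 1
  end

  if access_log then
    if verbose then
      local last_value = entries[#entries] or ""
      access_log:write("****************************\n")
      access_log:write("Counter : " .. #entries .. " \n")
      access_log:write("Last Index : " .. #entries .. " \n")
      access_log:write(timestamp() .. " Last Index : " .. log_safe(last_value) .. " \n")
      access_log:write(timestamp() .. " Access URL : " .. safe_url .. " - NOT Match \n")
      access_log:write("****************************\n")
    end
    access_log:write(timestamp() .. " [--] URL NOT Match - " .. safe_url .. " \n")
    access_log:close()
  end
  return 0
end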
|
|
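-- End of script. No statements run at chunk level: `url_file`, `alert_file`
-- and `access_file` are locals of match() and are nil here, so calling
-- close() on them at this scope raised an error when Suricata executed the
-- script on load.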
|
|
|