
Feature #2784

rules index update - ssl blacklists

Added by Peter Manev 29 days ago. Updated 20 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
Effort:
Difficulty:

Description

Currently the ruleset index located here - https://www.openinfosecfoundation.org/rules/index.yaml

has the following SSL blacklist download link - https://sslbl.abuse.ch/blacklist/sslblacklist.rules
However, those rules are for Suricata versions 1.4+ ... 3.0/4.0.

For rules that are Suricata 4.1.0+ compatible the link is this one - https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules

History

#1

Updated by Jason Ish 28 days ago

I'm wondering how we should handle this. Rule sources like ET use the version as part of the URL, here they are not so I wonder if we need to add a separate rule source, for example we have:

  # SSBL FP blacklist ruleset.
  sslbl/ssl-fp-blacklist:
    summary: Abuse.ch SSL Blacklist
    vendor: Abuse.ch
    license: Non-Commercial
    url: https://sslbl.abuse.ch/blacklist/sslblacklist.rules

We can't change the name of it. That will break setups that have this ruleset enabled. So what do we name the new one:

  # SSBL FP blacklist ruleset.
  sslbl/ssl-fp-blacklist-41+:
    summary: Abuse.ch SSL Blacklist
    vendor: Abuse.ch
    license: Non-Commercial
    url: https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules
    min-version: 4.1.0

Or do we get complex and do something like:

  # SSBL FP blacklist ruleset.
  sslbl/ssl-fp-blacklist:
    summary: Abuse.ch SSL Blacklist
    vendor: Abuse.ch
    license: Non-Commercial
    versions:
      - version: "< 4.1.0"
        url: https://sslbl.abuse.ch/blacklist/sslblacklist.rules
      - version: ">= 4.1.0"
        url: https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules

Thoughts? The final version is more complex and would require an update to suricata-update.
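To make the trade-off between the two proposals concrete, here is an added example (not suricata-update's own code, and not from the thread) of how a client could resolve which URL to fetch for a given Suricata version. It handles both layouts: a flat source with an optional `min-version` key, and a source carrying a `versions` list whose entries pair a constraint string with a URL. The index is a constructed, already-parsed form of the YAML fragments above; the third source name, `sslbl/ssl-fp-blacklist-versioned`, is made up here so that both layouts can sit side by side in one index. Nothing is downloaded; the example only decides which URL applies.

```python
"""Resolve the download URL of a rule source for a given Suricata version.

Added example, not suricata-update's own code. Models the two index layouts
discussed in the thread: a flat source with an optional ``min-version`` key,
and a source with a ``versions`` list of version-gated URLs.
"""
import operator
import re

# Constructed index, in the shape the YAML snippets above would parse to.
# The "-versioned" source name is invented for this example.
INDEX = {
    "sslbl/ssl-fp-blacklist": {
        "summary": "Abuse.ch SSL Blacklist",
        "vendor": "Abuse.ch",
        "license": "Non-Commercial",
        "url": "https://sslbl.abuse.ch/blacklist/sslblacklist.rules",
    },
    "sslbl/ssl-fp-blacklist-41+": {
        "summary": "Abuse.ch SSL Blacklist",
        "vendor": "Abuse.ch",
        "license": "Non-Commercial",
        "url": "https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules",
        "min-version": "4.1.0",
    },
    "sslbl/ssl-fp-blacklist-versioned": {
        "summary": "Abuse.ch SSL Blacklist",
        "vendor": "Abuse.ch",
        "license": "Non-Commercial",
        "versions": [
            {"version": "< 4.1.0",
             "url": "https://sslbl.abuse.ch/blacklist/sslblacklist.rules"},
            {"version": ">= 4.1.0",
             "url": "https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules"},
        ],
    },
}

# Comparison operators accepted in a constraint string; bare "4.1.0" means equality.
_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq, "": operator.eq}
# Longer operators are listed first so "<=" is not read as "<" followed by "=".
_CONSTRAINT = re.compile(r"^\s*(<=|>=|==|<|>)?\s*(\d+(?:\.\d+)*)\s*$")


def parse_version(text):
    """Turn '4.1.0' into (4, 1, 0); pad so '4.1' compares equal to '4.1.0'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def matches(constraint, version):
    """Evaluate a constraint string such as '>= 4.1.0' against a version tuple."""
    m = _CONSTRAINT.match(constraint)
    if not m:
        raise ValueError("bad version constraint: %r" % constraint)
    op, bound = m.group(1) or "", parse_version(m.group(2))
    return _OPS[op](version, bound)


def resolve_url(source, suricata_version):
    """Return the URL to fetch for this source, or None if no entry applies."""
    version = parse_version(suricata_version)
    if "versions" in source:
        # First matching entry wins, so entry order in the index matters.
        for entry in source["versions"]:
            if matches(entry["version"], version):
                return entry["url"]
        return None
    if "min-version" in source and version < parse_version(source["min-version"]):
        return None
    return source.get("url")


def available_sources(index, suricata_version):
    """Names of the sources that have a usable URL for this Suricata version."""
    return sorted(name for name, src in index.items()
                  if resolve_url(src, suricata_version) is not None)


if __name__ == "__main__":
    versioned = INDEX["sslbl/ssl-fp-blacklist-versioned"]
    for v in ("4.0.5", "4.1.0", "5.0.0"):
        print(v, available_sources(INDEX, v))
        print("  versioned ->", resolve_url(versioned, v))
```

With the `min-version` layout a pre-4.1 client simply sees the new source as unavailable and keeps using the old name, which is the backwards-compatible behaviour the comment asks for; with the `versions` layout one source name serves every client, but the client must understand the constraint syntax, which is the update to suricata-update the comment mentions.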

#2

Updated by Peter Manev 24 days ago

I like the suggestion but personally would vote for the simplest one - "min version".

#3

Updated by Peter Manev 20 days ago

FYI
There are also URL blacklist rules for Suricata (freshly released, I think) -

https://urlhaus.abuse.ch/api/#retrieve
The rules file itself - https://urlhaus.abuse.ch/downloads/ids/
