Project

General

Profile

Actions
Copy link

Feature #2784

open

rules index update - ssl blacklists

Added by Peter Manev over 5 years ago. Updated almost 5 years ago.

Status:
New
Priority:
Normal
Assignee:
Jason Ish
Target version:
-
Effort:
Difficulty:
Label:

Description

Currently the ruleset index located here - https://www.openinfosecfoundation.org/rules/index.yaml

Has the following for SSL blacklist download link - https://sslbl.abuse.ch/blacklist/sslblacklist.rules
However those rules are for Suricata versions 1.4+ ...3.0/4.0

For rules that are Suricata 4.1.0+ compatible the link is this one - https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules

Related issues 1 (0 open1 closed)

Related to Suricata-Update - Optimization #3372: Suricata update downloads future versionsClosedShivani BhardwajActions
Actions
Copy link
 #1

Updated by Jason Ish over 5 years ago

I'm wondering how we should handle this. Rule sources like ET use the version as part of the URL, here they are not so I wonder if we need to add a separate rule source, for example we have:

  # SSBL FP blacklist ruleset.
  sslbl/ssl-fp-blacklist:
    summary: Abuse.ch SSL Blacklist
    vendor: Abuse.ch
    license: Non-Commercial
    url: https://sslbl.abuse.ch/blacklist/sslblacklist.rules

We can't change the name of it. That will break setups that have this ruleset enabled. So what do we name the new one:

  # SSBL FP blacklist ruleset.
  sslbl/ssl-fp-blacklist-41+:
    summary: Abuse.ch SSL Blacklist
    vendor: Abuse.ch
    license: Non-Commercial
    url: https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules
    min-version: 4.1.0

Or do we get complex and do something like:

  # SSBL FP blacklist ruleset.
  sslbl/ssl-fp-blacklist:
    summary: Abuse.ch SSL Blacklist
    vendor: Abuse.ch
    license: Non-Commercial
    versions:
      - version: "< 4.1.0" 
        url: https://sslbl.abuse.ch/blacklist/sslblacklist.rules
      - version: ">= 4.1.0" 
        url: https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules

Thoughts? The final version being more complex and requiring an update to suricata-update.

Actions
Copy link
 #2

Updated by Peter Manev about 5 years ago

I like the suggestion but personally would vote for the simplest one - "min version".

Actions
Copy link
 #3

Updated by Peter Manev about 5 years ago

FYI
There is also URL blacklist rules for Suricata (freshly released i think) -

https://urlhaus.abuse.ch/api/#retrieve
the rulese file itself - https://urlhaus.abuse.ch/downloads/ids/

Actions
Copy link
 #4

Updated by Victor Julien about 5 years ago

  • Project changed from Suricata to Suricata-Update
Actions
Copy link
 #5

Updated by Andreas Herz almost 5 years ago

  • Assignee set to Jason Ish
Actions
Copy link
 #6

Updated by Shivani Bhardwaj over 4 years ago

Actions
Copy link

Also available in: Atom PDF