Feature #2784: rules index update - ssl blacklists

Added by Peter Manev about 7 years ago. Updated 9 months ago.

Status: Closed
Priority: Normal
Assignee:
Target version: -
Effort:
Difficulty:
Label:

Description

Currently the ruleset index located here - https://www.openinfosecfoundation.org/rules/index.yaml

has the following for the SSL blacklist download link - https://sslbl.abuse.ch/blacklist/sslblacklist.rules
However, those rules are for Suricata versions 1.4+ ... 3.0/4.0.

For rules that are Suricata 4.1.0+ compatible, the link is this one - https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules


Related issues: 1 (0 open, 1 closed)

Related to Suricata-Update - Optimization #3372: Suricata update downloads future versions (Closed, Shivani Bhardwaj)

#1 Updated by Jason Ish about 7 years ago

I'm wondering how we should handle this. Rule sources like ET use the version as part of the URL; here they do not, so I wonder if we need to add a separate rule source. For example, we have:

  # SSBL FP blacklist ruleset.
  sslbl/ssl-fp-blacklist:
    summary: Abuse.ch SSL Blacklist
    vendor: Abuse.ch
    license: Non-Commercial
    url: https://sslbl.abuse.ch/blacklist/sslblacklist.rules

We can't change the name of it. That will break setups that have this ruleset enabled. So what do we name the new one:

  # SSBL FP blacklist ruleset.
  sslbl/ssl-fp-blacklist-41+:
    summary: Abuse.ch SSL Blacklist
    vendor: Abuse.ch
    license: Non-Commercial
    url: https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules
    min-version: 4.1.0

Or do we get complex and do something like:

  # SSBL FP blacklist ruleset.
  sslbl/ssl-fp-blacklist:
    summary: Abuse.ch SSL Blacklist
    vendor: Abuse.ch
    license: Non-Commercial
    versions:
      - version: "< 4.1.0" 
        url: https://sslbl.abuse.ch/blacklist/sslblacklist.rules
      - version: ">= 4.1.0" 
        url: https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules

Thoughts? The final version is more complex and would require an update to suricata-update.

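As an added illustration of the selection logic sketched in the two candidate layouts above (this is example code written for this page, not code from suricata-update or from the index itself), the following Python resolves an index entry to a download URL for a given Suricata version. It accepts all three shapes from the comment: a plain url, url plus min-version, and the versions list of constraint/url pairs. The index entries are constructed inline as a Python dict instead of being loaded from index.yaml; the entry name "sslbl/ssl-fp-blacklist-versioned", the function names, and the constraint grammar ("< 4.1.0", ">= 4.1.0", also <=, >, ==) are assumptions made for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed index entries mirroring the three layouts discussed above.
# "sslbl/ssl-fp-blacklist-versioned" is an assumed name used only so that
# all three variants can coexist in one dict (the comment reuses the
# original name for the "versions" layout).
INDEX: Dict[str, dict] = {
    "sslbl/ssl-fp-blacklist": {
        "summary": "Abuse.ch SSL Blacklist",
        "vendor": "Abuse.ch",
        "license": "Non-Commercial",
        "url": "https://sslbl.abuse.ch/blacklist/sslblacklist.rules",
    },
    "sslbl/ssl-fp-blacklist-41+": {
        "summary": "Abuse.ch SSL Blacklist",
        "vendor": "Abuse.ch",
        "license": "Non-Commercial",
        "url": "https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules",
        "min-version": "4.1.0",
    },
    "sslbl/ssl-fp-blacklist-versioned": {
        "summary": "Abuse.ch SSL Blacklist",
        "vendor": "Abuse.ch",
        "license": "Non-Commercial",
        "versions": [
            {"version": "< 4.1.0",
             "url": "https://sslbl.abuse.ch/blacklist/sslblacklist.rules"},
            {"version": ">= 4.1.0",
             "url": "https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules"},
        ],
    },
}

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '4.1.0', '4.1' or '5.0.0-dev' into a comparable 3-tuple.
    A '-suffix' (such as '-dev') is dropped; missing components are zero."""
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}
# Assumed constraint grammar: one operator, whitespace, a dotted version.
_CONSTRAINT = re.compile(r"^\s*(<=|>=|==|<|>)\s*([0-9][0-9.]*)\s*$")


def matches(constraint: str, version: Version) -> bool:
    """True if `version` satisfies a constraint such as '>= 4.1.0'."""
    m = _CONSTRAINT.match(constraint)
    if not m:
        raise ValueError(f"bad version constraint: {constraint!r}")
    op, bound = m.groups()
    return _OPS[op](version, parse_version(bound))


def select_url(source: dict, suricata_version: str) -> Optional[str]:
    """Return the URL to fetch for this Suricata version, or None when the
    source does not apply. First matching 'versions' entry wins; a version
    covered by no entry yields None rather than a wrong rules file."""
    v = parse_version(suricata_version)
    if "versions" in source:
        for entry in source["versions"]:
            if matches(entry["version"], v):
                return entry["url"]
        return None
    if "min-version" in source and v < parse_version(source["min-version"]):
        return None
    return source.get("url")


def resolve_index(index: Dict[str, dict], suricata_version: str) -> Dict[str, str]:
    """Map every applicable source name to the URL chosen for this version."""
    resolved = {}
    for name, source in index.items():
        url = select_url(source, suricata_version)
        if url is not None:
            resolved[name] = url
    return resolved


if __name__ == "__main__":
    for ver in ("4.0.5", "4.1.0", "5.0.0-dev"):
        print(ver, resolve_index(INDEX, ver))
```

With the "min-version" layout a 4.0.x install simply never sees the new source, which is the behaviour that keeps existing configurations working; the "versions" layout lets the same source name serve both files, at the cost of the constraint parser above living inside suricata-update.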
#2 Updated by Peter Manev about 7 years ago

I like the suggestion but personally would vote for the simplest one - "min version".

#3 Updated by Peter Manev about 7 years ago

FYI
There are also URL blacklist rules for Suricata (freshly released, I think) -

https://urlhaus.abuse.ch/api/#retrieve
The rules file itself - https://urlhaus.abuse.ch/downloads/ids/

#4 Updated by Victor Julien about 7 years ago

  • Project changed from Suricata to Suricata-Update

#5 Updated by Andreas Herz almost 7 years ago

  • Assignee set to Jason Ish

#6 Updated by Shivani Bhardwaj over 6 years ago

#7 Updated by Jason Ish 9 months ago

  • Status changed from New to Closed

Closing. Many updates to the index have been made with respect to abuse.ch rulesets since this ticket.
