
Feature #2784

rules index update - ssl blacklists

Added by Peter Manev 7 months ago. Updated 3 months ago.

Status: New
Priority: Normal
Assignee:
Target version: -
Effort:
Difficulty:
Label:

Description

Currently the ruleset index located here - https://www.openinfosecfoundation.org/rules/index.yaml

has the following SSL blacklist download link - https://sslbl.abuse.ch/blacklist/sslblacklist.rules
However, those rules are for Suricata versions 1.4+ ... 3.0/4.0.

For rules that are Suricata 4.1.0+ compatible, the link is this one - https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules

History

#1

Updated by Jason Ish 7 months ago

I'm wondering how we should handle this. Rule sources like ET use the version as part of the URL; here they do not, so I wonder if we need to add a separate rule source. For example we have:

  # SSBL FP blacklist ruleset.
  sslbl/ssl-fp-blacklist:
    summary: Abuse.ch SSL Blacklist
    vendor: Abuse.ch
    license: Non-Commercial
    url: https://sslbl.abuse.ch/blacklist/sslblacklist.rules

We can't change the name of it. That will break setups that have this ruleset enabled. So what do we name the new one:

  # SSBL FP blacklist ruleset.
  sslbl/ssl-fp-blacklist-41+:
    summary: Abuse.ch SSL Blacklist
    vendor: Abuse.ch
    license: Non-Commercial
    url: https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules
    min-version: 4.1.0

Or do we get complex and do something like:

  # SSBL FP blacklist ruleset.
  sslbl/ssl-fp-blacklist:
    summary: Abuse.ch SSL Blacklist
    vendor: Abuse.ch
    license: Non-Commercial
    versions:
      - version: "< 4.1.0"
        url: https://sslbl.abuse.ch/blacklist/sslblacklist.rules
      - version: ">= 4.1.0"
        url: https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules

Thoughts? The final version is more complex and would require an update to suricata-update.
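To make the three index layouts above concrete, here is an added example (not code from suricata-update or the index itself) that resolves a rule source to a download URL for a given Suricata version. The index entries are a constructed Python rendering of the YAML snippets in this comment; the `min-version` and `versions` fields are the proposals under discussion, not fields suricata-update is known to support, and the source name `sslbl/ssl-fp-blacklist-versioned` is a hypothetical name for the third variant.

```python
"""Resolve a rule-source entry to a download URL for a given Suricata version.

Added example, not code from suricata-update. The index below is a constructed
Python rendering of the YAML variants discussed in the issue; `min-version`
and `versions` are the proposed fields, not known suricata-update fields.
"""
import operator
import re

OLD_URL = "https://sslbl.abuse.ch/blacklist/sslblacklist.rules"
NEW_URL = "https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules"

# Constructed index mirroring the three variants from the discussion.
INDEX = {
    # Variant 1: the existing entry, no version information at all.
    "sslbl/ssl-fp-blacklist": {
        "summary": "Abuse.ch SSL Blacklist",
        "url": OLD_URL,
    },
    # Variant 2: a second source gated by a proposed `min-version` field.
    "sslbl/ssl-fp-blacklist-41+": {
        "summary": "Abuse.ch SSL Blacklist",
        "url": NEW_URL,
        "min-version": "4.1.0",
    },
    # Variant 3 (hypothetical name): one source with per-version URLs.
    "sslbl/ssl-fp-blacklist-versioned": {
        "summary": "Abuse.ch SSL Blacklist",
        "versions": [
            {"version": "< 4.1.0", "url": OLD_URL},
            {"version": ">= 4.1.0", "url": NEW_URL},
        ],
    },
}

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq}
_CONSTRAINT = re.compile(r"^\s*(<=|>=|==|<|>)?\s*(\d+(?:\.\d+)*)\s*$")


def parse_version(text):
    """'4.1.0' -> (4, 1, 0); padded to three components so '4.1' == '4.1.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def matches(constraint, version):
    """True if `version` satisfies a constraint such as '>= 4.1.0'.

    A bare version with no operator is treated as an exact match; anything
    else that does not parse is rejected rather than silently ignored.
    """
    m = _CONSTRAINT.match(constraint)
    if not m:
        raise ValueError("bad version constraint: %r" % constraint)
    op = m.group(1) or "=="
    return _OPS[op](parse_version(version), parse_version(m.group(2)))


def resolve_url(source, suricata_version):
    """Return the URL usable with `suricata_version`, or None if none applies."""
    if "versions" in source:
        for entry in source["versions"]:
            if matches(entry["version"], suricata_version):
                return entry["url"]
        return None
    min_version = source.get("min-version")
    if min_version and parse_version(suricata_version) < parse_version(min_version):
        return None
    return source.get("url")


def applicable_sources(index, suricata_version):
    """Map source name -> URL for every source usable with `suricata_version`."""
    result = {}
    for name, source in index.items():
        url = resolve_url(source, suricata_version)
        if url:
            result[name] = url
    return result


if __name__ == "__main__":
    for v in ("4.0.5", "4.1.0", "5.0.0"):
        print(v, applicable_sources(INDEX, v))
```

Note that variant 1 always resolves regardless of version, which is the compatibility concern raised above: an existing setup with `sslbl/ssl-fp-blacklist` enabled keeps getting the old file, so the `min-version` approach only helps users who also enable the new source, whereas the `versions` list switches them automatically at the cost of a suricata-update change.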

#2

Updated by Peter Manev 7 months ago

I like the suggestion but personally would vote for the simplest one - "min version".

#3

Updated by Peter Manev 7 months ago

FYI
There are also URL blacklist rules for Suricata (freshly released, I think):

https://urlhaus.abuse.ch/api/#retrieve
The rules file itself: https://urlhaus.abuse.ch/downloads/ids/

#4

Updated by Victor Julien 5 months ago

  • Project changed from Suricata to Suricata-Update

#5

Updated by Andreas Herz 3 months ago

  • Assignee set to Jason Ish
