Rule2Alert - The 5K Alert Run

The original goal for today's work on Rule2Alert was to get alerts out of 3000 rules in emerging-all.rules. Before, a run averaged around 2.2k alerts; however, after a few minor modifications I was able to get 5439 alerts.

python r2a.py -f emerging-all.rules -e 1.1.1.1 -m 192.168.1.1 -w all.pcap -t

The changes made to rule2alert were minor, but they had a huge impact on the number of rules for which a triggering packet can be generated (at least with emerging-all.rules).

Changes
---------

Changed the RevRegex.py file, which attempts to flatten a rule's regular expression into literal content text. When it finds pcre:"/something/U" it now returns a uricontent match instead of the content match it returned before. The U modifier tells Snort to run the expression against the normalized URI buffer, so the flattened text has to land in the request URI rather than in the raw payload for the rule to fire. This makes rule2alert able to generate almost all of the User-Agent rules that Emerging Threats has available.

Changed the handshake for to_client rules. Previously, when a rule had flow:established, the generated flow always started with the $HOME_NET address sending the SYN packet. Now, if the rule is, for example, $EXTERNAL_NET any -> $HOME_NET 80 with flow:established,to_client, the external IP initiates the SYN for the handshake.
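A worked illustration of both changes above, added here as example code and not taken from rule2alert itself: it parses a Snort tcp rule, picks which side opens the connection from the rule header and the flow: keywords, flattens pcre options into content or uricontent text (uricontent whenever the U modifier is present), and puts URI text in the request line. It assumes the -m and -e addresses from the command line above, resolves any to port 40000 and $HTTP_PORTS to 80, uses a deliberately small regex flattener (alternation is rejected rather than guessed), and the three rules are constructed samples, not entries from emerging-all.rules. One caveat on direction: Snort defines to_server/from_client as "the rule's source address is the client" and to_client/from_server as "the rule's source is the server", so the code below derives the SYN sender from those keywords rather than from which side is $HOME_NET.

```python
# Added example (not rule2alert's own code): pick the TCP handshake initiator
# from a Snort rule and flatten pcre options into content/uricontent text.
import re

# -m / -e addresses from the post's command line; the port defaults are assumptions.
NET = {"$HOME_NET": "192.168.1.1", "$EXTERNAL_NET": "1.1.1.1"}
PORT = {"$HTTP_PORTS": 80, "any": 40000}
HEADER_RE = re.compile(r"^alert\s+tcp\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def port(p):
    return PORT[p] if p in PORT else int(p)


def parse_rule(rule):
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported header: " + rule)
    src, sport, dst, dport, body = m.groups()
    opts = [(k, v.strip('"')) for k, v in OPTION_RE.findall(body)]
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "opts": opts}


def endpoints(rule):
    """(client_ip, client_port, server_ip, server_port, client_is_src). Snort:
    to_server/from_client = rule source is the client; to_client/from_server =
    rule source is the server, so the rule's destination sends the SYN."""
    flow = set()
    for k, v in rule["opts"]:
        if k == "flow":
            flow.update(x.strip() for x in v.split(","))
    client_is_src = not (flow & {"to_client", "from_server"})
    if client_is_src:
        c, cp, s, sp = rule["src"], rule["sport"], rule["dst"], rule["dport"]
    else:
        c, cp, s, sp = rule["dst"], rule["dport"], rule["src"], rule["sport"]
    return NET.get(c, c), port(cp), NET.get(s, s), port(sp), client_is_src


def flatten_pcre(value):
    """pcre:"/regex/mods" -> (keyword, literal); keyword is 'uricontent' when the
    U modifier is present. Simplified: anchors, escapes, \\d \\s \\w \\xHH, '.',
    [classes], (groups) and * + ? only; anything else fails the self-check."""
    regex, mods = re.match(r"^/(.*)/([a-zA-Z]*)$", value).groups()
    out, i = [], 0
    while i < len(regex):
        c = regex[i]
        if c == "\\":
            n, i = regex[i + 1], i + 2
            if n == "x":                       # \xHH -> that byte
                out.append(chr(int(regex[i:i + 2], 16)))
                i += 2
            else:                              # \d \s \w or an escaped literal
                out.append({"d": "1", "s": " ", "w": "a"}.get(n, n))
        elif c == "[":                         # pick one member of the class
            j = regex.index("]", i)
            inside = regex[i + 1:j]
            out.append("0" if inside.startswith("^") else inside.lstrip("\\")[0])
            i = j + 1
        elif c == "|":
            raise ValueError("alternation is not flattened: " + value)
        else:
            if c not in "^$()*+?":             # one copy already satisfies * + ?
                out.append("A" if c == "." else c)
            i += 1
    text = "".join(out)
    flags = (re.I if "i" in mods else 0) | (re.M if "m" in mods else 0) | (re.S if "s" in mods else 0)
    if not re.search(regex, text, flags):      # never emit text that misses its own regex
        raise ValueError("could not flatten " + value)
    return ("uricontent" if "U" in mods else "content"), text


def build_session(rule_text):
    """Three-way handshake opened by the client side, then one data segment in
    the rule's direction carrying the flattened matches."""
    rule = parse_rule(rule_text)
    c, cp, s, sp, client_is_src = endpoints(rule)
    uri, body = [], []
    for k, v in rule["opts"]:
        if k in ("content", "uricontent"):
            (uri if k == "uricontent" else body).append(v)
        elif k == "pcre":
            kind, text = flatten_pcre(v)
            (uri if kind == "uricontent" else body).append(text)
    payload = ""
    if uri:  # URI text must be in the request line for http_inspect to normalise it
        payload += "GET %s HTTP/1.1\r\nHost: %s\r\n" % ("".join(uri), s)
    payload += "".join(body) + "\r\n"
    pkts = [(c, cp, s, sp, "S", ""), (s, sp, c, cp, "SA", ""), (c, cp, s, sp, "A", "")]
    data = (c, cp, s, sp) if client_is_src else (s, sp, c, cp)
    pkts.append(data + ("PA", payload))
    return pkts


# Constructed sample rules in Snort syntax (not taken from emerging-all.rules).
SAMPLE_RULES = [
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE scanner UA"; '
    r'flow:established,to_server; pcre:"/User-Agent\:\s+BadScanner\/\d+\.\d+/i"; sid:9000001; rev:1;)',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE evil uri"; '
    r'flow:established,to_server; pcre:"/\/cgi-bin\/evil\.php\?cmd=[a-z]+/Ui"; sid:9000002; rev:1;)',
    r'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE fake banner"; '
    r'flow:established,to_client; content:"Server: EvilHTTPd"; sid:9000003; rev:1;)',
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        for p in build_session(r):
            print("%s:%d -> %s:%d [%s] %r" % p)
```

Running it prints each session: the first two rules get their SYN from 1.1.1.1 because to_server makes $EXTERNAL_NET the client, the third gets it from 192.168.1.1 because to_client makes $EXTERNAL_NET:80 the server, and the /U rule ends up as a GET request line rather than a bare payload. Every flattened pcre is checked against its own regex with Python's re before use, so a rule the flattener cannot reproduce is reported instead of quietly producing a packet that never alerts.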

Features
----------

After attempting to generate all of the rules in emerging-all, my next plan is to build in IDS evasion techniques. Applying evasions to packets that are already known to alert will further stress-test the IDS's ability to detect those techniques.

*The pcap generated by r2a in this example can be downloaded here

Comments

Trouble adding Conficker rules

Hi,

I've started using r2a for a project I'm working on. It's awesome. However, running a test on some general Conficker rules is creating all sorts of problems for me. I can't find a mailing list for the project to send the errors and details to. I would appreciate a contact email for correspondence.

Contact

You can email me at this email address: famousjs ]at[ malforge dot com