
otx-suricata's People

Contributors

austin-taylor, rspitler-alien

otx-suricata's Issues

rules configuration error

Rules configuration error: after getting the rules we can't use them; we get errors like the ones below.

Suricata Version 6.0.3

22/8/2021 -- 06:17:19 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse b'BRONZE UNION Cyberespionage Persists Despite Disclosures'";  filemd5:md5file/595f8a578737585d5df566c5.txt; reference: url, otx.alienvault.com/pulse/595f8a578737585d5df566c5; sid:414779; rev:1;)"
22/8/2021 -- 06:17:19 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse b'BRONZE UNION Cyberespionage Persists Despite Disclosures'";  filemd5:md5file/595f8a578737585d5df566c5.txt; reference: url, otx.alienvault.com/pulse/595f8a578737585d5df566c5; sid:414779; rev:1;)" from file /var/lib/suricata/rules/otx_file_rules.rules at line 1753
22/8/2021 -- 06:17:19 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse b'XData ransomware attacked users in Ukraine'";  filemd5:md5file/595613f3e7adef22e04aac28.txt; reference: url, otx.alienvault.com/pulse/595613f3e7adef22e04aac28; sid:418597; rev:1;)"

--destination-directory error

hello,

Using c5b1b65 on Ubuntu 14.04.4, I get the following error:

suricata.py: error: argument --destination-directory/-dd: can't open '/etc/suricata/rules/': [Errno 21] Is a directory: '/etc/suricata/rules/'

thank you.

categories.txt reset

The script, rather than inserting an entry into categories.txt, overwrites the file, which is problematic when using reputation sources besides OTX.

SIDs generated by this script aren't always unique:

e.g.

alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse Inside the spyware campaign against Argentine troublemakers";  filemd5:55d79cc967db8c7bb8cb5a72.txt; reference: url, otx.alienvault.com/pulse/55d79cc967db8c7bb8cb5a72; sid:414932; rev:1;)
alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse Macro Downloaders (Aga Dell)";  filemd5:58c69a109c4484412c9d2a3b.txt; reference: url, otx.alienvault.com/pulse/58c69a109c4484412c9d2a3b; sid:414932; rev:1;)

Uncaught exception on empty response from OTX

OTXv2.py throws an exception from line 83 (response.read().decode...) if there is no data in the response.

I find that this happens at least once while running the ip reputation generator on reasonably large pulse subscriptions. As the exception is uncaught, the long-running getall_iter() fails and getting an updated reputation.list is very difficult.

Possibly failing with recently updated OTX API?

Traceback (most recent call last):
  File "/opt/otx-suricata/suricata.py", line 141, in <module>
    sclient.generate_rules(not args.skip_iprep, not args.skip_filemd5)
  File "/opt/otx-suricata/suricata.py", line 37, in generate_rules
    for pulse in self.client.getall_iter():
  File "/usr/local/lib/python2.7/dist-packages/OTXv2.py", line 287, in getall_iter
    json_data = self.get(next_page_url)
  File "/usr/local/lib/python2.7/dist-packages/OTXv2.py", line 83, in get
    data = response.read().decode('utf-8')
AttributeError: 'NoneType' object has no attribute 'read'
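The two reports above describe the same transient failure: the OTX client hands back an empty body (response is None), OTXv2.get() dereferences it, and the long-running getall_iter() walk dies on one bad page. The block below is an added example written for this page, not code from otx-suricata or the OTXv2 client. It wraps an injected fetch_page() callable with bounded retries and an explicit error when a page never comes back, and exercises it against a constructed in-memory stand-in for the API. The host otx.example, the page URLs and the {"results": [...], "next": ...} page shape are assumptions.

```python
import time

# Constructed endpoints (the host is made up); the path mirrors an OTX
# "subscribed pulses" listing, but nothing here talks to the network.
BASE = "https://otx.example/api/v1/pulses/subscribed?page="
PAGE1, PAGE2, PAGE3 = BASE + "1", BASE + "2", BASE + "3"


class OTXPageError(RuntimeError):
    """A page could not be fetched after all retries; without its 'next' link the walk cannot go on."""


class PulseWalker:
    """Iterate every pulse in a paginated listing, retrying pages that come back empty.

    fetch_page(url) is assumed to return the decoded JSON page as a dict
    ({"results": [...], "next": url_or_None}) or None when the HTTP layer
    handed back an empty body, which is the case OTXv2.get() did not handle.
    """

    def __init__(self, fetch_page, first_url, retries=3, backoff=0.0):
        self.fetch_page, self.first_url = fetch_page, first_url
        self.retries, self.backoff = retries, backoff
        self.stats = {"pages": 0, "retried": 0}

    def _fetch_with_retry(self, url):
        for attempt in range(self.retries + 1):
            try:
                page = self.fetch_page(url)
            except (IOError, ValueError):   # reset connection, truncated or invalid JSON
                page = None
            if isinstance(page, dict):
                return page
            self.stats["retried"] += 1
            time.sleep(self.backoff * (2 ** attempt))   # exponential backoff, 0 in the demo
        raise OTXPageError("no usable response from %s after %d attempts" % (url, self.retries + 1))

    def __iter__(self):
        url = self.first_url
        while url:
            page = self._fetch_with_retry(url)
            self.stats["pages"] += 1
            for pulse in page.get("results", []):
                yield pulse
            url = page.get("next")


class FlakyServer:
    """Constructed stand-in for the OTX API: listed URLs return an empty body the first time."""

    PAGES = {
        PAGE1: {"results": [{"id": "p1"}, {"id": "p2"}], "next": PAGE2},
        PAGE2: {"results": [{"id": "p3"}], "next": PAGE3},
        PAGE3: {"results": [{"id": "p4"}], "next": None},
    }

    def __init__(self, fail_once_on=()):
        self.fail_once_on, self.failed, self.calls = set(fail_once_on), set(), 0

    def fetch(self, url):
        self.calls += 1
        if url in self.fail_once_on and url not in self.failed:
            self.failed.add(url)
            return None               # what an empty HTTP body looks like to the caller
        return self.PAGES[url]


def collect_ids(fetch_page, first_url, retries=3):
    """Drive the walker to completion; returns (pulse ids, stats) so callers can log retries."""
    walker = PulseWalker(fetch_page, first_url, retries=retries)
    return [p["id"] for p in walker], walker.stats


if __name__ == "__main__":
    server = FlakyServer(fail_once_on=[PAGE2])
    print(collect_ids(server.fetch, PAGE1))
```

Run as a script it walks the three constructed pages, with page 2 empty on its first request, and prints the four pulse ids together with the retry count. To use it with a real client, pass a function that performs the HTTP request and returns None (instead of raising) on an empty body; the walker then decides whether that is worth retrying.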

Python3 Warning

When run with Python 3 (v3.7.3), warnings are output for unsupported library versions:

/usr/lib/python3/dist-packages/requests/__init__.py:91: RequestsDependencyWarning: urllib3 (1.25.2) or chardet (3.0.4) doesn't match a supported version!

Unescaped Semi-colons

Semi-colons in a number of default OTX rules are not being escaped correctly...

#22/11/2018 -- 02:08:05 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - bad option value formatting (possible missing semicolon) for keyword msg: '"OTX - FILE MD5 from pulse Cross-Platform Adware'
#22/11/2018 -- 02:08:05 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse Cross-Platform Adware; OSX/Pirrit";  filemd5:5707d68267db8c4b471bdacf.txt; reference: url, otx.alienvault.com/pulse/5707d68267db8c4b471bdacf; sid:415921; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 8404
#22/11/2018 -- 02:08:06 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - bad option value formatting (possible missing semicolon) for keyword msg: '"OTX - FILE MD5 from pulse OilRig uses ISMDoor variant'
#22/11/2018 -- 02:08:06 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse OilRig uses ISMDoor variant; Possibly Linked to Greenbug Threat Group";  filemd5:5979ed91a87db72373caeedb.txt; reference: url, otx.alienvault.com/pulse/5979ed91a87db72373caeedb; sid:416715; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25898
#22/11/2018 -- 02:08:06 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - bad option value formatting (possible missing semicolon) for keyword msg: '"OTX - FILE MD5 from pulse &#39'
#22/11/2018 -- 02:08:06 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse &#39;Los Pollos Hermanos&#39; crypto ransomware using PowerShell Empire";  filemd5:555b6414b45ff5650e2e4e03.txt; reference: url, otx.alienvault.com/pulse/555b6414b45ff5650e2e4e03; sid:417984; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 28848
#22/11/2018 -- 02:08:06 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - bad option value formatting (possible missing semicolon) for keyword msg: '"OTX - FILE MD5 from pulse Zcrypt Expands Reach as &#39'
#22/11/2018 -- 02:08:06 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse Zcrypt Expands Reach as &#39;Virus Ransomware&#39;";  filemd5:5758c4e8377bbb01340e895d.txt; reference: url, otx.alienvault.com/pulse/5758c4e8377bbb01340e895d; sid:415361; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 33699
#22/11/2018 -- 02:08:07 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - bad option value formatting (possible missing semicolon) for keyword msg: '"OTX - FILE MD5 from pulse New &quot'
#22/11/2018 -- 02:08:07 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse New &quot;Bart&quot; Ransomware from Threat Actors Spreading Dridex and Locky";  filemd5:576da1ebf9467301352ce785.txt; reference: url, otx.alienvault.com/pulse/576da1ebf9467301352ce785; sid:412489; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 73956
#22/11/2018 -- 02:08:08 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - bad option value formatting (possible missing semicolon) for keyword msg: '"OTX - FILE MD5 from pulse Trickbot Implements Network Collector Module Leveraging CMD, WMI &amp'
#22/11/2018 -- 02:08:08 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse Trickbot Implements Network Collector Module Leveraging CMD, WMI &amp; LDAP";  filemd5:5ac41c2acc63930ce439ce9e.txt; reference: url, otx.alienvault.com/pulse/5ac41c2acc63930ce439ce9e; sid:411456; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 82590

Duplicate SID

The suricata.py file generates the same signatures with different filemd5 hashes for the same attack type. Any help here would be greatly appreciated. Thank you so much for providing this integration point!! It's very appreciated!
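The SID and msg reports on this page (the duplicate signatures and the b'...' prefix in "rules configuration error", "SIDs generated by this script aren't always unique", "Unescaped Semi-colons" and "Duplicate SID") share one root cause: the pulse name is written into msg: without escaping, and SIDs are derived in a way that collides. The block below is an added example written for this page, not code from the otx-suricata project. It builds filemd5 rules with an escaped msg value, allocates stable collision-free SIDs, and lints the output the way Suricata tokenizes options so both SC_ERR_INVALID_SIGNATURE and SC_ERR_DUPLICATE_SIG are caught before a reload. The SID range, the sample pulses (their names are built from the pulse titles quoted in the reports) and the filemd5 file naming are assumptions.

```python
import hashlib
import html
import re

# Constructed sample pulses (not live OTX data). The names reproduce the
# failure modes reported above: a bytes name (the b'...' artefact), HTML
# entities, an embedded semicolon and embedded quotes.
SAMPLE_PULSES = [
    {"id": "595f8a578737585d5df566c5",
     "name": b"BRONZE UNION Cyberespionage Persists Despite Disclosures"},
    {"id": "5707d68267db8c4b471bdacf", "name": "Cross-Platform Adware; OSX/Pirrit"},
    {"id": "576da1ebf9467301352ce785",
     "name": "New &quot;Bart&quot; Ransomware from Threat Actors Spreading Dridex and Locky"},
]

SID_BASE = 4100000   # assumed private SID range; keep it clear of your other rule sources
SID_SPACE = 100000


def clean_msg(name):
    """Make a pulse name safe inside a Suricata msg:"..." option."""
    if isinstance(name, bytes):               # str(bytes) on Python 3 is what produced b'...'
        name = name.decode("utf-8", "replace")
    name = html.unescape(name)                # &quot; &amp; &#39; -> " & '
    name = re.sub(r"\s+", " ", name).strip()
    name = name.replace("\\", "\\\\")         # backslash first, then the characters it escapes
    return name.replace('"', '\\"').replace(";", "\\;")


class SidAllocator:
    """Stable, collision-free SIDs: hash the pulse id into SID_SPACE slots, probe forward on collision."""

    def __init__(self, base=SID_BASE, space=SID_SPACE):
        self.base, self.space, self.by_pulse, self.used = base, space, {}, set()

    def sid_for(self, pulse_id):
        if pulse_id in self.by_pulse:
            return self.by_pulse[pulse_id]
        slot = int(hashlib.sha256(pulse_id.encode()).hexdigest()[:8], 16) % self.space
        for _ in range(self.space):
            sid = self.base + slot
            if sid not in self.used:
                self.used.add(sid)
                self.by_pulse[pulse_id] = sid
                return sid
            slot = (slot + 1) % self.space
        raise RuntimeError("SID space exhausted")


def filemd5_rule(pulse_id, name, sid):
    return ('alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse %s"; '
            'filemd5:%s.txt; reference:url,otx.alienvault.com/pulse/%s; sid:%d; rev:1;)'
            % (clean_msg(name), pulse_id, pulse_id, sid))


def generate_rules(pulses, allocator=None):
    allocator = allocator or SidAllocator()
    return [filemd5_rule(p["id"], p["name"], allocator.sid_for(p["id"])) for p in pulses]


def split_options(body):
    """Split a rule body on unescaped ';', the way Suricata tokenizes options."""
    opts, cur, escaped = [], [], False
    for ch in body:
        if escaped or ch == "\\":
            cur.append(ch)
            escaped = not escaped
        elif ch == ";":
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts


def _properly_quoted(value):
    """True if value is "..." and the closing quote is not itself escaped."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return False
    inner = value[1:-1]
    return (len(inner) - len(inner.rstrip("\\"))) % 2 == 0


def lint_rules(rules):
    """(line, problem) pairs for what a Suricata load would reject: bad msg, duplicate sid."""
    problems, seen = [], {}
    for lineno, rule in enumerate(rules, 1):
        body = rule[rule.index("(") + 1:rule.rindex(")")]
        opts = dict(o.split(":", 1) for o in split_options(body) if ":" in o)
        if not _properly_quoted(opts.get("msg", "")):
            problems.append((lineno, 'bad msg formatting (unescaped ; or " in pulse name?)'))
        sid = opts.get("sid", "")
        if not sid.isdigit():
            problems.append((lineno, "missing sid"))
        elif sid in seen:
            problems.append((lineno, "duplicate sid %s (first at line %d)" % (sid, seen[sid])))
        else:
            seen[sid] = lineno
    return problems
```

Running lint_rules over the generated file before handing it to Suricata reports the two errors seen in the logs above (a msg value cut short by an unescaped semicolon or quote, and a reused sid) without a suricata -T run. For a real generator, persist the allocator's by_pulse map between runs so a pulse keeps its sid when the feed is regenerated, otherwise every refresh renumbers the rules and breaks any tuning keyed on sid.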
