A new generation network detection format inspired from Sigma.
You can test the format here nyx.alpinedev.fr
Note
This is an ongoing work (not yet alpha), there could be some incoherences between parts of the project
We are dealing with specific rules of different IPS/IDS, and we need to find a common basis to discharge analyst from the burden of knowing all the details of multiple IPS/IDS. A simple format, like Sigma, will allow all analysts to easily craft their own rules, which can be converted then on the IDS/IPS format of their choice. We want this format to be extensive, as the network rules can be fine tuned to be more efficient following each IPS/IDS specificity.
We don't want to be exhaustive and fully compliant with one format or another, our objective is to conceptualize network rules and remove useless complexities from analysts.
We will first focus on suricata and snort formats.
Watch the format specification
Go to the current issues i am struggling with on current thinking
I deployed a web app to test the format here nyx.alpinedev.fr.
A baby script is also available on pypi :
pip install pynyx
nyx your_rule.yamlYou can check that the rule is suricata validated by copying your rule to a file and running :
./scripts/test_alert_suricata.sh ./tests/test.rules # replace here with your file with your suricata alert inside