Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

research and create detectors for items from the Known Exploited Vulnerabilities Catalog #251

Closed
mmguero opened this issue Sep 5, 2023 · 5 comments
Closed

research and create detectors for items from the Known Exploited Vulnerabilities Catalog #251

mmguero opened this issue Sep 5, 2023 · 5 comments
Assignees
@IdahoManny
Labels
enhancement New feature or request ics Relating to ICS (Industrial Control Systems) devices zeek Relating to Malcolm's use of Zeek

Comments

@mmguero
Copy link
Collaborator

mmguero commented Sep 5, 2023

Links

Summary

It would be valuable for the Malcolm development team to identify ICS-focused vulnerabilities specified in the CISA KEV catalog and create detectors for them. Most likely these would be in the form of Zeek notices, although we also have Suricata, YARA, the anomaly detection plugin, potentially Sigma (see #162), or anything else at our disposal to do so.

As we identify items from the KEV catalog, we should create individual bugs for each of them that reference back to this issue.
@mmguero mmguero added enhancement New feature or request ics Relating to ICS (Industrial Control Systems) devices zeek Relating to Malcolm's use of Zeek labels Sep 5, 2023
@IdahoManny IdahoManny self-assigned this Nov 13, 2023
@mmguero mmguero added the CISA label Nov 13, 2023
@mmguero
Copy link
Collaborator Author

mmguero commented Nov 14, 2023

@IdahoManny our DHS lead suggested looking at "this zyxel vuln" as a good option for KEV detection

@mmguero
Copy link
Collaborator Author

mmguero commented Nov 27, 2023

This might be a resource worth looking at: https://networkforensic.dk/SNORT/

@mmguero mmguero modified the milestones: v23.12.1, v24.01.0 Dec 5, 2023
@IdahoManny
Copy link
Collaborator

IdahoManny commented Dec 13, 2023
edited
Loading

Hello Seth,
Suricata tested rules have been created based on the Zyxel SektorCERT Report. Ran into issues with the creation of Zeek notices. I've created some, but they would not validate when testing. I will have to do more research on Zeek notices.
Tested-snort-suricata-SektorCERT-rules.txt

mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Dec 13, 2023
@mmguero
idaholab#251; include CVE-2023-28771 rule based on Zyxel SektorCERT R…
e5f63bf 
…eport
@mmguero mmguero mentioned this issue Dec 18, 2023
Closed
@mmguero
Copy link
Collaborator Author

mmguero commented Dec 18, 2023

We're going to track these individually going forward. As new detectors/rules are developed, create individual rules for the KEV/CVE.

@mmguero mmguero removed this from the v24.01.0 milestone Dec 18, 2023
@mmguero mmguero closed this as completed Dec 18, 2023
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Jan 17, 2024
@mmguero
Merge pull request idaholab#251 from cisagov/dependabot/pip/api/flask…
a283feb 
…-2.3.2

Bump flask from 2.0.2 to 2.3.2 in /api
@IdahoManny
Copy link
Collaborator

Hello Seth, from email, I've attached Suricata Snort rules for CVE-2023-6448.
snort_cve-2023-6448rules.txt
suricata_cve-2023-6448rules.txt

@mmguero mmguero mentioned this issue Jan 29, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@IdahoManny IdahoManny

Labels
enhancement New feature or request ics Relating to ICS (Industrial Control Systems) devices zeek Relating to Malcolm's use of Zeek
Projects
Malcolm
Status: Invalid
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mmguero @IdahoManny