Multi-threaded suricata search module for MISP
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
imgs
README.md
keys.py.sample
suricata_search.py

README.md

Description

Get all attributes, from a MISP (https://github.com/MISP) instance, that can be converted into Suricata rules, given a parameter and a term to search

requires

Usage

  • suricata_search.py -p tags -s 'APT' -o misp_ids.rules -t 5

    • search for 'APT' tag
    • use 5 threads while generating IDS rules
    • dump results to misp_ids.rules
  • suricata_search.py -p tags -s 'APT' -o misp_ids.rules -ne 411 357 343

    • same as above, but skip events ID 411,357 and 343
  • suricata_search.py -p tags -s 'circl:incident-classification="malware", tlp:green' -o misp_ids.rules

    • search for multiple tags 'circl:incident-classification="malware", tlp:green'
  • suricata_search.py -p categories -s 'Artifacts dropped' -t 20 -o artifacts_dropped.rules

    • search for category 'Artifacts dropped'
    • use 20 threads while generating IDS rules
    • dump results to artifacts_dropped.rules

Conf

  • rename keys.py.sample to keys.py
  • set appropriate value for:
    • misp_url
    • misp_key

Screenshots

python3 suricata_search.py -p tags -s 'APT' -o misp_ids.rules -t 5

suricata_search_tag

python3 suricata_search.py -p tags -s 'APT, tlp:green' -o misp_ids.rules -t 5

suricata_search_tag_x2