1.根据关键字查询规则
2.根据SID查询
3.二进制包工具使用
Python 代码
import requests
import tarfile
import os
import re
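# Download the ET Open rule archive for a given Suricata version
def et_rules_download():
    """Download the Emerging Threats Open ruleset to ./emerging.rules.tar.gz.

    Prompts for the Suricata version on stdin, builds the download URL from
    it, fetches the archive over HTTPS and streams it to disk.

    Raises:
        ValueError: if the entered version is not a dotted number; the value
            is interpolated into a URL path, so anything else is rejected
            rather than sent to the server.
        requests.HTTPError: if the server answers with an error status.
            Without this check an HTML error page would be saved under the
            .tar.gz name and only fail later, inside tarfile.open().
        requests.RequestException: on connection failure or timeout.
    """
    version = input("请输入Suricata的版本号(例:6.0.8)\n").strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unexpected Suricata version string: {version!r}")
    print("正在同步ET规则请等待...")
    # NOTE(review): the template puts a literal "version" after the number;
    # confirm the path against the ET Open download page before relying on it.
    url = f"https://rules.emergingthreats.net/open/suricata-{version}version/emerging.rules.tar.gz"
    header = {'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"}
    # Bounded connect/read timeouts so a stalled server cannot hang the tool;
    # stream=True keeps the archive out of memory while it is written.
    with requests.get(url, headers=header, stream=True, timeout=(10, 60)) as response:
        response.raise_for_status()
        with open("emerging.rules.tar.gz", "wb") as f:
            for chunk in response.iter_content(64 * 1024):
                f.write(chunk)
    # NOTE(review): the archive is authenticated only by TLS; verifying a
    # publisher-provided checksum before extracting would be stronger.
    print("同步ET规则完毕!")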
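# Extract the rule archive into the current working directory
def untar_rules_files(rules_files):
    """Extract *rules_files* (a tar / tar.gz path) into the current directory.

    Every member path is checked before anything is written: absolute paths
    and ".." components are rejected, so a crafted archive cannot write
    outside the working directory (the classic tarfile path-traversal issue
    that a bare ``extractall()`` is exposed to). On Pythons that ship
    ``tarfile.data_filter`` the built-in "data" filter is applied as well,
    which additionally neutralises links and special files.

    Args:
        rules_files: path to the archive.

    Raises:
        ValueError: if a member path would escape the extraction directory.
        tarfile.TarError: if the file is not a readable tar archive, or the
            data filter rejects a member.
    """
    with tarfile.open(rules_files) as archive:
        for member in archive.getmembers():
            parts = member.name.replace("\\", "/").split("/")
            if os.path.isabs(member.name) or ".." in parts:
                raise ValueError(f"unsafe path in archive: {member.name!r}")
        if hasattr(tarfile, "data_filter"):
            archive.extractall(filter="data")
        else:
            archive.extractall()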
# Collect the names of the rule files under ./rules
def list_rules_files():
    """Return the entries of the ``rules`` directory whose name contains ".rules".

    Only the ``rules`` folder below the current working directory (where the
    archive was extracted) is inspected. The match is a plain substring test,
    and the order is whatever ``os.listdir`` yields.
    """
    return [entry for entry in os.listdir("rules") if ".rules" in entry]
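# Read every rules file and keep the lines that mention an alert
def get_rules():
    """Return every line containing "alert" from all files in ./rules.

    Files are decoded as UTF-8 with undecodable bytes replaced, so a stray
    non-ASCII byte in one rule cannot abort the whole scan (the previous
    locale-dependent default would raise UnicodeDecodeError on hosts whose
    default codec is not UTF-8). Lines are returned verbatim, trailing
    newline included. The substring test also keeps commented-out rules
    such as ``#alert ...``.
    """
    rule_list = []
    for rules_name in list_rules_files():
        path = os.path.join("rules", rules_name)
        with open(path, "r", encoding="utf-8", errors="replace") as f1:
            rule_list.extend(line for line in f1 if "alert" in line)
    return rule_list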
# Render each alert rule as a small labelled text block
def get_alert_rule_list():
    """Format every rule from get_rules() for display.

    Each entry carries the rule's ``msg`` value, its ``sid`` value and the
    raw rule line, separated by marker lines. Both values are taken with a
    non-greedy match up to the next ``;`` and have their double quotes
    stripped; a rule without the option yields an empty value.
    """
    formatted = []
    for raw_rule in get_rules():
        msg_value = "".join(re.findall('msg:(.+?);', raw_rule)).replace('"', "")
        sid_value = "".join(re.findall('sid:(.+?);', raw_rule)).replace('"', "")
        name_line = f"## 告警名称:{msg_value} ##"
        sid_line = f"## SID:{sid_value} ##"
        formatted.append(
            f"{name_line}\n{sid_line}\n## 规则内容:##\n--------------\n{raw_rule}--------------\n"
        )
    return formatted
# Prompt for a search term and print the matching rule blocks
def display_alert():
    """Read a search term from stdin and print every formatted rule containing it.

    The term is matched as a plain substring against each block produced by
    get_alert_rule_list(), so it can be part of the msg, the SID or any
    other rule text; an empty term therefore matches every rule.
    """
    needle = input("请输入需要告警名称、SID、关键字进行告警规则查询。\n")
    hits = [block for block in get_alert_rule_list() if needle in block]
    print("\n".join(hits))
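# Entry point: ensure the archive is present, extract it, then search it
if __name__ == "__main__":
    # The download happens only when the archive is not cached next to the
    # script; delete emerging.rules.tar.gz to force a refresh. Both branches
    # of the original then did the same extract + search, so that part is
    # shared here.
    if not os.path.exists("emerging.rules.tar.gz"):
        et_rules_download()
    untar_rules_files("emerging.rules.tar.gz")
    display_alert()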
用于制作二进制包的Python代码
import requests
import tarfile
import os
import re
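# Download the ET Open rule archive for a given Suricata version, with progress
def et_rules_download():
    """Download the Emerging Threats Open ruleset to ./emerging.rules.tar.gz.

    Prompts for the Suricata version on stdin, builds the download URL from
    it, streams the archive to disk and reports progress on one line.

    Raises:
        ValueError: if the entered version is not a dotted number; the value
            is interpolated into a URL path, so anything else is rejected
            rather than sent to the server.
        requests.HTTPError: if the server answers with an error status.
            Without this check an HTML error page would be saved under the
            .tar.gz name and only fail later, inside tarfile.open().
        requests.RequestException: on connection failure or timeout.
    """
    version = input("## 请输入Suricata的版本号(例:6.0.8) ##\n").strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unexpected Suricata version string: {version!r}")
    print("## 正在同步ET规则请耐心等待... ##")
    # NOTE(review): the template puts a literal "version" after the number;
    # confirm the path against the ET Open download page before relying on it.
    url = f"https://rules.emergingthreats.net/open/suricata-{version}version/emerging.rules.tar.gz"
    header = {'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"}
    # Bounded connect/read timeouts so a stalled server cannot hang the tool.
    with requests.get(url, headers=header, stream=True, timeout=(10, 60)) as response:
        response.raise_for_status()
        file_size = int(response.headers.get('content-length', 0))
        received = 0
        with open("emerging.rules.tar.gz", "wb") as f:
            for chunk in response.iter_content(64 * 1024):
                f.write(chunk)
                received += len(chunk)
                # A missing/zero Content-Length (chunked transfer) used to
                # divide by zero here; progress is simply not shown then.
                if file_size > 0:
                    print('-- ET规则库同步进度: {:.2%} --'.format(received / file_size), end="\r", flush=True)
    # NOTE(review): the archive is authenticated only by TLS; verifying a
    # publisher-provided checksum before extracting would be stronger.
    print("\n-- 同步ET规则完毕! --")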
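# Extract the rule archive into the current working directory
def untar_rules_files(rules_files):
    """Extract *rules_files* (a tar / tar.gz path) into the current directory.

    Every member path is checked before anything is written: absolute paths
    and ".." components are rejected, so a crafted archive cannot write
    outside the working directory (the classic tarfile path-traversal issue
    that a bare ``extractall()`` is exposed to). On Pythons that ship
    ``tarfile.data_filter`` the built-in "data" filter is applied as well,
    which additionally neutralises links and special files.

    Args:
        rules_files: path to the archive.

    Raises:
        ValueError: if a member path would escape the extraction directory.
        tarfile.TarError: if the file is not a readable tar archive, or the
            data filter rejects a member.
    """
    with tarfile.open(rules_files) as archive:
        for member in archive.getmembers():
            parts = member.name.replace("\\", "/").split("/")
            if os.path.isabs(member.name) or ".." in parts:
                raise ValueError(f"unsafe path in archive: {member.name!r}")
        if hasattr(tarfile, "data_filter"):
            archive.extractall(filter="data")
        else:
            archive.extractall()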
# Collect the names of the rule files under ./rules
def list_rules_files():
    """Return the entries of the ``rules`` directory whose name contains ".rules".

    Only the ``rules`` folder below the current working directory (where the
    archive was extracted) is inspected; the match is a plain substring
    test, and the order is whatever ``os.listdir`` yields.
    """
    def looks_like_rules_file(entry):
        return ".rules" in entry

    return list(filter(looks_like_rules_file, os.listdir("rules")))
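# Read every rules file and keep the lines that mention an alert
def get_rules():
    """Return every line containing "alert" from all files in ./rules.

    Files are decoded as UTF-8 with undecodable bytes replaced, so a stray
    non-ASCII byte in one rule cannot abort the whole scan (the previous
    locale-dependent default would raise UnicodeDecodeError on hosts whose
    default codec is not UTF-8). Lines are returned verbatim, trailing
    newline included. The substring test also keeps commented-out rules
    such as ``#alert ...``.
    """
    rule_list = []
    for rules_name in list_rules_files():
        path = os.path.join("rules", rules_name)
        with open(path, "r", encoding="utf-8", errors="replace") as f1:
            rule_list.extend(line for line in f1 if "alert" in line)
    return rule_list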
# Render each alert rule as a small labelled text block
def get_alert_rule_list():
    """Format every rule from get_rules() for display.

    Each entry carries the rule's ``msg`` value, its ``sid`` value and the
    raw rule line, separated by marker lines. Both values are taken with a
    non-greedy match up to the next ``;`` and have their double quotes
    stripped; a rule without the option yields an empty value.
    """
    def option_value(option, raw_rule):
        return "".join(re.findall(option + ':(.+?);', raw_rule)).replace('"', "")

    formatted = []
    for raw_rule in get_rules():
        name_line = f"## 告警名称:{option_value('msg', raw_rule)} ##"
        sid_line = f"## SID:{option_value('sid', raw_rule)} ##"
        formatted.append(
            f"{name_line}\n{sid_line}\n## 规则内容: ##\n--------------\n{raw_rule}--------------\n"
        )
    return formatted
# Prompt for a search term and print the matching rule blocks
def display_alert():
    """Read a search term from stdin and print every formatted rule containing it.

    The term is matched as a plain substring against each block produced by
    get_alert_rule_list(), so it can be part of the msg, the SID or any
    other rule text; an empty term therefore matches every rule. A result
    banner is printed before the matches.
    """
    needle = input("\n\n-- 请输入需要告警名称、SID、关键字进行告警规则查询 --\n\n")
    hits = [block for block in get_alert_rule_list() if needle in block]
    print("\n-- 查询结果如下 --\n")
    print("\n".join(hits))
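# Entry point: ensure the archive is present and extracted, then loop on queries
if __name__ == "__main__":
    # The download happens only when the archive is not cached next to the
    # script; delete emerging.rules.tar.gz to force a refresh.
    if not os.path.exists("emerging.rules.tar.gz"):
        et_rules_download()
    # Extract once; the original re-extracted the whole archive on every
    # loop iteration, which is pure overhead since the archive does not
    # change while the tool is running.
    untar_rules_files("emerging.rules.tar.gz")
    while True:
        display_alert()
        print("-- 查询完毕 --\n")
        answer = input("-- 继续查询直接回车,按q进行退出 --\n")
        if answer.strip().lower() == "q":
            break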