Other sources to convert/bridge (OWASP)
drzraf opened this issue · 0 comments
drzraf commented
Other free sources from suricata IDS:
- oisf/trafficid https://openinfosecfoundation.org/rules/trafficid/trafficid.rules
- sslbl/ja3-fingerprints https://sslbl.abuse.ch/blacklist/ja3_fingerprints.rules
- et/open https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz
- ptresearch/attackdetection https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz
- sslbl/ssl-fp-blacklist https://sslbl.abuse.ch/blacklist/sslblacklist.rules
- tgreen/hunting https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules
- etnetera/aggressive https://security.etnetera.cz/feeds/etn_aggressive.rules
- https://github.com/seanlinmt/suricata/tree/master/files/rules
- https://urlhaus.abuse.ch/downloads/urlhaus.tar.gz
WAF:
- https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.3/dev/rules / https://www.modsecurity.org/rules.html
The latter contains things like XSS/SQL injection, e.g. `union select`
or `(\|\| || OR || AND) 1==1`
... and many more which are missing from the current list (but fewer CMS-specific rules).
Don't you think that supporting/converting rules from owasp-modsecurity-crs would be a nicer long-term strategy? That way new rules provided there could automatically be used by fail2ban.