Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/regit/luaevilbit

A lua implementation of RFC 3514 for suricata
https://github.com/regit/luaevilbit

Last synced: 9 days ago
JSON representation

A lua implementation of RFC 3514 for suricata

Host: GitHub
URL: https://github.com/regit/luaevilbit
Owner: regit
Created: 2012-11-22T12:47:22.000Z (almost 12 years ago)
Default Branch: master
Last Pushed: 2012-11-22T14:06:00.000Z (almost 12 years ago)
Last Synced: 2024-08-02T07:12:14.520Z (3 months ago)
Language: Lua
Size: 95.7 KB
Stars: 2
Watchers: 4
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.rst

Awesome Lists containing this project

awesome-suricata - luaevilbit - An Evil bit implementation in luajit for Suricata. (Rule/Security Content Management and Handling)

README

        =================================================

An Evil bit implementation in luajit for Suricata

=================================================

What's is this

==============

This is an implementation of RFC 3514 for Suricata written by

`Guillaume Prigent `_ and available in public

domain.

Description

===========

The `RFC 3514 `_ has been published 1 April 2003 and

define a security flag in the IPv4 header as a means of distinguishing good packets

from evil packets.

Implementation details are provided for IDS ::

 Because of their known propensity for false negatives and

 false positives, IDSs MUST apply a probabilistic correction

 factor when evaluating the evil bit.

To implement this in Suricata, we need to have access to random number. This is not

provided by classic rules, so a good way to do so is to create a luajit signature.

Testing

=======

To be able to use luajit signatures, you need to use at least suricata 1.4-beta2. And you

must build it with luajit enabled. For that you need to have luajit on your system.

On debian and ubuntu, you can install libluajit-5.1-dev ::

 sudo aptitude install libluajit-5.1-dev

Once this is done, you can build Suricata ::

 $ ./configure --enable-luajit

 $ make

 $ make install

 $ make install-full # install configuration and download rules

Enter into luaevilbit directory and copy evilflag.lua to rules directory ::

 $ sudo cp evilflag.lua /usr/local/etc/suricata/rules/

You can then run ::

 $ sudo suricata -i eth0 -S evilflag.rules

In another terminal #1 ::

  $ sudo tail -F /usr/local/var/log/suricata/fast.log 

In another terminal #2 (replace ip address 192.168.10.230 by what you want) ::

  

  $ sudo icmp_evil_flag.py 192.168.10.230

In the terminal #1 here you see ::

  10/20/2012-18:39:44.820424  [**] [1:2:0] LUAJIT Evil Flag [**] [Classification: (null)] [Priority: 3] {ICMP} 0.0.0.0:8 -> 192.168.10.230:0