From patchwork Thu Feb 15 12:58:35 2024
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 7551
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] ruleset-sources: removal of PT Attack & Secureworks + addition of ThreatFox
Date: Thu, 15 Feb 2024 13:58:35 +0100
Message-ID: <20240215125835.7874-1-adolf.belka@ipfire.org>

- The PT Attack ruleset has not been updated since 2021 and was made read-only in 2022. The PT Attack website no longer has any reference to Suricata rulesets. The PT Attack ruleset is being removed.
- The three Secureworks rulesets are no longer available. The website path gives a 404 error. There is no mention of Suricata rulesets on the Secureworks website. The three Secureworks rulesets are being removed.
- The ThreatFox ruleset has been added to the list. Both a plain and an archive version of the rules are available, but the plain version is being regularly updated while the archive version was last updated 5 days ago. So this patch has implemented the plain version.
- All of the above was discussed in the January Developers Conference call.
- Tested out on my vm testbed. I had PT Attack selected as one of the providers. As mentioned by Stefan, removing PT Attack means it is not available in the list of providers, but the provider stays in the providers table with the line shown in red. I will update the wiki to mention the red highlight and what it means.

Suggested-by: Stefan Schantl
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 config/suricata/ruleset-sources | 44 ++++++--------------------------
 1 file changed, 7 insertions(+), 37 deletions(-)

diff --git a/config/suricata/ruleset-sources b/config/suricata/ruleset-sources
index 14d1b865f..2b3b4ffcb 100644
--- a/config/suricata/ruleset-sources
+++ b/config/suricata/ruleset-sources
@@ -97,44 +97,14 @@ our %Providers = ( dl_type => "plain", }, - # Positive Technologies Attack Detection Team rules. - attack_detection => { - summary => "PT Attack Detection Team Rules", - website => "https://github.com/ptresearch/AttackDetection", - tr_string => "attack detection team rules", + # ThreatFox + threatfox => { + summary => "ThreatFox Indicators Of Compromise Rules", + website => "https://threatfox.abuse.ch/", + tr_string => "threatfox rules", requires_subscription => "False", - dl_url => "https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz", - dl_type => "archive", - }, - - # Secureworks Security rules. - secureworks_security => { - summary => "Secureworks Security Ruleset", - website => "https://www.secureworks.com", - tr_string => "secureworks security ruleset", - requires_subscription => "True", - dl_url => "https://ws.secureworks.com/ti/ruleset//Suricata_suricata-security_latest.tgz", - dl_type => "archive", - }, - - # Secureworks Malware rules. - secureworks_malware => { - summary => "Secureworks Malware Ruleset", - website => "https://www.secureworks.com", - tr_string => "secureworks malware ruleset", - requires_subscription => "True", - dl_url => "https://ws.secureworks.com/ti/ruleset//Suricata_suricata-malware_latest.tgz", - dl_type => "archive", - }, - - # Secureworks Enhanced rules. - secureworks_enhanced => { - summary => "Secureworks Enhanced Ruleset", - website => "https://www.secureworks.com", - tr_string => "secureworks enhanced ruleset", - requires_subscription => "True", - dl_url => "https://ws.secureworks.com/ti/ruleset//Suricata_suricata-enhanced_latest.tgz", - dl_type => "archive", + dl_url => "https://threatfox.abuse.ch/downloads/threatfox_suricata.rules", + dl_type => "plain", }, # Travis B. Green hunting rules.
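Review bot: dropping the `attack_detection`, `secureworks_security`, `secureworks_malware` and `secureworks_enhanced` keys from `%Providers` leaves any installation that already has one of them configured pointing at a key that no longer exists; the commit message says the UI then shows that row in red, but nothing in this hunk removes or disables such a provider's previously downloaded rule files, so it is worth confirming that the ruleset update and cleanup paths tolerate a configured provider key with no `%Providers` entry before this lands. On the new entry, the `dl_url` correctly pairs with `dl_type => "plain"` (a single `.rules` file, unlike the `.tar.gz`/`.tgz` archive entries being removed), and `requires_subscription => "False"` is carried over from the unchanged context line, which matches the public ThreatFox download. A minor style point: the `# ThreatFox` comment is terser than the surrounding provider comments (`# Positive Technologies Attack Detection Team rules.`, `# Travis B. Green hunting rules.`); `# ThreatFox Indicators of Compromise rules.` would keep the file consistent.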