Convert Pads signature to Bro-NIDS
A few months back Bamm from Sguil included PADS (Passive Asset Detection System) in Sguil to assist in passive network asset discovery. Although this is a great addition to Sguil, PADS is unfortunately no longer maintained by its original author.
Geek00l has written a nice article about converting PADS signatures into Bro-NIDS signatures.
To convert PADS signatures to Bro-NIDS signatures, he uses egrep, awk and sed.
For me that is too much hassle, so I have written a small Perl script to do the same thing.
Here is my first alpha release of a script that converts PADS signatures to Bro signatures:
#!/usr/bin/perl -w
use strict;

# Convert PADS signatures (service,v/Product/Version/Info/,regex) into
# Bro signature blocks, one block per input line, written to stdout.
my ($srv, $ver, $sig);
my %cnt;    # per-service counter, so ids stay unique even if a service
            # appears in several non-adjacent groups of the PADS file
while (<>) {
    # skip empty lines and comment lines
    next if ( /^(?:#|\s*$)/ );
    chomp;
    # split into (service, version, signature); limit to 3 fields because
    # the regex itself may contain commas, e.g. quantifiers such as {1,3}
    ($srv, $ver, $sig) = split(/,/, $_, 3);
    unless (defined $sig) {
        warn "skipping malformed line $.: $_\n";
        next;
    }
    # keep only the product name from the version field "v/Product/Version/Info/"
    $ver =~ s!^v/([^/]*).*$!$1!;
    # build a unique signature id, e.g. www-001, www-002, smtp-001, ...
    my $id = sprintf("%s-%03d", $srv, ++$cnt{$srv});
    # print the Bro signature (header keyword is ip-proto, not ipproto)
    print <<EOL;
signature $id
{
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  event "$ver"
  tcp-state established
  payload /$sig/
}
EOL
}
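The same conversion spelled out step by step, as an added example in Python rather than the post's Perl (this is not the author's script): it splits on the first two commas so a regex containing commas survives, numbers signatures per service with a dictionary, escapes bare "/" so the pattern fits inside Bro's /.../ delimiters, and compiles each pattern with Python's re module as a coarse syntax check. The PADS lines in SAMPLE_PADS are constructed for the example; the Bro variable local_nets is taken from the post's output.

```python
"""Added example: PADS signature lines -> Bro signature blocks.

Not the original post's Perl script. The sample signatures below are
constructed for this example and follow the PADS file layout
service,v/Product/Version/Info/,regex.
"""
import re

# Constructed sample PADS signature file (not a real PADS distribution file).
SAMPLE_PADS = r"""# Service,Version,Signature
www,v/Apache/$1/$2/,Server: Apache\/([\d\.]+) ?\(?([\w\- ]+)?\)?
www,v/nginx/$1//,Server: nginx\/([\d\.]+)
smtp,v/Sendmail/$1//,^220 .* ESMTP Sendmail ([\d\.]{1,3}[\d\.]*)
ssh,v/OpenSSH/$1/$2/,^SSH-[\d\.]+-OpenSSH[_-]([\w\.]+)( ?(.*))?
"""

# Bro signature block; local_nets is the site variable used in the post.
BRO_TEMPLATE = """signature {sid}
{{
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  event "{product}"
  tcp-state established
  payload /{regex}/
}}
"""


def parse_pads_line(line):
    """Return (service, product, regex) or None for blank/comment lines."""
    line = line.rstrip("\r\n")
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    # maxsplit=2: the regex may itself contain commas, e.g. {1,3}
    parts = line.split(",", 2)
    if len(parts) != 3:
        raise ValueError("malformed PADS signature: %r" % line)
    service, version, regex = parts
    # product name is the first field of "v/Product/Version/Info/";
    # the $1/$2 placeholders are PADS capture references and are dropped
    m = re.match(r"v/([^/]*)", version.strip())
    product = m.group(1) if m else version.strip()
    # coarse sanity check only: PADS patterns are PCRE, Bro's dialect differs
    re.compile(regex)
    return service.strip(), product.strip(), regex


def escape_slashes(regex):
    """Escape every '/' that is not already escaped, for Bro's /.../ literal."""
    return re.sub(r"(?<!\\)/", lambda m: "\\/", regex)


def pads_to_bro(text):
    """Convert PADS signature text into a list of Bro signature blocks."""
    counters = {}
    blocks = []
    for line in text.splitlines():
        parsed = parse_pads_line(line)
        if parsed is None:
            continue
        service, product, regex = parsed
        counters[service] = counters.get(service, 0) + 1
        sid = "%s-%03d" % (service, counters[service])
        blocks.append(BRO_TEMPLATE.format(sid=sid, product=product,
                                          regex=escape_slashes(regex)))
    return blocks


if __name__ == "__main__":
    print("".join(pads_to_bro(SAMPLE_PADS)))
```

The re.compile call only catches patterns that are syntactically broken under PCRE-style rules; Bro's signature regex engine is a different dialect, so a pattern that passes here can still be rejected or behave differently once loaded into Bro, and the generated file should be loaded in a test instance before use.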
Well, it is still a first release, but it looks quite alright! Hopefully in the near future this can be included in Sguil to move away from PADS, or maybe to Bro-NIDS altogether.