import csv
import ipaddress
import re
import sys
from datetime import datetime
# Indicator source: https://github.com/AssoEchap/stalkerware-indicators
# (maintained by https://echap.eu.org). This is third-party data; the
# generator below only reads its Type / Indicator / App columns.
ioc_from_echap = 'network.csv'          # input CSV
output_rules_file = 'suricata.rules'    # generated rule file, overwritten on every run

# First SID handed out; 1000000+ is the range conventionally kept for local rules.
sid_start = 1000000
sid = sid_start
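def fang(s):
    """Return *s* with every '.' replaced by '[.]'.

    Used only for the human-readable msg text so the indicator is not
    rendered as a live domain / address in alert output.
    """
    return s.replace('.', '[.]')


# The CSV is fetched from a third-party repository, so every cell is
# untrusted input. Inside a quoted Suricata option the characters ; " \ |
# are rule syntax, so an indicator or app name carrying one of them would
# break -- or rewrite -- the generated rule. Indicators are validated
# against a strict allow-list and app names are scrubbed before either is
# interpolated into a rule.
_DOMAIN_RE = re.compile(r'[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)+')
_MSG_UNSAFE_RE = re.compile(r'[^\x20-\x7e]|[";\\|]')

# Upper end of the 1000000-1999999 range conventionally reserved for local
# rules; the generator refuses to write a SID beyond it.
sid_end = 1999999


def msg_safe(text):
    """Replace characters that would end or escape a Suricata msg string with '_'."""
    return _MSG_UNSAFE_RE.sub('_', text)


def is_safe_domain(indicator):
    """True if *indicator* is a plain dotted hostname made of [A-Za-z0-9_-] labels."""
    return _DOMAIN_RE.fullmatch(indicator) is not None


def is_safe_ipv4(indicator):
    """True if *indicator* parses as an IPv4 address or CIDR block."""
    try:
        ipaddress.IPv4Network(indicator, strict=False)
    except ValueError:
        return False
    return True


def domain_rule(app, indicator, sid):
    """Return the DNS-query alert rule for one domain indicator.

    depth:<len(indicator)> together with endswith pins the match to the whole
    dns.query buffer, so only the exact domain fires, never a subdomain. That
    avoids hits on e.g. 'notexample.com' but drops subdomain coverage --
    presumably intentional; confirm, as the dotprefix transform would be the
    way to cover subdomains. Callers must validate *indicator* first.
    """
    return (
        f'alert dns $HOME_NET any -> any any '
        f'(msg:"PTS STALKERWARE {msg_safe(app)} ({fang(indicator)})"; '
        f'dns.query; content:"{indicator}"; depth:{len(indicator)}; nocase; endswith; fast_pattern; '
        f'reference:url,piroguetoolsuite.github.io/; classtype:targeted-activity; '
        f'sid:{sid}; rev:1;)\n'
    )


def ipv4_rule(app, indicator, sid):
    """Return the IP-layer alert rule for one ipv4 indicator (validate first)."""
    return (
        f'alert ip $HOME_NET any -> [{indicator}] any '
        f'(msg:"PTS STALKERWARE {msg_safe(app)} ({fang(indicator)})"; '
        f'classtype:targeted-activity; sid:{sid}; rev:1;)\n'
    )


def main():
    """Convert the IOC CSV into one Suricata rule per 'domain' / 'ipv4' row.

    The input is opened before the output so a missing CSV does not truncate
    an existing rule file. Rows with an empty or malformed indicator are
    reported on stderr and skipped so one bad cell cannot make Suricata
    reject the whole file. Raises RuntimeError (instead of a post-hoc assert
    that -O strips) before writing a SID above sid_end; rules written so far
    are left in place.
    """
    sid = sid_start
    with open(ioc_from_echap, newline='') as ioc_list, \
            open(output_rules_file, mode='w') as output:
        reader = csv.DictReader(ioc_list)
        for ioc in reader:
            ioc_type = ioc.get('Type')
            if ioc_type == 'domain':
                valid, build = is_safe_domain, domain_rule
            elif ioc_type == 'ipv4':
                valid, build = is_safe_ipv4, ipv4_rule
            else:
                continue
            # A missing cell would otherwise crash fang()/len(); treat as invalid.
            ioc_indicator = ioc.get('Indicator') or ''
            if not valid(ioc_indicator):
                print(f'{ioc_from_echap}:{reader.line_num}: skipping {ioc_type} '
                      f'row, indicator {ioc_indicator!r} is empty or not a safe value',
                      file=sys.stderr)
                continue
            if sid > sid_end:
                raise RuntimeError(f'SID {sid} exceeds the local range end {sid_end}')
            # str() keeps the original rendering of a missing App cell.
            output.write(build(str(ioc.get('App')), ioc_indicator, sid))
            sid += 1


if __name__ == '__main__':
    main()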