Commit 617d5c7

committed
minor fixes
1 parent 9705730 commit 617d5c7

File tree

2 files changed

+9
-8
lines changed

README.md

+8-7
@@ -1,17 +1,17 @@
11
# bl2ru2
2-
This tool is aimed to be the succesor of bl2ru.
2+
This tool is aimed to be the successor of bl2ru.
33

4-
This tools creates suricate rules for the following IOC types:
4+
This tools creates suricata rules for the following IOC types:
55
- domain: DNS request rule, HTTP request rule and TLS SNI rule
66
- IP: IP rule
7-
- URL: HTTP/URL request rule
7+
- URL: HTTP/URL request rule (not yet fully tested)
88

99
While the original bl2ru performed dns requests to retrieve ip adresses associated with each domain of the domain list given (and thus sometimes duplicating rules), this tool takes another approach and let your TI determine this and only create rules for given input, without trying any enrichment of the data.
1010

1111
To ensure maximum efficiency ofthis tool, your upstream Threat Intelligence should take care of:
12-
- eliminate duplicates
13-
- enrich data correctly
14-
- split data (i.e. split conix.fr/nos-expertises/ssi/ in conix.fr and /nos_expertises/ssi)
12+
- duplicates elimination
13+
- data enrichment
14+
- data splitting (i.e. split conix.fr/nos-expertises/ssi/ in conix.fr and /nos_expertises/ssi)
1515

1616
# Usage
1717
```
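Review bot: several typos survive this README hunk. Line 4 still reads "This tools creates suricata rules" ("This tool creates Suricata rules"), line 9 has "dns requests to retrieve ip adresses" and "let your TI determine" ("addresses", "lets"), and line 11 has "ofthis". On line 14 the illustration is introduced with "i.e." where "e.g." fits, and the split result does not match its input: conix.fr/nos-expertises/ssi/ is shown becoming /nos_expertises/ssi (hyphen vs underscore), which is misleading for a reader checking what "data splitting" is expected to produce. Since this is the user-facing description of the tool's input contract, it is worth fixing these in the same pass.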
@@ -27,14 +27,15 @@ optional arguments:
2727
Output file (default is stdou)
2828
--ssid SSID, -s SSID Starting sid of the generated rules
2929
--emitter EMITTER, -e EMITTER
30-
Emitter of the rules, default: bl2ru2
30+
Emitter of the rules, default: bl2ru2
3131
3232
```
3333
The input file must be a csv-like file (delimiter is a space) containing the following information, 3 rows :
3434
- first row : Threat name
3535
- second row : Link to a reference
3636
- third row : IOC
3737

38+
Like:
3839
```
3940
LuminosityLink http://www.conix.fr 030092056f0368639145711a615d3b7f.co.cc
4041
```
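Review bot: the added "Like:" example is useful, but the sentence it illustrates describes the three fields as "rows" ("3 rows : first row : Threat name ...") while the example shows three space-separated columns on a single line; "columns" or "fields" would match the example. Line 27 in the same hunk still says "default is stdou" ("stdout"). It would also help to spell out the consequence of the space delimiter: a threat name or reference containing a space shifts the IOC into the wrong field, so the README should state that no field may contain spaces. The --emitter help-text change appears to be whitespace-only (alignment), which is fine.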

bl2ru2.py

+1-1
@@ -92,7 +92,7 @@ def gen_uri_rule(name, url, ref, sid):
9292
rule_content = ' content:"?%s=";'%(params[0].split("=")[0])
9393
for param in params[1:]:
9494
# escaping ';'
95-
param = param.replace(';', r'\;')
95+
param = param.replace(';', r'|3b|')
9696
rule_content += ' content:"&%s=";'%(param.split("=")[0])
9797
rule = (URL_BASERULE%(ORG, name, uri, uri, rule_content, ref, sid))
9898
return rule
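Review bot: replacing the "\;" escape with the "|3b|" hex form is valid Suricata content syntax, but the escaping at line 95 only covers params[1:]; the first parameter's key taken at line 92 (`params[0].split("=")[0]`) is interpolated unescaped, so a ";" in that key still terminates the content keyword early and yields a rule Suricata rejects. Now that hex notation is in play, a literal "|", '"' or "\" in any parameter name would also be read as content syntax rather than matched literally. A single helper that escapes all of ";", '"', "\" and "|" (for example as |3b|, |22|, |5c|, |7c|) and is applied to every key, params[0] included, would close both gaps, and the comment `# escaping ';'` could then state which characters are escaped and why.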
