From 78c35045711a3c7038f2a6d95db106ad4030b4d9 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Mon, 7 Nov 2022 15:23:20 +0200
Subject: [PATCH 1/3] Fix YAML loading for latest Python versions.
---
 traffic-id.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/traffic-id.py b/traffic-id.py
index 02e86c4..6b91348 100755
--- a/traffic-id.py
+++ b/traffic-id.py
@@ -149,7 +149,7 @@ def generate_rules(args):
 if filename.endswith(".yaml"):
 path = os.path.join(dirpath, filename)
 with open(path) as fileobj:
- config = yaml.load(fileobj)
+ config = yaml.load(fileobj, Loader=yaml.Loader)
 if "labels" in config:
 LABELS.update(config["labels"])
 if "id-map" in config:
From 85c068d6bc370ceb4c30f86e24c2ba27d543fe37 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Mon, 7 Nov 2022 15:23:50 +0200
Subject: [PATCH 2/3] Add "rev" to generated http rules.
It was there for TLS rules, but not for http rules.
---
 traffic-id.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/traffic-id.py b/traffic-id.py
index 6b91348..056253a 100755
--- a/traffic-id.py
+++ b/traffic-id.py
@@ -125,7 +125,7 @@ def print_rules(args, output, config):
 if not args.disable_noalert:
 options.append("noalert")
- options += ["sid:%d" % (SID)]
+ options += ["sid:%d" % (SID), "rev:1"]
 print("alert %s any any -> any any (%s;)" % (
 proto, "; ".join(options)), file=output)
From bda5fada338f1be26090e84fdaa775956000b072 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Mon, 7 Nov 2022 15:24:29 +0200
Subject: [PATCH 3/3] Regen rules.
---
 rules/traffic-id.rules | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/traffic-id.rules b/rules/traffic-id.rules
index 1a942db..5e262ed 100644
--- a/rules/traffic-id.rules
+++ b/rules/traffic-id.rules 
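Review bot: `Loader=yaml.Loader` on the new `+ config = yaml.load(fileobj, Loader=yaml.Loader)` line selects PyYAML's full loader, which constructs arbitrary Python objects from tagged nodes, so this restores the pre-deprecation behaviour rather than tightening it. The hunk only consults `config` for the `labels` and `id-map` mappings, which the safe loader handles identically for plain YAML, so `config = yaml.safe_load(fileobj)` (or `Loader=yaml.SafeLoader`) is the smaller attack surface at no functional cost. An empty YAML file also loads as `None`, which makes the following `"labels" in config` raise TypeError; `config = yaml.safe_load(fileobj) or {}` covers both points in one line. generate_rules begins and ends outside the hunk.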
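Review bot: `"rev:1"` on the new `+ options += ["sid:%d" % (SID), "rev:1"]` line is a hard-coded constant, so a regenerated rule whose content has changed keeps the same revision, and a downstream rule manager that keys on sid/rev would likely treat it as unchanged. This matches what the TLS rules already emit, so it is a consistency fix rather than a regression, but consider sourcing the revision from the per-rule YAML config with 1 as the default so it can be bumped when a rule is edited. While here, the parentheses around `(SID)` in the format operand are redundant and read like an intended tuple: `options += ["sid:%d" % SID, "rev:1"]`. print_rules begins and ends outside the hunk.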
@@ -52,5 +52,5 @@ alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: twitter"; tls_sni; conte
 alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: whatsapp"; tls_sni; content:"whatsapp.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/whatsapp; flowbits:set,traffic/label/im; flowbits:set,traffic/label/file-transfer; noalert; sid:300000029; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: instagram"; tls_sni; content:"instagram.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/instagram; flowbits:set,traffic/label/social-network; noalert; sid:300000030; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: instagram"; tls_sni; content:"cdninstagram.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/instagram; flowbits:set,traffic/label/social-network; noalert; sid:300000031; rev:1;)
-alert http any any -> any any (msg:"SURICATA TRAFFIC-ID: Debian APT-GET"; content:"debian.org"; http_host; content:"Debian APT"; http_user_agent; flow:to_server,established; flowbits:set,traffic/id/debian-apt; flowbits:set,traffic/label/software-update; noalert; sid:300000032;)
-alert http any any -> any any (msg:"SURICATA TRAFFIC-ID: Ubuntu APT-GET"; content:"ubuntu.com"; http_host; content:"Debian APT"; http_user_agent; flow:to_server,established; flowbits:set,traffic/id/ubuntu-apt; flowbits:set,traffic/label/software-update; noalert; sid:300000033;)
+alert http any any -> any any (msg:"SURICATA TRAFFIC-ID: Debian APT-GET"; content:"debian.org"; http_host; content:"Debian APT"; http_user_agent; flow:to_server,established; flowbits:set,traffic/id/debian-apt; flowbits:set,traffic/label/software-update; noalert; sid:300000032; rev:1;)
+alert http any any -> any any (msg:"SURICATA TRAFFIC-ID: Ubuntu APT-GET"; content:"ubuntu.com"; http_host; content:"Debian APT"; http_user_agent; flow:to_server,established; flowbits:set,traffic/id/ubuntu-apt; flowbits:set,traffic/label/software-update; noalert; sid:300000033; rev:1;)