Just added this to my fw_upgrade sh batch file in the update rules section:
curl -k -1 -m 40 -o /tmp/ramdisk/abuse-sslbl.rules https://sslbl.abuse.ch/blacklist/sslipblacklist.rules

Info from their website (https://sslbl.abuse.ch): SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of "bad" SSL certificates identified by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists that can be found in the SSL Blacklist section.

After adding, I ran fw_upgrade and everything worked as expected and finished without error messages.
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode
Nice find, added and now problems found.
Roadrunnere42
Administrator
Just added to my ruleset, thank you!
Running the latest OpenWrt stable release
Administrator
Just noticed at https://sslbl.abuse.ch/blacklist/ that it mentions that the Dyre C&C botnet is a separate list so add this one too:
curl -k -1 -m 40 -o /tmp/ramdisk/abuse-dyre.rules https://sslbl.abuse.ch/blacklist/dyre_sslipblacklist.rules

Note that depending on which version of the update script you are on, change tmp to mnt.
Running the latest OpenWrt stable release
Thank you! Updated!
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode
Guys,
Any chance you could give a brief how-to to apply these updates? Just a little bit more detail would be great. Thanks in advance.
Running v2 Firmware
How to change which snort rules to use.
In the folder sbin you will see the fw_upgrade script, which every night goes and downloads and upgrades with the latest snort rules and web filter rules. Use either WinSCP or the command prompt in Linux, whichever you prefer, to open and edit files. Open the file fw_upgrade (sbin/fw_upgrade) and scroll down till you see the following. As you can see, if a line begins with # this means that it is commented out and the line is ignored when run. Each line that begins with curl is a snort rule set; the first 16 lines are the original sets that Itus had set up. Below these lines are a few comments explaining what the new rule suggested by wisiwyg does, and then the new rule set:

curl -k -1 -m 40 -o /tmp/ramdisk/abuse-sslbl.rules https://sslbl.abuse.ch/blacklist/sslipblacklist.rules

Just copy and paste it into the file as I have below, save the file, then run fw_upgrade either on the command line (sh /sbin/fw_upgrade) or via the GUI (status --> itus setting --> upgrade shield). If you want to disable a rule set, just put a # at the beginning of the line. As for the rule set

# curl -k -1 -m 40 -o /tmp/ramdisk/emerging-trojan.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-trojan.rules

if you decide to uncomment it so that it becomes active, then you have to modify the snort conf files, because the number of rules contained in that set will crash snort.

echo "Starting SNORT rule download..."
curl -k -1 -m 40 -o /tmp/ramdisk/botcc.portgrouped.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-botcc.portgrouped.rules
curl -k -1 -m 40 -o /tmp/ramdisk/botcc.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-botcc.rules
curl -k -1 -m 40 -o /tmp/ramdisk/ciarmy.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-ciarmy.rules
curl -k -1 -m 40 -o /tmp/ramdisk/compromised.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-compromised.rules
curl -k -1 -m 40 -o /tmp/ramdisk/dshield.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-dshield.rules
curl -k -1 -m 40 -o /tmp/ramdisk/emerging-exploit.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-exploit.rules
curl -k -1 -m 40 -o /tmp/ramdisk/emerging-malware.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-malware.rules
curl -k -1 -m 40 -o /tmp/ramdisk/emerging-mobile_malware.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-mobile_malware.rules
curl -k -1 -m 40 -o /tmp/ramdisk/emerging-user_agents.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-user_agents.rules
curl -k -1 -m 40 -o /tmp/ramdisk/emerging-web_client.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-web_client.rules
curl -k -1 -m 40 -o /tmp/ramdisk/emerging-worm.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-worm.rules
curl -k -1 -m 40 -o /tmp/ramdisk/emerging-current_events.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-current_events.rules
# curl -k -1 -m 40 -o /tmp/ramdisk/emerging-trojan.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-trojan.rules
# curl -k -1 -m 40 -o /tmp/ramdisk/drop.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-drop.rules
# curl -k -1 -m 40 -o /tmp/ramdisk/emerging-web_specific_apps.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-web_specific_apps.rules
# curl -k -1 -m 40 -o /tmp/ramdisk/emerging-scan.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-scan.rules
# new rule site as suggested: SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of "bad" SSL certificates identified
# by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates
# and offers various blacklists that can be found in the SSL Blacklist section.
curl -k -1 -m 40 -o /tmp/ramdisk/abuse-sslbl.rules https://sslbl.abuse.ch/blacklist/sslipblacklist.rules
echo " "
echo "Working on snort rules, please wait... may take up to a minute"

Hope this helps
Roadrunnere42
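The curl lines above write straight to the file snort loads, so a timed-out download (-m 40) or an error page can leave an empty or non-rules file in place. The following is an added example, not the Itus fw_upgrade script or any code from this thread: it stages each download, checks that the result looks like a Snort rules file, and only then replaces the live copy. It assumes a POSIX sh with curl, grep and mktemp, and that a CA bundle is installed so the -k flag can be dropped; RULES_DIR, validate_rules_file and fetch_rules are names chosen here.

```shell
#!/bin/sh
# Added example, not the Itus fw_upgrade script: stage each rules download,
# validate it, and only replace the live file when the download is usable.
# Assumes POSIX sh with curl, grep and mktemp (present on Chaos Calmer).

RULES_DIR="${RULES_DIR:-/tmp/ramdisk}"   # use /mnt/... on script versions that use mnt

# Return 0 when the file looks like a Snort rules file: non-empty, with at
# least one rule action line, and not an HTML error page (what a timed-out
# or blocked download tends to leave behind for snort to choke on).
validate_rules_file() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -Eq '^[[:space:]]*(alert|drop|pass|log|reject|sdrop)[[:space:]]' "$f" || return 1
    if grep -Eiq '^[[:space:]]*<(!DOCTYPE|html)' "$f"; then return 1; fi
    return 0
}

# fetch_rules NAME URL: same 40s ceiling (-m 40) and TLS flag (-1) as the
# forum commands, but without -k so the server certificate is verified
# (assumes a CA bundle on the device, which is likely why -k was used).
# The final rename is atomic, so snort never reads a half-written file.
fetch_rules() {
    name="$1"; url="$2"; dest="$RULES_DIR/$name"
    tmp="$(mktemp "$dest.XXXXXX")" || return 1
    if curl -sS -1 -m 40 -o "$tmp" "$url" && validate_rules_file "$tmp"; then
        mv -f "$tmp" "$dest" && echo "updated $name"
    else
        rm -f "$tmp"
        echo "kept previous $name: download failed or file rejected" >&2
        return 1
    fi
}

# Stand-alone demo on constructed files (no network): a rules file is
# accepted, an empty file and an HTML error page are rejected.
demo() {
    d="$(mktemp -d)"
    printf '# constructed sample\nalert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"sample"; sid:9000001; rev:1;)\n' > "$d/good.rules"
    : > "$d/empty.rules"
    printf '<html><body>403 Forbidden</body></html>\n' > "$d/blocked.rules"
    validate_rules_file "$d/good.rules" && echo "good.rules: accepted"
    validate_rules_file "$d/empty.rules" || echo "empty.rules: rejected"
    validate_rules_file "$d/blocked.rules" || echo "blocked.rules: rejected"
    rm -rf "$d"
}
demo
```

In fw_upgrade the existing curl lines would become calls such as `fetch_rules abuse-sslbl.rules https://sslbl.abuse.ch/blacklist/sslipblacklist.rules`, so a failed fetch keeps yesterday's rules instead of an empty file.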