Suricata connector added general script for listing all CVE's from Suricata...

Suricata connector added general script for listing all CVE's from Suricata rules files. Just run with argument --path, which leads to Suricata rules folder.

Suricata connector added general script for listing all CVE's from Suricata...
75cc0702 · Pavel Eis · Pavel Kácha · 07e96211 · 75cc0702
Commit 75cc0702 authored 7 years ago by Pavel Eis Committed by Pavel Kácha 2 years ago
--- a/suricata/get_CVE_list.py
+++ b/suricata/get_CVE_list.py
+import re
+import os
+import optparse
+import sys
+def get_args():
+    parser = optparse.OptionParser(
+        usage="usage: %prog path",
+        description="Check all CVE records in Suricata detection rules and save them into CVE_list.txt")
+    parser.add_option(
+        "--path",
+        action="store",
+        help="Path to directory of Suricata detection rules")
+    return parser
+def main():
+    optp = get_args()
+    opts, args = optp.parse_args()
+    if not opts.path:
+        optp.print_help()
+        sys.exit()
+    # suricata data log file
+    files_list = os.listdir(opts.path)
+    # look for pattern: (CVE|cve)(-|,)DDDD-DDDDDDDDDD--->
+    cve_re = re.compile('(?:cve|CVE)[-,]\d{4}-\d+')
+    # look for pattern: sid: XXXXXXXXX--->;
+    sig_id = re.compile('sid:.*?(?=;)')
+    for file in files_list:
+        # if has suffix .rules
+        if ".rules" in file:
+            # path to file
+            file_path = os.path.join(opts.path, file)
+            file_path_cve_list = os.path.join(os.getcwd(), "CVE_list.txt")
+            rule_file = open(file_path, 'r')
+            processed_rules_file = open(file_path_cve_list, 'a')
+            processed_rules_list = []
+            for line in rule_file:
+                # look for lines with cve and signature and concat found results
+                if cve_re.search(line) and sig_id.search(line):
+                    # find all cve's in line
+                    actual_cve_record = cve_re.findall(line)
+                    # convert cve to CVE and replace CVE,XXXX for CVE-XXXX
+                    actual_cve_record = [y.replace("E,", "E-") for y in [x.upper() for x in actual_cve_record]]
+                    # delete duplicity and concatenate
+                    actual_cve_record = ', '.join(set(actual_cve_record))
+                    actual_sig_id = sig_id.search(line).group(0)
+                    record = actual_sig_id.replace("sid", "signature_id") + "    " + actual_cve_record + " -----> " + file
+                    if record not in processed_rules_list:
+                        processed_rules_list.append(record)
+            if processed_rules_list:
+                processed_rules_file.write("\n".join(sorted(processed_rules_list)))
+                processed_rules_file.write("\n")
+            processed_rules_list = []
+if __name__ == "__main__":
+    main()