A tool to generate Snort rules or Cisco IDS signatures based on public IP/domain reputation data.
./tepig.pl [ [--file=LOCAL_FILE] | [--url=URL] ] [--csv=FIELD_NUM] [--sid=INITIAL_SID] [--ids=[snort|cisco]] | --help
LOCAL_FILE is a file stored locally that contains a list of malicious domains, IP addresses and/or URLs. If omitted, a URL is assumed to have been provided.

URL is a URL that contains a list of malicious domains, IP addresses or URLs. The default is https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist .

FIELD_NUM is the field number (indexing from 0) that contains the information of interest. If omitted, the file is treated as a simple list with one entry per line.

INITIAL_SID is the SID that will be applied to the first rule. Every subsequent rule increments the SID value by one. The default is 9000000.
./tepig.pl --url=https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist is a plain text file containing a list of known bad IP addresses. At the time of writing, the first entry is 220.127.116.11. The first rule output would be:
alert ip any any <> 220.127.116.11 any (msg:"Traffic to known bad IP (220.127.116.11)"; reference:url,https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist; sid:9000000; rev:0;)
This rule looks for any traffic going to or coming from the bad IP address.
./tepig.pl --url=http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/Storm_2_domain_objects_3-11-2011.txt
http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/Storm_2_domain_objects_3-11-2011.txt is a plain text file containing a list of known bad domain names. At the time of writing, the first entry is .bethira.com. The first rule output would be:
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for .bethira.com"; reference:url,http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/Storm_2_domain_objects_3-11-2011.txt; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|bethira|03|com"; nocase; distance:0; sid:9000000; rev:0;)
This rule looks for any DNS lookup for the bad domain.
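The rule construction shown in the two examples above, written out as an added Python example (not part of tepig.pl itself): it encodes a domain into the length-prefixed DNS question labels, anchors on the header bytes of a standard query, and assigns incrementing SIDs. The feed lines and the `csv_field` handling are constructed to mirror the --csv option; the reference keyword is emitted in Snort's `reference:url,...` form.

```python
import ipaddress
from urllib.parse import urlparse

# Reference URL taken from the README's IP example
ZEUS_IP = "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist"


def dns_labels(domain):
    """Encode a domain as DNS question labels in Snort hex-content form.
    Each label is preceded by its length byte: bethira.com -> |07|bethira|03|com"""
    labels = domain.strip(".").lower().split(".")
    return "".join(f"|{len(label):02x}|{label}" for label in labels)


def ip_rule(ip, source, sid):
    # Bidirectional: traffic to or from the bad address, any protocol
    return (f'alert ip any any <> {ip} any (msg:"Traffic to known bad IP ({ip})"; '
            f'reference:url,{source}; sid:{sid}; rev:0;)')


def dns_rule(domain, source, sid):
    # Bytes 2..11 of the DNS header: flags 0x0100 (standard query, RD set),
    # QDCOUNT=1 and zero answer/authority/additional counts, then the QNAME
    return (f'alert udp any any -> any 53 (msg:"Suspicious DNS lookup for {domain}"; '
            f'reference:url,{source}; content:"|01 00 00 01 00 00 00 00 00 00|"; '
            f'depth:10; offset:2; content:"{dns_labels(domain)}"; nocase; distance:0; '
            f'sid:{sid}; rev:0;)')


def generate_rules(lines, source, initial_sid=9000000, csv_field=None):
    """Turn feed lines (IPs, domains or URLs) into Snort rules with sequential SIDs."""
    rules, sid = [], initial_sid
    for raw in lines:
        entry = raw.strip()
        if not entry or entry.startswith("#"):      # skip blanks and feed comments
            continue
        if csv_field is not None:                   # pick one column, like --csv
            entry = entry.split(",")[csv_field].strip()
        if "://" in entry:                          # URL entries: keep only the host
            entry = urlparse(entry).hostname or entry
        try:
            ipaddress.ip_address(entry)
            rules.append(ip_rule(entry, source, sid))
        except ValueError:
            rules.append(dns_rule(entry, source, sid))
        sid += 1
    return rules


if __name__ == "__main__":
    # Constructed sample feed, not real blocklist content
    for rule in generate_rules(["# constructed feed", "220.127.116.11", ".bethira.com"], ZEUS_IP):
        print(rule)
```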