Skip to content

Instantly share code, notes, and snippets.

@satta
Last active February 8, 2017 13:49
Show Gist options
  • Save satta/e47f7a6f0e44c9898804121e4d8c5f2e to your computer and use it in GitHub Desktop.
Save satta/e47f7a6f0e44c9898804121e4d8c5f2e to your computer and use it in GitHub Desktop.
Script to create 'worst case' rules with long random patterns, to stress Suricata's AC-based MPM engine.
#!/usr/bin/env lua
math.randomseed(os.time())
function string.random(length)
local t = {}
for i = 1,length do
table.insert(t, math.random(97,122))
end
return string.char(unpack(t))
end
function encodedns(s)
out = ""
for i in string.gmatch(s, "%w+") do
out = out .. string.format("|%02x|%s", string.len(i), i)
end
return out .. "|00|"
end
sid = 1000000
for i = 1,50000 do
local domain = string.random(math.random(40,80)) .. ".test"
local dnscontent = encodedns(domain)
print("alert udp $HOME_NET any -> any 53 (msg:\"TEST bad DNS query for "
.. domain .. " (c2-server|01234567-89ab-cdef-1234-567890abcd)\"; "
.. "content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; "
.. "content:\"" .. dnscontent .. "\"; fast_pattern; distance:0; "
.. "nocase; classtype:trojan-activity; gid:1; sid:" .. sid .. "; rev:1;)")
sid = sid + 1
print("alert http $HOME_NET any -> any any (msg:\"TEST bad HTTP request for "
.. domain .. " (c2-server|01234567-89ab-cdef-1234-567890abcd)\"; "
.."content:\"".. domain .. "\"; depth:".. string.len(domain)
.. "; fast_pattern; http_host; classtype:trojan-activity; gid:1; "
.. "sid:" .. sid .. "; rev:1;)")
sid = sid + 1
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment