Given a file containing a list of fully qualified DNS domains, quickburn generates IDS rules which detect those domains (and their subdomains) in DNS queries, the HTTP Host header, or TLS SNI (or all of the above!). quickburn supports Snort, Suricata 4, and Suricata 5, and tries to use the most efficient methods available for each option.
If you publish IOCs independently, it's pretty much a crapshoot whether those IOCs will get picked up and integrated into security products that can protect people. If you generate and submit signatures to Emerging Threats using quickburn, you can contribute useful day-one defenses which are consumed by thousands or millions of networks around the world, such as networks using:
- pfSense and opnSense (if IDS is configured)
- Ubiquiti security gateways
- Synology routers
...and many others. quickburn could also introduce more people to contributing to Emerging Threats.
quickburn is a Python script which uses command line options, and should support any OS.
% git clone https://github.com/tweedge/quickburn
% cd quickburn
% python3 quickburn.py --help
- --input [file_name] - The name of the file containing a list of domains, one domain per line
- --output [folder_name] - The name of the folder to output your IDS rules to
One or more of the below is required:
- --dns - Generate IDS rules to find domains in DNS queries
- --http - Generate IDS rules to find domains in HTTP host headers
- --tls - Generate IDS rules to find domains in TLS SNI fields
- --sid [number] - Optional: The rule ID to start numbering incrementally at (default is 1000000, must be between 1000000-2000000)
- --reason [text] - Optional: A custom reason to include in each rule's message (ex. "ViperSoftX CnC")
- --reference [text] - Optional: A URL to include as a reference in each rule (ex. a research article)
python3 quickburn.py --input sample/sampledns.txt --output test-rules --dns --tls
The above uses the sample domains in sampledns.txt and:
- Creates a folder test-rules
- Creates the files snort.rules, suricata4.rules, and suricata5.rules in the test-rules folder
- Creates rules in each file which detect the domains in sampledns.txt in DNS queries and TLS SNI
The output rules will be sorted by what IDS they support, ex:
foldername/
    snort.rules
    suricata4.rules
    suricata5.rules
Each output file has one rule per line for that IDS. If you're submitting rules to Emerging Threats, submit all of these to save the ET staff time converting rules between each IDS manually.
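As an added example (not quickburn's own code), this is one way such rules can be built: a DNS wire-format encoder feeding a Snort 2.9 payload match, plus Suricata 5 sticky-buffer rules for DNS queries, the HTTP Host header and TLS SNI, with one sid shared by every rendering of the same rule. The rule headers, the pcre guard against lookalike names and the classtype are my choices rather than quickburn's output format, and the domains used in the test are constructed.

```python
# Added example (not quickburn's own code): a minimal generator in the spirit of
# quickburn, emitting Snort 2.9 DNS rules and Suricata 5 sticky-buffer rules.
import re

BUFFERS = {"dns": "dns.query", "http": "http.host", "tls": "tls.sni"}
DESTS = {"dns": "any any", "http": "$EXTERNAL_NET any", "tls": "$EXTERNAL_NET any"}


def dns_wire_content(domain):
    """Encode a name as DNS wire labels in Snort content syntax, e.g.
    example.com -> |07|example|03|com|00|. The length prefixes make this match
    example.com and its subdomains but not a lookalike such as notexample.com."""
    labels = domain.strip(".").lower().split(".")
    return "".join(f"|{len(lab):02x}|{lab}" for lab in labels) + "|00|"


def snort_dns_rule(domain, sid, reason):
    """Snort 2.9 style: standard-query header (flags 0x0100, one question,
    no answers) at offset 2, then the encoded name in the question section."""
    return (f'alert udp $HOME_NET any -> any 53 (msg:"{reason} DNS lookup {domain}"; '
            f'content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; '
            f'content:"{dns_wire_content(domain)}"; nocase; distance:0; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


def suricata5_rule(domain, proto, sid, reason, reference=None):
    """Suricata 5 style: one match on the protocol's sticky buffer. endswith
    covers the domain and its subdomains; the pcre guard (my addition) rejects
    names that merely end in the same characters, again notexample.com."""
    ref = f"reference:url,{reference}; " if reference else ""
    return (f'alert {proto} $HOME_NET any -> {DESTS[proto]} '
            f'(msg:"{reason} {proto.upper()} {domain}"; {BUFFERS[proto]}; '
            f'content:"{domain}"; nocase; endswith; '
            f'pcre:"/(?:^|\\.){re.escape(domain)}$/i"; '
            f'{ref}classtype:trojan-activity; sid:{sid}; rev:1;)')


def generate(domains, protos, sid_start=1000000, reason="Suspicious domain", reference=None):
    """Return {"snort": [...], "suricata5": [...]}. Each (domain, proto) pair
    gets one sid shared by both renderings, so a rule keeps the same ID in
    every output file. Snort output is shown for DNS only in this example."""
    if not 1000000 <= sid_start <= 2000000:
        raise ValueError("sid must be between 1000000 and 2000000")
    out, sid = {"snort": [], "suricata5": []}, sid_start
    for domain in (d.strip().lower() for d in domains if d.strip()):
        for proto in protos:
            out["suricata5"].append(suricata5_rule(domain, proto, sid, reason, reference))
            if proto == "dns":
                out["snort"].append(snort_dns_rule(domain, sid, reason))
            sid += 1
    return out
```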
This project is based on dns2snort, which is originally by da667 (with contributions from @botnet_hunter and @3XPlo1T2).
- Please note that none of the sample domains in sample/ are malicious. They are samples for testing only.
- Several changes have been made from da667's dns2snort script. quickburn is not backwards compatible.