Come Sail the CVEs Part 1: Data Acquisition

Tutorials, Tips & Tricks
, , , ,
1

Come Sail the CVEs Part 1 : Data Acquisition

Today I’m going to teach you how to turn proof of concept exploits, blog posts, and general threat research into Suricata rules, or at least how I do it.

It’s not terribly complex, but sometimes you’re given some sample screen caps on how the traffic looks as a part of a write-up, and its effortless to create detection from that, as the hard work is already done. Then other times, I have to lobotomize proof of concept code to get it to execute, throw the exploit myself, and capture it with tcpdump to get an actionable pcap.

If none of this makes sense, don’t worry. hopefully it will by the time I write all this out.

I’m gonna divide this up into two blog posts – One post will be about reliable data sources that you can dump into an RSS reader and peruse until you find something that interests you. The second part will be an exercise where I’ll pick out some posts I pulled from these RSS feeds, and how we can turn that content into Suricata rules.

Building an RSS feed

Listen, I know what some of you are thinking. Somebody probably told you that RSS is a dead technology. That you shouldn’t rely on it. That you should just deal with newsletters or try to curate social media feeds. As always, they are wrong. RSS is the path of least resistance between you and data. Here’s the title of a post, does it interest me? If yes, click to read, if no, mark as read and move on. Simple.

sail-cves-1
sail-cves-1729×852 41.7 KB

I have an absolute deluge of content to review from private blogs, company threat research blogs, subreddits, etc. Not all of them are strictly for hunting down CVEs and Proof-of-Concept code, some of them are malware reports/write-ups that we can provide coverage for as well.

What RSS Reader Should I use?

Trick question. Use whatever RSS reader platform you like. I settled on inoreader because at first glance it seems fine, however I can’t really give you a glowing review of Inoreader, because the interface is loaded with AI add-ons nobody asked for, and many features that are pay gated. However, it does the job of organizing my feeds, and if you ever decide to leave, the feeds can be exported fairly easily.

With all this outta the way, let’s talk about data sources.

Sources: International CERTs

A CERT is a Computer Emergency Response Team. Across the globe there are CERTs that help protect organizations in various countries. Most of the time, they’re pretty open about cybersecurity threats that are going around – New vulns, malware, etc. Sometimes however, they don’t really provide us actionable data to work with, other times, they provide special reports about malware campaigns, vulnerabilities used, etc. that are invaluable. Here are a few to look at:

  • CISA: https://www.cisa.gov/cybersecurity-advisories/all.xml
  • JP-Cert: https://blogs.jpcert.or.jp/en/atom.xml
  • Cert-PL: https://cert.pl/en/atom.xml
  • Cert-FR: https://www.cert.ssi.gouv.fr/feed/
  • Cert-BE: https://cert.be/en/rss
  • EU-Cert: https://cert.europa.eu/publications/threat-intelligence-rss
  • Cert-UA: https://cert.gov.ua/api/articles/rss

Note: Keep an eye on CISA. They recently claimed they’re dropping their RSS feeds and only going to post to the social media platform, X, only to backpedal from community feedback.

Sources: Subreddits

If you’re unfamiliar with Reddit, its a site that is more or less a newsfeed. They famously consider themselves “The front page of the Internet”. Reddit itself consists of several subforums called “subreddits” that cover various subjects. Subreddits can sometimes have a high noise to signal ratio, but other times may provide insight into things not covered by other RSS feeds. Here are some subreddits that have piqued my interest:

  • /r/netsec
  • /r/blueteamsec
  • /r/cybersecurity

But how do I turn them into rss feeds? Add /.rss to the end of a subreddit’s URI. For example, the RSS feed for /r/blueteamsec would be:

www.reddit.com/r/blueteamsec/.rss

Congratulations, you’ve acquired reddit without having to deal with reddit. Be aware that these RSS feed captures every post to every subreddit you follow. This could result in a lot of signal to noise posts to filter out. Filter/Remove/Add subreddits to your RSS feeds as your tastes dictate.

Sources: General Corporate Blogs

These are blogs from cybersecurity companies. Many of them provide information on a wide variety of content, but we’re mostly interested in:

  • Malware reports
  • Malware reports that possibly cite CVEs
  • Malware reports that cite CVEs and show you actionable data/IOCs
  • Details about the latest CVEs and Exploits (patch diffs, code analysis, proof-of-concept exploits, etc.)

With that in mind, Here is a collection of high quality feeds:

  • watchTowr Labs: https://labs.watchtowr.com/feed
  • Zero Day Initiative: https://www.thezdi.com/blog?format=rss
  • Sucuri: https://blog.sucuri.net/feed
  • Morphisec: https://www.morphisec.com/blog/topic/threat-research/feed/
  • NSFocus: https://nsfocusglobal.com/feed/
  • Huntress: https://www.huntress.com/blog/rss.xml
  • Sophos: https://news.sophos.com/en-us/category/threat-research/feed/
  • ASEC: https://asec.ahnlab.com/en/feed/
  • Sekoia: https://blog.sekoia.io/feed
  • Talos Blog: https://feeds.feedburner.com/feedburner/Talos
  • ESET/WeLiveSecurity: https://www.welivesecurity.com/en/rss/feed/
  • Flashpoint Intel: https://flashpoint.io/blog/author/flashpoint-intel-team/feed/
  • GDATA: https://feeds.feedblitz.com/GDataSecurityBlog-EN&x=1
  • Intel 471: https://intel471.com/blog/feed
  • Fortinet: https://feeds.feedblitz.com/fortinet/blog/threat-research
  • Praetorian: https://www.praetorian.com/feed/
  • Palo Alto/Unit42: https://unit42.paloaltonetworks.com/feed/
  • Sensepost: https://sensepost.com/rss.xml
  • Securelist/Kaspersky: https://securelist.com/feed/
  • Binary Defense Systems: https://www.binarydefense.com/feed/
  • ZScaler: https://www.zscaler.com/blogs/feeds/security-research
  • Checkpoint Research: https://research.checkpoint.com/feed/
  • Eclectic IQ: https://blog.eclecticiq.com/rss.xml
  • Akamai: https://feeds.feedburner.com/akamai/blog
  • BitDefender: https://www.bitdefender.com/nuxt/api/en-us/rss/labs/
  • Checkpoint Research: https://research.checkpoint.com/feed
  • Trend Micro: http://feeds.trendmicro.com/TrendMicroSimplySecurity
  • OTX Bot: https://social.raytec.co/@techbot.rss
  • PhishDestroy Alert: https://mastodon.social/@phishdestroy.rss

Sources: Vuln/Exploit Feeds

I saved the best for last. These are various services that just spray information about vulns, exploits, or malware write-ups:

  • AttackerKB: https://infosec.place/users/attackerkb/feed.atom
  • Brad (Malware Traffic Analysis): https://infosec.exchange/@malware_traffic.rss
  • Naosec: https://nao-sec.org/feed
  • BushidoToken: https://blog.bushidotoken.net/feeds/posts/default
  • Malpedia: https://malpedia.caad.fkie.fraunhofer.de/feeds/rss/latest
  • Doyensec: https://blog.doyensec.com/atom.xml
  • Malware Traffic Analysis (Direct): https://www.malware-traffic-analysis.net/blog-entries.rss
  • Rapid7 Blog: https://blog.rapid7.com/rss/
  • Full Disclosure Mailing List: https://seclists.org/rss/fulldisclosure.rss
  • ExploitDB: https://www.exploit-db.com/rss.xml
  • SANS ISC: https://iscxml.sans.org/rssfeed.xml
  • Talos Vulnerability Report Feed: https://www.talosintelligence.com/vulnerability_reports/feed
  • Project Black: https://projectblack.io/blog/rss/
  • DFIR Report: https://thedfirreport.com/feed/
  • Nuclei Template Releases (github): https://github.com/projectdiscovery/nuclei-templates/releases.atom
  • Shells.systems: https://shells.systems/feed/
  • Summoning Team: https://summoning.team/index.xml
  • Rhino Security Labs: https://rhinosecuritylabs.com/feed/

Note on AttackerKB: There are probably other RSS feeds for Rapid7’s attackerKB project buuut I use a feed that is from a maston bot’s account. Why? because it filters on asessments only. The assessments are what contain actionable information about vulnerabilities/CVEs, and what I’m usually most interested in.

Note on Brad vs. Malware Traffic Analysis: Brad is affiliated with Palo Alto’s Unit42. Sometimes he toots stuff he’s working on for his employer on Mastodon, other time he dumps stuff to his blog. Sometimes these things vary, so I’ve decided to follow both sources.

Mastodon Feeds

While I’m talking about maston accounts in general, fun fact: most mastodon instances and accounts can be “followed” via atom/rss. Notice URI struct above for attackerKB?

https://infosec.place/users/attackerkb/feed.atom

This is a .atom URI that can fed directly to an RSS reader.

Be aware, that some mastodon instances have a different URI structure for their user feeds that look something like this:

https://social.raytec.co/@techbot

This is a bot that monitors Alienvault’s OTX platform for Activity. For instances with URI structs like this, try requesting:

https://social.raytec.co/@techbot.rss

Github feeds

You may have noticed the feed above for nuclei-templates:

https://github.com/projectdiscovery/nuclei-templates/releases.atom

So it’s a little-known fact that github lets you create an atom feed out of the releases page. In some cases, like with nuclei-templates, they release REALLY AWESOME release notes that tells you everything that was recently added, and even includes lists of recently added CVE’s to the nuclei-templates repo.

Do you have a pre-built RSS feed I can just shove into my RSS Reader?

Sure do! I have placed a copy of my XML export from Inoreader over on my github. Inoreader claims that most RSS readers can import this blob of XML, but I have not tested this.

Please be aware that my complete export includes links to a couple of resources that I have not explicitly linked in this blog, but are still very insightful and useful for threat research and detection engineering in general.

Shouts and Greetz

Stu for sharing his feeds with me. Served as an excellent base to start with.

This guy’s blog post on RSS feeds he uses. I didn’t grab all of them, because not all of them were relevant to me. But maybe you care about red team things more than I do. Something something know your enemy.

This github repo. Its a little dated, but it contained many links to many bountiful resources that I had initially overlooked.

Feel free to share

This is a forum designed for feedback and collaboration. Feel free to share any resources I’ve missed or that you use for threat research and detection engineering, or just generally useful/insightful blogs with RSS/Atom feeds.

Part 2 is over here.

Happy Hunting,

-Tony

2 Likes