a new network detection format (sigma like but for network)
arblade/nyx
Nyx

A new-generation network detection format inspired by Sigma.

You can test the format at nyx.alpinedev.fr

Note

This is ongoing work (not yet alpha); there may be inconsistencies between parts of the project.

Why?

We are dealing with the specific rule languages of different IPS/IDS engines, and we need a common basis that relieves analysts of the burden of knowing all the details of multiple IPS/IDS. A simple format, like Sigma, will allow any analyst to easily craft their own rules, which can then be converted to the IDS/IPS format of their choice. We want this format to be extensible, since network rules can be fine-tuned to be more efficient according to the specifics of each IPS/IDS.

Philosophy

We don't want to be exhaustive or fully compliant with one format or another; our objective is to conceptualize network rules and remove needless complexity for analysts.

We will first focus on the Suricata and Snort formats.

Get Started

Read the format specification

Go to the current issues I am struggling with (see "current thinking")

Want a taste?

I deployed a web app to test the format at nyx.alpinedev.fr.

A small script is also available on PyPI:

pip install pynyx
nyx your_rule.yaml

You can check that the rule validates in Suricata by copying your rule to a file and running:

./scripts/test_alert_suricata.sh ./tests/test.rules # replace here with your file with your suricata alert inside