Fail2Ban.WebExploits

Other sources to convert/bridge (OWASP)

Open drzraf opened this issue 6 years ago • 0 comments

Other free sources from the Suricata IDS:

  • oisf/trafficid https://openinfosecfoundation.org/rules/trafficid/trafficid.rules
  • sslbl/ja3-fingerprints https://sslbl.abuse.ch/blacklist/ja3_fingerprints.rules
  • et/open https://rules.emergingthreats.net/open/suricata-%(version)s/emerging.rules.tar.gz
  • ptresearch/attackdetection https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz
  • sslbl/ssl-fp-blacklist https://sslbl.abuse.ch/blacklist/sslblacklist.rules
  • tgreen/hunting https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules
  • etnetera/aggressive https://security.etnetera.cz/feeds/etn_aggressive.rules
  • https://github.com/seanlinmt/suricata/tree/master/files/rules
  • https://urlhaus.abuse.ch/downloads/urlhaus.tar.gz

WAF:

  • https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.3/dev/rules / https://www.modsecurity.org/rules.html

The latter contains XSS/SQL-injection things like `union select` or `(\|\| || OR || AND) 1==1` ... and many more that are missing from the current list (but fewer CMS-specific rules).

Don't you think that supporting/converting rules from owasp-modsecurity-crs would be a nicer long-term strategy? That way new rules provided there could automatically be used by fail2ban.

drzraf · Apr 14 '20 20:04
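As a sketch of what the bridge proposed above would produce, here is an added example (not code from this issue, from Fail2Ban.WebExploits, or from the OWASP CRS) that turns a few CRS-style SQLi/XSS signatures into fail2ban `failregex` lines and runs them over constructed access-log lines. The signatures, the log lines and the RFC 5737 addresses are all made up here; `HOST_RE` is a stand-in for the address regex fail2ban substitutes for `<HOST>`:

```python
"""Added example: bridging CRS-style web-exploit signatures into fail2ban
failregex lines and checking them against constructed access-log lines.
The signatures are written here in the spirit of the SQLi/XSS patterns
the issue mentions; they are not OWASP CRS rules and not project code."""
import re

# fail2ban replaces <HOST> with its own address regex at load time; this
# stand-in (IPv4 only) lets the generated lines be tested with plain `re`.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# fail2ban matches the raw log line, so whitespace inside a request URI
# shows up literally, as %20, or as '+': every pattern must accept all three.
WS = r"(?:\s|%20|\+)"

# Constructed signatures (not CRS rules), keyed by a short name for reporting.
SIGNATURES = {
    "sqli-union": rf"union{WS}+(?:all{WS}+)?select",
    "sqli-boolean": (
        rf"(?:'|%27)?{WS}*(?:(?<![a-z])(?:or|and)\b|\|\||%7[Cc]%7[Cc])"
        rf"{WS}+\d+{WS}*(?:=|%3[Dd]){WS}*\d+"
    ),
    "xss-script": rf"(?:<|%3[Cc])script(?:{WS}|>|%3[Ee])",
}


def failregex_lines() -> list[str]:
    """One fail2ban failregex per signature: anchor on the client address,
    then require the pattern inside the quoted request line, so the same
    string appearing only in the Referer or User-Agent field is not enough."""
    return [
        rf'^<HOST> -.*"(?:GET|POST|HEAD) [^"]*{sig}' for sig in SIGNATURES.values()
    ]


def render_filter() -> str:
    """Render the signatures as a fail2ban filter file body ([Definition]
    section, continuation lines indented as fail2ban expects)."""
    lines = failregex_lines()
    cont = "".join(f"\n            {line}" for line in lines[1:])
    return f"[Definition]\nfailregex = {lines[0]}{cont}\nignoreregex =\n"


def scan(log_text: str) -> list[tuple[str, str]]:
    """Apply the generated failregex lines to raw log text and return
    (client address, signature name) per matching line. Like fail2ban,
    stop at the first failregex that matches a given line."""
    compiled = [
        (name, re.compile(line.replace("<HOST>", HOST_RE), re.IGNORECASE))
        for name, line in zip(SIGNATURES, failregex_lines())
    ]
    hits = []
    for raw in log_text.splitlines():
        for name, rx in compiled:
            m = rx.search(raw)
            if m:
                hits.append((m.group("host"), name))
                break
    return hits


# Constructed Apache combined-format lines (RFC 5737 documentation addresses).
# The fourth line is a benign URL containing "union-select" and must not match.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2020:20:04:01 +0000] "GET /index.php?id=1%20UNION%20SELECT%20user,password%20FROM%20users HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.9 - - [14/Apr/2020:20:04:02 +0000] "POST /login.php?user=admin'%20OR%201=1-- HTTP/1.1" 200 311 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Apr/2020:20:04:03 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 734 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Apr/2020:20:04:04 +0000] "GET /blog/union-select-committee HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.11 - - [14/Apr/2020:20:04:05 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(render_filter())
    for host, name in scan(SAMPLE_LOG):
        print(f"{host}\t{name}")
```

Two caveats a practitioner would check before shipping such a filter: fail2ban sees the log line exactly as the web server wrote it, so any converter must generate the percent-encoded forms of the CRS pattern as well as the literal ones (the `WS` alternation above only covers the common cases; double encoding and other evasions are not handled, which is why this complements rather than replaces a WAF), and the real `<HOST>` substitution also matches IPv6 addresses and hostnames, so test the rendered file with `fail2ban-regex /var/log/apache2/access.log filter.conf` against real logs rather than trusting the stand-in regex.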