Rulesets

The following rulesets are tracked by EveBox Rules. Many originated from the Suricata Ruleset Index. Those that are freely available are indexed here. If you have a ruleset you would like to suggest for inclusion, please contact the EveBox Rules maintainer.

Abuse.ch -- Abuse.ch Feodo Tracker Botnet C2 IP ruleset [abuse.ch/feodotracker]
Description
The Suricata Botnet C2 IP Ruleset contains botnet C2s tracked by Feodo Tracker and can be used for both Suricata and Snort open source IDS/IPS. If you are running Suricata or Snort, you can use this ruleset to detect and/or block network connections towards hostline servers (IP address:port combinations).
Vendor
Abuse.ch
License
CC0-1.0
Abuse.ch -- Abuse.ch SSL Blacklist [abuse.ch/sslbl-blacklist]
Description
The SSL Blacklist (SSLBL) is a project of abuse.ch with the goal of detecting malicious SSL connections by identifying and blacklisting SSL certificates used by botnet C&C servers. In addition, SSLBL identifies JA3 fingerprints that help you detect and block malware botnet C&C communication on the TCP layer.
Vendor
Abuse.ch
License
CC0-1.0
Abuse.ch -- Abuse.ch Suricata JA3 Fingerprint Ruleset [abuse.ch/sslbl-ja3]
Description
If you are running Suricata, you can use the SSLBL's Suricata JA3 fingerprint ruleset to detect and/or block malicious SSL connections in your network based on the JA3 fingerprint. Please note that you need Suricata 4.1.0 or newer in order to use the JA3 fingerprint ruleset.
Vendor
Abuse.ch
License
CC0-1.0
abuse.ch -- Abuse.ch URLhaus Suricata Rules [abuse.ch/urlhaus]
Description
URLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.
Vendor
abuse.ch
License
CC0-1.0
aleksibovellan -- Suricata IDS/IPS Detection Rules Against NMAP Scans [aleksibovellan/nmap]
Description
These detection rules work by looking for specific NMAP packet window sizes, flags, port numbers, and known NMAP timing intervals.
Vendor
aleksibovellan
License
MIT
Etnetera a.s. -- Etnetera aggressive IP blacklist [etnetera/aggressive]
Proofpoint -- Emerging Threats Open Ruleset [et/open]
Description
Proofpoint ET Open is a timely and accurate rule set for detecting and blocking advanced threats.
Vendor
Proofpoint
License
MIT
IPFire -- IPFire DBL [ipfire/dbl]
Description
IPFire DBL is a comprehensive, community-maintained domain blocklist that protects your network from malware, phishing, unwanted content, and emerging threats.
Vendor
IPFire
License
CC-BY-SA-4.0
julioliraup -- Antiphishing for protection against phishing attacks [julioliraup/antiphishing]
Description
This ruleset is built from malicious URLs and domains involved in phishing attacks, using community APIs such as Phishstats and Openphish. It is updated hourly with cumulative SIDs.
Vendor
julioliraup
License
GPL-3.0
OISF -- Suricata Traffic ID ruleset [oisf/trafficid]
pawpatrules -- PAW Patrules is a collection of rules for IDPS / NSM Suricata engine [pawpatrules]
Description
The PAW Patrules ruleset detects many kinds of network events: suspicious flows, malicious tools, unsupported and vulnerable systems, known threat actors with various IOCs, lateral movement, bad practices, shadow IT, and more. Rules are frequently updated.
Vendor
pawpatrules
License
CC-BY-SA-4.0
Positive Technologies -- Positive Technologies Open Ruleset [ptrules/open]
Description
PT Rules is an open-source project focused on enhancing network security through proactive threat detection. As the PT Expert Security Center attack detection team, we are a dedicated group of cybersecurity experts committed to improving network security through open-source initiatives.
Vendor
Positive Technologies
License
Custom
Stamus Networks -- Lateral movement rules [stamus/lateral]
Description
Suricata ruleset by Stamus Networks specifically focused on detecting lateral movement in Microsoft Windows environments.
Vendor
Stamus Networks
License
GPL-3.0-only
tgreen -- Threat hunting rules [tgreen/hunting]
Description
Heuristic ruleset for threat hunting. The focus is on anomaly detection and showcasing the latest engine features, not on performance.
Vendor
tgreen
License
GPLv3