Rulesets

The following rulesets are from the Suricata Ruleset Index. Those that are freely available are indexed here. If you have a ruleset you would like to have added to the index, please submit an issue or pull request.

Abuse.ch -- Abuse.ch Feodo Tracker Botnet C2 IP ruleset [abuse.ch/feodotracker]
Description
The Suricata Botnet C2 IP Ruleset contains botnet C2s tracked by Feodo Tracker and can be used for both Suricata and Snort open source IDS/IPS. If you are running Suricata or Snort, you can use this ruleset to detect and/or block network connections towards hostile servers (IP address:port combination).
Vendor
Abuse.ch
License
CC0-1.0
Abuse.ch -- Abuse.ch SSL Blacklist [abuse.ch/sslbl-blacklist]
Description
The SSL Blacklist (SSLBL) is a project of abuse.ch with the goal of detecting malicious SSL connections by identifying and blacklisting SSL certificates used by botnet C&C servers. In addition, SSLBL identifies JA3 fingerprints that help you detect and block malware botnet C&C communication on the TCP layer.
Vendor
Abuse.ch
License
CC0-1.0
Abuse.ch -- Abuse.ch Suricata Botnet C2 IP Ruleset [abuse.ch/sslbl-c2]
Description
This ruleset contains all botnet Command&Control servers (C&Cs) identified by SSLBL to be associated with a blacklisted SSL certificate.
Vendor
Abuse.ch
License
CC0-1.0
Abuse.ch -- Abuse.ch Suricata JA3 Fingerprint Ruleset [abuse.ch/sslbl-ja3]
Description
If you are running Suricata, you can use the SSLBL's Suricata JA3 fingerprint ruleset to detect and/or block malicious SSL connections in your network based on the JA3 fingerprint. Please note that you need Suricata 4.1.0 or newer in order to use the JA3 fingerprint ruleset.
Vendor
Abuse.ch
License
CC0-1.0
abuse.ch -- Abuse.ch URLhaus Suricata Rules [abuse.ch/urlhaus]
Description
URLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.
Vendor
abuse.ch
License
CC0-1.0
aleksibovellan -- Suricata IDS/IPS Detection Rules Against NMAP Scans [aleksibovellan/nmap]
Description
These detection rules work by looking for specific NMAP packet window sizes, flags, port numbers, and known NMAP timing intervals.
Vendor
aleksibovellan
License
MIT
Etnetera a.s. -- Etnetera aggressive IP blacklist [etnetera/aggressive]
Vendor
Etnetera a.s.
License
MIT
Proofpoint -- Emerging Threats Open Ruleset [et/open]
Description
Proofpoint ET Open is a timely and accurate rule set for detecting and blocking advanced threats.
Vendor
Proofpoint
License
MIT
Proofpoint -- Emerging Threats Pro Ruleset [et/pro]
Description
Proofpoint ET Pro is a timely and accurate rule set for detecting and blocking advanced threats.
Vendor
Proofpoint
License
Commercial
malsilo -- Commodity malware rules [malsilo/win-malware]
Description
TCP/UDP, DNS and HTTP artifacts of Windows threats observed at runtime.
Vendor
malsilo
License
MIT
OISF -- Suricata Traffic ID ruleset [oisf/trafficid]
Vendor
OISF
License
MIT
pawpatrules -- PAW Patrules is a collection of rules for IDPS / NSM Suricata engine [pawpatrules]
Description
The PAW Patrules ruleset permits detection of many events on the network: suspicious flows, malicious tools, unsupported and vulnerable systems, known threat actors with various IOCs, lateral movement, bad practices, shadow IT... Rules are frequently updated.
Vendor
pawpatrules
License
CC-BY-SA-4.0
Positive Technologies -- Positive Technologies Attack Detection Team ruleset [ptresearch/attackdetection]
Description
The Attack Detection Team searches for new vulnerabilities and 0-days, reproduces them and creates PoC exploits to understand how these security flaws work and how related attacks can be detected on the network layer. Additionally, we are interested in malware and hackers' TTPs, so we develop Suricata rules for detecting all sorts of such activities.
Vendor
Positive Technologies
License
Custom
Positive Technologies -- Positive Technologies Open Ruleset [ptrules/open]
Description
PT Rules is an open-source project focused on enhancing network security through proactive threat detection. As the PT Expert Security Center attack detection team, we are a dedicated group of cybersecurity experts committed to improving network security through open-source initiatives.
Vendor
Positive Technologies
License
Custom
Secureworks -- Secureworks suricata-enhanced ruleset [scwx/enhanced]
Description
Broad ruleset composed of malware rules and other security-related countermeasures, and curated by the Secureworks Counter Threat Unit research team. This ruleset has been enhanced with comprehensive and fully standard-compliant BETTER metadata (https://better-schema.readthedocs.io/).
Vendor
Secureworks
License
Commercial
Secureworks -- Secureworks suricata-malware ruleset [scwx/malware]
Description
High-fidelity, high-priority ruleset composed mainly of malware-related countermeasures and curated by the Secureworks Counter Threat Unit research team.
Vendor
Secureworks
License
Commercial
Secureworks -- Secureworks suricata-security ruleset [scwx/security]
Description
Broad ruleset composed of malware rules and other security-related countermeasures, and curated by the Secureworks Counter Threat Unit research team.
Vendor
Secureworks
License
Commercial
Abuse.ch -- Abuse.ch Suricata JA3 Fingerprint Ruleset [sslbl/ja3-fingerprints]
Description
If you are running Suricata, you can use the SSLBL's Suricata JA3 fingerprint ruleset to detect and/or block malicious SSL connections in your network based on the JA3 fingerprint. Please note that you need Suricata 4.1.0 or newer in order to use the JA3 fingerprint ruleset.
Vendor
Abuse.ch
License
CC0-1.0
Abuse.ch -- Abuse.ch SSL Blacklist [sslbl/ssl-fp-blacklist]
Description
The SSL Blacklist (SSLBL) is a project of abuse.ch with the goal of detecting malicious SSL connections by identifying and blacklisting SSL certificates used by botnet C&C servers. In addition, SSLBL identifies JA3 fingerprints that help you detect and block malware botnet C&C communication on the TCP layer.
Vendor
Abuse.ch
License
CC0-1.0
Stamus Networks -- Lateral movement rules [stamus/lateral]
Description
Suricata ruleset by Stamus Networks specifically focused on detecting lateral movement in Microsoft Windows environments.
Vendor
Stamus Networks
License
GPL-3.0-only
Stamus Networks -- Newly Registered Domains Open only - 14 day list, complete [stamus/nrd-14-open]
Description
Newly Registered Domains list (last 14 days) to match on DNS, TLS and HTTP communication. Produced by Stamus Labs research team.
Vendor
Stamus Networks
License
Commercial
Stamus Networks -- Newly Registered Domains Open only - 30 day list, complete [stamus/nrd-30-open]
Description
Newly Registered Domains list (last 30 days) to match on DNS, TLS and HTTP communication. Produced by Stamus Labs research team.
Vendor
Stamus Networks
License
Commercial
Stamus Networks -- Newly Registered Domains Open only - 14 day list, high entropy [stamus/nrd-entropy-14-open]
Description
Suspicious Newly Registered Domains list with high entropy (last 14 days) to match on DNS, TLS and HTTP communication. Produced by Stamus Labs research team.
Vendor
Stamus Networks
License
Commercial
Stamus Networks -- Newly Registered Domains Open only - 30 day list, high entropy [stamus/nrd-entropy-30-open]
Description
Suspicious Newly Registered Domains list with high entropy (last 30 days) to match on DNS, TLS and HTTP communication. Produced by Stamus Labs research team.
Vendor
Stamus Networks
License
Commercial
Stamus Networks -- Newly Registered Domains Open only - 14 day list, phishing [stamus/nrd-phishing-14-open]
Description
Suspicious Newly Registered Domains Phishing list (last 14 days) to match on DNS, TLS and HTTP communication. Produced by Stamus Labs research team.
Vendor
Stamus Networks
License
Commercial
Stamus Networks -- Newly Registered Domains Open only - 30 day list, phishing [stamus/nrd-phishing-30-open]
Description
Suspicious Newly Registered Domains Phishing list (last 30 days) to match on DNS, TLS and HTTP communication. Produced by Stamus Labs research team.
Vendor
Stamus Networks
License
Commercial
tgreen -- Threat hunting rules [tgreen/hunting]
Description
Heuristic ruleset for hunting. Focus on anomaly detection and showcasing latest engine features, not performance.
Vendor
tgreen
License
GPLv3