# This is a version 1 formatted index. version: 1 sources: et/open: summary: Emerging Threats Open Ruleset description: | Proofpoint ET Open is a timely and accurate rule set for detecting and blocking advanced threats vendor: Proofpoint license: MIT url: https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz et/pro: summary: Emerging Threats Pro Ruleset description: | Proofpoint ET Pro is a timely and accurate rule set for detecting and blocking advanced threats vendor: Proofpoint license: Commercial url: https://rules.emergingthreatspro.com/%(secret-code)s/suricata-%(__version__)s/etpro.rules.tar.gz subscribe-url: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset parameters: secret-code: prompt: Emerging Threats Pro access code replaces: - et/open checksum: false oisf/trafficid: summary: Suricata Traffic ID ruleset vendor: OISF license: MIT url: https://openinfosecfoundation.org/rules/trafficid/trafficid.rules support-url: https://redmine.openinfosecfoundation.org/ min-version: 4.0.0 checksum: false ptresearch/attackdetection: summary: Positive Technologies Attack Detection Team ruleset description: | The Attack Detection Team searches for new vulnerabilities and 0-days, reproduces it and creates PoC exploits to understand how these security flaws work and how related attacks can be detected on the network layer. Additionally, we are interested in malware and hackers' TTPs, so we develop Suricata rules for detecting all sorts of such activities. vendor: Positive Technologies license: Custom license-url: https://raw.githubusercontent.com/ptresearch/AttackDetection/master/LICENSE url: https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz obsolete: no longer exists scwx/enhanced: summary: Secureworks suricata-enhanced ruleset description: | Broad ruleset composed of malware rules and other security-related countermeasures, and curated by the Secureworks Counter Threat Unit research team. This ruleset has been enhanced with comprehensive and fully standard-compliant BETTER metadata (https://better-schema.readthedocs.io/). vendor: Secureworks license: Commercial url: https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-enhanced_latest.tgz parameters: secret-code: prompt: Secureworks Threat Intelligence Authentication Token subscribe-url: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) min-version: 3.0.0 scwx/malware: summary: Secureworks suricata-malware ruleset description: | High-fidelity, high-priority ruleset composed mainly of malware-related countermeasures and curated by the Secureworks Counter Threat Unit research team. vendor: Secureworks license: Commercial url: https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-malware_latest.tgz parameters: secret-code: prompt: Secureworks Threat Intelligence Authentication Token subscribe-url: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) min-version: 3.0.0 scwx/security: summary: Secureworks suricata-security ruleset description: | Broad ruleset composed of malware rules and other security-related countermeasures, and curated by the Secureworks Counter Threat Unit research team. vendor: Secureworks license: Commercial url: https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-security_latest.tgz parameters: secret-code: prompt: Secureworks Threat Intelligence Authentication Token subscribe-url: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) min-version: 3.0.0 abuse.ch/sslbl-blacklist: summary: Abuse.ch SSL Blacklist description: | The SSL Blacklist (SSLBL) is a project of abuse.ch with the goal of detecting malicious SSL connections, by identifying and blacklisting SSL certificates used by botnet C&C servers. In addition, SSLBL identifies JA3 fingerprints that helps you to detect & block malware botnet C&C communication on the TCP layer. vendor: Abuse.ch license: CC0-1.0 url: https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.tar.gz checksum: false replaces: sslbl/ssl-fp-blacklist # Deprecated in favor of abuse.ch/sslbl-blacklist. sslbl/ssl-fp-blacklist: summary: Abuse.ch SSL Blacklist description: | The SSL Blacklist (SSLBL) is a project of abuse.ch with the goal of detecting malicious SSL connections, by identifying and blacklisting SSL certificates used by botnet C&C servers. In addition, SSLBL identifies JA3 fingerprints that helps you to detect & block malware botnet C&C communication on the TCP layer. vendor: Abuse.ch license: CC0-1.0 url: https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.tar.gz checksum: false deprecated: Renamed to abuse.ch/sslbl-blacklist abuse.ch/sslbl-ja3: summary: Abuse.ch Suricata JA3 Fingerprint Ruleset description: | If you are running Suricata, you can use the SSLBL's Suricata JA3 fingerprint ruleset to detect and/or block malicious SSL connections in your network based on the JA3 fingerprint. Please note that your need Suricata 4.1.0 or newer in order to use the JA3 fingerprint ruleset. vendor: Abuse.ch license: CC0-1.0 url: https://sslbl.abuse.ch/blacklist/ja3_fingerprints.tar.gz min-version: 4.1.0 checksum: false replaces: sslbl/ja3-fingerprints # Deprecated in favor of abuse.ch/sslbl-ja3 sslbl/ja3-fingerprints: summary: Abuse.ch Suricata JA3 Fingerprint Ruleset description: | If you are running Suricata, you can use the SSLBL's Suricata JA3 fingerprint ruleset to detect and/or block malicious SSL connections in your network based on the JA3 fingerprint. Please note that your need Suricata 4.1.0 or newer in order to use the JA3 fingerprint ruleset. vendor: Abuse.ch license: CC0-1.0 url: https://sslbl.abuse.ch/blacklist/ja3_fingerprints.tar.gz min-version: 4.1.0 checksum: false deprecated: Renamed to abuse.ch/sslbl-ja3 abuse.ch/sslbl-c2: summary: Abuse.ch Suricata Botnet C2 IP Ruleset description: | This ruleset contains all botnet Command&Control servers (C&Cs) identified by SSLBL to be associated with a blacklisted SSL certificate. vendor: Abuse.ch license: CC0-1.0 url: https://sslbl.abuse.ch/blacklist/sslipblacklist.tar.gz checksum: false abuse.ch/feodotracker: summary: Abuse.ch Feodo Tracker Botnet C2 IP ruleset description: | The Suricata Botnet C2 IP Ruleset contains botnet C2s tracked by Feodo Tracker and can be used for both, Suricata and Snort open source IDS/IPS. If you are running Suricata or Snort, you can use this ruleset to detect and/or block network connections towards hostline servers (IP address:port combination). vendor: Abuse.ch license: CC0-1.0 url: https://feodotracker.abuse.ch/downloads/feodotracker.tar.gz checksum: false abuse.ch/urlhaus: summary: Abuse.ch URLhaus Suricata Rules description: | URLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution. vendor: abuse.ch url: https://urlhaus.abuse.ch/downloads/urlhaus_suricata.tar.gz license: CC0-1.0 checksum: false etnetera/aggressive: summary: Etnetera aggressive IP blacklist vendor: Etnetera a.s. license: MIT url: https://security.etnetera.cz/feeds/etn_aggressive.rules min-version: 4.0.0 checksum: false tgreen/hunting: summary: Threat hunting rules description: | Heuristic ruleset for hunting. Focus on anomaly detection and showcasing latest engine features, not performance. vendor: tgreen license: GPLv3 url: https://github.com/travisbgreen/hunting-rules/raw/master/hunting.rules.tar.gz min-version: 4.1.0 checksum: false malsilo/win-malware: summary: Commodity malware rules description: | TCP/UDP, DNS and HTTP Windows threats artifacts observed at runtime. vendor: malsilo license: MIT url: https://malsilo.gitlab.io/feeds/dumps/malsilo.rules.tar.gz min-version: 4.1.0 homepage: https://raw-data.gitlab.io/post/malsilo_2.1/ checksum: true stamus/lateral: summary: Lateral movement rules description: | Suricata ruleset specifically focused on detecting lateral movement in Microsoft Windows environments by Stamus Networks vendor: Stamus Networks min-version: 6.0.6 license: GPL-3.0-only support-url: https://discord.com/channels/911231224448712714/911238451842666546 url: https://ti.stamus-networks.io/open/stamus-lateral-rules.tar.gz stamus/nrd-30-open: summary: Newly Registered Domains Open only - 30 day list, complete description: | Newly Registered Domains list (last 30 days) to match on DNS, TLS and HTTP communication. Produced by Stamus Labs research team. vendor: Stamus Networks license: Commercial url: https://ti.stamus-networks.io/%(secret-code)s/sti-domains-nrd-30.tar.gz parameters: secret-code: prompt: Stamus Networks License code subscribe-url: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed min-version: 6.0.0 stamus/nrd-14-open: summary: Newly Registered Domains Open only - 14 day list, complete description: | Newly Registered Domains list (last 14 days) to match on DNS, TLS and HTTP communication. Produced by Stamus Labs research team. vendor: Stamus Networks license: Commercial url: https://ti.stamus-networks.io/%(secret-code)s/sti-domains-nrd-14.tar.gz parameters: secret-code: prompt: Stamus Networks License code subscribe-url: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed min-version: 6.0.0 stamus/nrd-entropy-30-open: summary: Newly Registered Domains Open only - 30 day list, high entropy description: | Suspicious Newly Registered Domains list with high entropy (last 30 days) to match on DNS, TLS and HTTP communication. Produced by Stamus Labs research team. vendor: Stamus Networks license: Commercial url: https://ti.stamus-networks.io/%(secret-code)s/sti-domains-entropy-30.tar.gz parameters: secret-code: prompt: Stamus Networks License code subscribe-url: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed min-version: 6.0.0 stamus/nrd-entropy-14-open: summary: Newly Registered Domains Open only - 14 day list, high entropy description: | Suspicious Newly Registered Domains list with high entropy (last 14 days) to match on DNS, TLS and HTTP communication. Produced by Stamus Labs research team. vendor: Stamus Networks license: Commercial url: https://ti.stamus-networks.io/%(secret-code)s/sti-domains-entropy-14.tar.gz parameters: secret-code: prompt: Stamus Networks License code subscribe-url: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed min-version: 6.0.0 stamus/nrd-phishing-30-open: summary: Newly Registered Domains Open only - 30 day list, phishing description: | Suspicious Newly Registered Domains Phishing list (last 30 days) to match on DNS, TLS and HTTP communication. Produced by Stamus Labs research team. vendor: Stamus Networks license: Commercial url: https://ti.stamus-networks.io/%(secret-code)s/sti-domains-phishing-30.tar.gz parameters: secret-code: prompt: Stamus Networks License code subscribe-url: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed min-version: 6.0.0 stamus/nrd-phishing-14-open: summary: Newly Registered Domains Open only - 14 day list, phishing description: | Suspicious Newly Registered Domains Phishing list (last 14 days) to match on DNS, TLS and HTTP communication. Produced by Stamus Labs research team. vendor: Stamus Networks license: Commercial url: https://ti.stamus-networks.io/%(secret-code)s/sti-domains-phishing-14.tar.gz parameters: secret-code: prompt: Stamus Networks License code subscribe-url: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed min-version: 6.0.0 pawpatrules: summary: PAW Patrules is a collection of rules for IDPS / NSM Suricata engine description: | PAW Patrules ruleset permit to detect many events on network. Suspicious flow, malicious tool, unsuported and vulnerable system, known threat actors with various IOCs, lateral movement, bad practice, shadow IT... Rules are frequently updated. homepage: https://pawpatrules.fr/ vendor: pawpatrules min-version: 7.0.3 url: https://rules.pawpatrules.fr/suricata/paw-patrules.tar.gz checksum: false license: CC-BY-SA-4.0 versions: suricata: recommended: 7.0.6 "6.0": 6.0.20 "7.0": 7.0.6