forked from OISF/suricata-intel-index
index.yaml
# This is a version 1 formatted index.
# Placeholders in "url" values use Python %-formatting: %(__version__)s is
# replaced with the running Suricata version and %(secret-code)s with the
# value the user supplies for the matching entry under "parameters".
version: 1
sources:
  et/open:
    summary: Emerging Threats Open Ruleset
    description: |
      Proofpoint ET Open is a timely and accurate rule set for detecting and blocking advanced threats
    vendor: Proofpoint
    license: MIT
    url: https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz
  et/pro:
    summary: Emerging Threats Pro Ruleset
    description: |
      Proofpoint ET Pro is a timely and accurate rule set for detecting and blocking advanced threats
    vendor: Proofpoint
    license: Commercial
    url: https://rules.emergingthreatspro.com/%(secret-code)s/suricata-%(__version__)s/etpro.rules.tar.gz
    subscribe-url: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
    parameters:
      secret-code:
        prompt: Emerging Threats Pro access code
    # Enabling et/pro supersedes et/open; both should not be loaded together.
    replaces:
      - et/open
    checksum: false
  oisf/trafficid:
    summary: Suricata Traffic ID ruleset
    vendor: OISF
    license: MIT
    url: https://openinfosecfoundation.org/rules/trafficid/trafficid.rules
    support-url: https://redmine.openinfosecfoundation.org/
    min-version: 4.0.0
    checksum: false
  ptresearch/attackdetection:
    summary: Positive Technologies Attack Detection Team ruleset
    description: |
      The Attack Detection Team searches for new vulnerabilities and 0-days, reproduces them and creates PoC exploits to understand how these security flaws work and how related attacks can be detected on the network layer. Additionally, we are interested in malware and hackers' TTPs, so we develop Suricata rules for detecting all sorts of such activities.
    vendor: Positive Technologies
    license: Custom
    license-url: https://raw.githubusercontent.com/ptresearch/AttackDetection/master/LICENSE
    url: https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz
    obsolete: no longer exists
  scwx/enhanced:
    summary: Secureworks suricata-enhanced ruleset
    description: |
      Broad ruleset composed of malware rules and other security-related countermeasures, and curated by the Secureworks Counter Threat Unit research team. This ruleset has been enhanced with comprehensive and fully standard-compliant BETTER metadata (https://better-schema.readthedocs.io/).
    vendor: Secureworks
    license: Commercial
    url: https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-enhanced_latest.tgz
    parameters:
      secret-code:
        prompt: Secureworks Threat Intelligence Authentication Token
    subscribe-url: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
    min-version: 3.0.0
  scwx/malware:
    summary: Secureworks suricata-malware ruleset
    description: |
      High-fidelity, high-priority ruleset composed mainly of malware-related countermeasures and curated by the Secureworks Counter Threat Unit research team.
    vendor: Secureworks
    license: Commercial
    url: https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-malware_latest.tgz
    parameters:
      secret-code:
        prompt: Secureworks Threat Intelligence Authentication Token
    subscribe-url: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
    min-version: 3.0.0
  scwx/security:
    summary: Secureworks suricata-security ruleset
    description: |
      Broad ruleset composed of malware rules and other security-related countermeasures, and curated by the Secureworks Counter Threat Unit research team.
    vendor: Secureworks
    license: Commercial
    url: https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-security_latest.tgz
    parameters:
      secret-code:
        prompt: Secureworks Threat Intelligence Authentication Token
    subscribe-url: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
    min-version: 3.0.0
  sslbl/ssl-fp-blacklist:
    summary: Abuse.ch SSL Blacklist
    description: |
      The SSL Blacklist (SSLBL) is a project of abuse.ch with the goal of detecting malicious SSL connections, by identifying and blacklisting SSL certificates used by botnet C&C servers. In addition, SSLBL identifies JA3 fingerprints that help you to detect & block malware botnet C&C communication on the TCP layer.
    vendor: Abuse.ch
    license: Non-Commercial
    url: https://sslbl.abuse.ch/blacklist/sslblacklist.rules
    checksum: false
  sslbl/ja3-fingerprints:
    summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
    description: |
      If you are running Suricata, you can use the SSLBL's Suricata JA3 Fingerprint Ruleset to detect and/or block malicious SSL connections in your network based on the JA3 fingerprint. Please note that you need Suricata 4.1.0 or newer in order to use the JA3 fingerprint ruleset.
    vendor: Abuse.ch
    license: Non-Commercial
    url: https://sslbl.abuse.ch/blacklist/ja3_fingerprints.rules
    min-version: 4.1.0
    checksum: false
  etnetera/aggressive:
    summary: Etnetera aggressive IP blacklist
    vendor: Etnetera a.s.
    license: MIT
    url: https://security.etnetera.cz/feeds/etn_aggressive.rules
    min-version: 4.0.0
    checksum: false
  tgreen/hunting:
    summary: Threat hunting rules
    description: |
      Heuristic ruleset for hunting. Focus on anomaly detection and showcasing latest engine features, not performance.
    vendor: tgreen
    license: GPLv3
    url: https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules
    min-version: 4.1.0
    checksum: false
  malsilo/win-malware:
    summary: Commodity malware rules
    description: |
      TCP/UDP, DNS and HTTP Windows threat artifacts observed at runtime.
    vendor: malsilo
    license: MIT
    url: https://malsilo.gitlab.io/feeds/dumps/malsilo.rules.tar.gz
    min-version: 4.1.0
    homepage: https://raw-data.gitlab.io/post/malsilo_2.1/
    checksum: true
  stamus/lateral:
    summary: Lateral movement rules
    description: |
      Suricata ruleset specifically focused on detecting lateral
      movement in Microsoft Windows environments by Stamus Networks
    vendor: Stamus Networks
    min-version: 6.0.6
    license: GPL-3.0-only
    support-url: https://discord.com/channels/911231224448712714/911238451842666546
    url: https://ti.stamus-networks.io/open/stamus-lateral-rules.tar.gz
# Suricata release versions known to this index: the recommended release and
# the latest patch release of each supported branch.
versions:
  suricata:
    recommended: 7.0.1
    "6.0": 6.0.14
    "7.0": 7.0.1