index.yaml

# This is a version 1 formatted index.
version: 1

sources:

  et/open:
    summary: Emerging Threats Open Ruleset
    description: |
      Proofpoint ET Open is a timely and accurate rule set for detecting and blocking advanced threats
    vendor: Proofpoint
    license: MIT
    url: https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz

  et/pro:
    summary: Emerging Threats Pro Ruleset
    description: |
      Proofpoint ET Pro is a timely and accurate rule set for detecting and blocking advanced threats
    vendor: Proofpoint
    license: Commercial
    url: https://rules.emergingthreatspro.com/%(secret-code)s/suricata-%(__version__)s/etpro.rules.tar.gz
    subscribe-url: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
    parameters:
      secret-code:
        prompt: Emerging Threats Pro access code
    replaces:
      - et/open
    checksum: false

  oisf/trafficid:
    summary: Suricata Traffic ID ruleset
    vendor: OISF
    license: MIT
    url: https://openinfosecfoundation.org/rules/trafficid/trafficid.rules
    support-url: https://redmine.openinfosecfoundation.org/
    min-version: 4.0.0
    checksum: false

  ptresearch/attackdetection:
    summary: Positive Technologies Attack Detection Team ruleset
    description: |
      The Attack Detection Team searches for new vulnerabilities and 0-days, reproduces it and creates PoC exploits to understand how these security flaws work and how related attacks can be detected on the network layer. Additionally, we are interested in malware and hackers' TTPs, so we develop Suricata rules for detecting all sorts of such activities.
    vendor: Positive Technologies
    license: Custom
    license-url: https://raw.githubusercontent.com/ptresearch/AttackDetection/master/LICENSE
    url: https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz
    obsolete: no longer exists

  scwx/enhanced:
    summary: Secureworks suricata-enhanced ruleset
    description: |
      Broad ruleset composed of malware rules and other security-related countermeasures, and curated by the Secureworks Counter Threat Unit research team.  This ruleset has been enhanced with comprehensive and fully standard-compliant BETTER metadata (https://better-schema.readthedocs.io/).
    vendor: Secureworks
    license: Commercial
    url: https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-enhanced_latest.tgz
    parameters:
      secret-code:
        prompt: Secureworks Threat Intelligence Authentication Token
    subscribe-url: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
    min-version: 3.0.0

  scwx/malware:
    summary: Secureworks suricata-malware ruleset
    description: |
      High-fidelity, high-priority ruleset composed mainly of malware-related countermeasures and curated by the Secureworks Counter Threat Unit research team.
    vendor: Secureworks
    license: Commercial
    url: https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-malware_latest.tgz
    parameters:
      secret-code:
        prompt: Secureworks Threat Intelligence Authentication Token
    subscribe-url: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
    min-version: 3.0.0

  scwx/security:
    summary: Secureworks suricata-security ruleset
    description: |
      Broad ruleset composed of malware rules and other security-related countermeasures, and curated by the Secureworks Counter Threat Unit research team.
    vendor: Secureworks
    license: Commercial
    url: https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-security_latest.tgz
    parameters:
      secret-code:
        prompt: Secureworks Threat Intelligence Authentication Token
    subscribe-url: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
    min-version: 3.0.0

  abuse.ch/sslbl-blacklist:
    summary: Abuse.ch SSL Blacklist
    description: |
      The SSL Blacklist (SSLBL) is a project of abuse.ch with the goal
      of detecting malicious SSL connections, by identifying and
      blacklisting SSL certificates used by botnet C&C servers. In
      addition, SSLBL identifies JA3 fingerprints that helps you to
      detect & block malware botnet C&C communication on the TCP
      layer.
    vendor: Abuse.ch
    license: CC0-1.0
    url: https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.tar.gz
    checksum: false
    replaces:
      - sslbl/ssl-fp-blacklist

  # Deprecated in favor of abuse.ch/sslbl-blacklist.
  sslbl/ssl-fp-blacklist:
    summary: Abuse.ch SSL Blacklist
    description: |
      The SSL Blacklist (SSLBL) is a project of abuse.ch with the goal
      of detecting malicious SSL connections, by identifying and
      blacklisting SSL certificates used by botnet C&C servers. In
      addition, SSLBL identifies JA3 fingerprints that helps you to
      detect & block malware botnet C&C communication on the TCP
      layer.
    vendor: Abuse.ch
    license: CC0-1.0
    url: https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.tar.gz
    checksum: false
    deprecated: Renamed to abuse.ch/sslbl-blacklist

  abuse.ch/sslbl-ja3:
    summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
    description: |
      If you are running Suricata, you can use the SSLBL's Suricata
      JA3 fingerprint ruleset to detect and/or block malicious SSL
      connections in your network based on the JA3 fingerprint. Please
      note that your need Suricata 4.1.0 or newer in order to use the
      JA3 fingerprint ruleset.
    vendor: Abuse.ch
    license: CC0-1.0
    url: https://sslbl.abuse.ch/blacklist/ja3_fingerprints.tar.gz
    min-version: 4.1.0
    checksum: false
    replaces:
      - sslbl/ja3-fingerprints

  # Deprecated in favor of abuse.ch/sslbl-ja3
  sslbl/ja3-fingerprints:
    summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
    description: |
      If you are running Suricata, you can use the SSLBL's Suricata
      JA3 fingerprint ruleset to detect and/or block malicious SSL
      connections in your network based on the JA3 fingerprint. Please
      note that your need Suricata 4.1.0 or newer in order to use the
      JA3 fingerprint ruleset.
    vendor: Abuse.ch
    license: CC0-1.0
    url: https://sslbl.abuse.ch/blacklist/ja3_fingerprints.tar.gz
    min-version: 4.1.0
    checksum: false
    deprecated: Renamed to abuse.ch/sslbl-ja3

  abuse.ch/sslbl-c2:
    summary: Abuse.ch Suricata Botnet C2 IP Ruleset
    description: |
      This ruleset contains all botnet Command&Control servers (C&Cs)
      identified by SSLBL to be associated with a blacklisted SSL
      certificate.
    vendor: Abuse.ch
    license: CC0-1.0
    url: https://sslbl.abuse.ch/blacklist/sslipblacklist.tar.gz
    checksum: false

  abuse.ch/feodotracker:
    summary: Abuse.ch Feodo Tracker Botnet C2 IP ruleset
    description: |
      The Suricata Botnet C2 IP Ruleset contains botnet C2s tracked by
      Feodo Tracker and can be used for both, Suricata and Snort open
      source IDS/IPS. If you are running Suricata or Snort, you can
      use this ruleset to detect and/or block network connections
      towards hostline servers (IP address:port combination).
    vendor: Abuse.ch
    license: CC0-1.0
    url: https://feodotracker.abuse.ch/downloads/feodotracker.tar.gz
    checksum: false

  abuse.ch/urlhaus:
    summary: Abuse.ch URLhaus Suricata Rules
    description: |
      URLhaus is a project from abuse.ch with the goal of sharing
      malicious URLs that are being used for malware distribution.
    vendor: abuse.ch
    url: https://urlhaus.abuse.ch/downloads/urlhaus_suricata.tar.gz
    license: CC0-1.0
    checksum: false

  etnetera/aggressive:
    summary: Etnetera aggressive IP blacklist
    vendor: Etnetera a.s.
    license: MIT
    url: https://security.etnetera.cz/feeds/etn_aggressive.rules
    min-version: 4.0.0
    checksum: false

  tgreen/hunting:
    summary: Threat hunting rules
    description: |
      Heuristic ruleset for hunting. Focus on anomaly detection and showcasing latest engine features, not performance.
    vendor: tgreen
    license: GPLv3
    url: https://github.com/travisbgreen/hunting-rules/raw/master/hunting.rules.tar.gz
    min-version: 4.1.0
    checksum: false

  malsilo/win-malware:
    summary: Commodity malware rules
    description: |
      TCP/UDP, DNS and HTTP Windows threats artifacts observed at runtime.
    vendor: malsilo
    license: MIT
    url: https://malsilo.gitlab.io/feeds/dumps/malsilo.rules.tar.gz
    min-version: 4.1.0
    homepage: https://raw-data.gitlab.io/post/malsilo_2.1/
    checksum: true

  stamus/lateral:
    summary: Lateral movement rules
    description: |
      Suricata ruleset specifically focused on detecting lateral
      movement in Microsoft Windows environments by Stamus Networks
    vendor: Stamus Networks
    min-version: 6.0.6
    license: GPL-3.0-only
    support-url: https://discord.com/channels/911231224448712714/911238451842666546
    url: https://ti.stamus-networks.io/open/stamus-lateral-rules.tar.gz

  stamus/nrd-30-open:
    summary: Newly Registered Domains Open only - 30 day list, complete
    description: |
      Newly Registered Domains list (last 30 days) to match on DNS, TLS and HTTP communication.
      Produced by Stamus Labs research team.
    vendor: Stamus Networks
    license: Commercial
    url: https://ti.stamus-networks.io/%(secret-code)s/sti-domains-nrd-30.tar.gz
    parameters:
      secret-code:
        prompt: Stamus Networks License code
    subscribe-url: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
    min-version: 6.0.0

  stamus/nrd-14-open:
    summary: Newly Registered Domains Open only - 14 day list, complete
    description: |
      Newly Registered Domains list (last 14 days) to match on DNS, TLS and HTTP communication.
      Produced by Stamus Labs research team.
    vendor: Stamus Networks
    license: Commercial
    url: https://ti.stamus-networks.io/%(secret-code)s/sti-domains-nrd-14.tar.gz
    parameters:
      secret-code:
        prompt: Stamus Networks License code
    subscribe-url: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
    min-version: 6.0.0

  stamus/nrd-entropy-30-open:
    summary: Newly Registered Domains Open only - 30 day list, high entropy
    description: |
      Suspicious Newly Registered Domains list with high entropy (last 30 days) to match on DNS, TLS and HTTP communication.
      Produced by Stamus Labs research team.
    vendor: Stamus Networks
    license: Commercial
    url: https://ti.stamus-networks.io/%(secret-code)s/sti-domains-entropy-30.tar.gz
    parameters:
      secret-code:
        prompt: Stamus Networks License code
    subscribe-url: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
    min-version: 6.0.0

  stamus/nrd-entropy-14-open:
    summary: Newly Registered Domains Open only - 14 day list, high entropy
    description: |
      Suspicious Newly Registered Domains list with high entropy (last 14 days) to match on DNS, TLS and HTTP communication.
      Produced by Stamus Labs research team.
    vendor: Stamus Networks
    license: Commercial
    url: https://ti.stamus-networks.io/%(secret-code)s/sti-domains-entropy-14.tar.gz
    parameters:
      secret-code:
        prompt: Stamus Networks License code
    subscribe-url: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
    min-version: 6.0.0

  stamus/nrd-phishing-30-open:
    summary: Newly Registered Domains Open only - 30 day list, phishing
    description: |
      Suspicious Newly Registered Domains Phishing list (last 30 days) to match on DNS, TLS and HTTP communication.
      Produced by Stamus Labs research team.
    vendor: Stamus Networks
    license: Commercial
    url: https://ti.stamus-networks.io/%(secret-code)s/sti-domains-phishing-30.tar.gz
    parameters:
      secret-code:
        prompt: Stamus Networks License code
    subscribe-url: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
    min-version: 6.0.0

  stamus/nrd-phishing-14-open:
    summary: Newly Registered Domains Open only - 14 day list, phishing
    description: |
      Suspicious Newly Registered Domains Phishing list (last 14 days) to match on DNS, TLS and HTTP communication.
      Produced by Stamus Labs research team.
    vendor: Stamus Networks
    license: Commercial
    url: https://ti.stamus-networks.io/%(secret-code)s/sti-domains-phishing-14.tar.gz
    parameters:
      secret-code:
        prompt: Stamus Networks License code
    subscribe-url: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
    min-version: 6.0.0

  pawpatrules:
    summary: PAW Patrules is a collection of rules for IDPS / NSM Suricata engine
    description: |
      PAW Patrules ruleset permit to detect many events on
      network. Suspicious flow, malicious tool, unsuported and
      vulnerable system, known threat actors with various IOCs,
      lateral movement, bad practice, shadow IT... Rules are
      frequently updated.
    homepage: https://pawpatrules.fr/
    vendor: pawpatrules
    min-version: 7.0.3
    url: https://rules.pawpatrules.fr/suricata/paw-patrules.tar.gz
    checksum: false
    license: CC-BY-SA-4.0

  ptrules/open:
    summary: Positive Technologies Open Ruleset
    description: |
      PT Rules, an open-source project focused on enhancing network security through proactive threat detection. As the PT Expert Security Center attack detection team, we are a dedicated group of cybersecurity experts committed to improve network security through open-source initiatives.
    vendor: Positive Technologies
    license: Custom
    license-url: https://rules.ptsecurity.com/files/LICENSE.txt
    url: https://rules.ptsecurity.com/files/ptopen.rules.tar.gz
    min-version: 5.0.0
    homepage: https://rules.ptsecurity.com

  aleksibovellan/nmap:
    summary: Suricata IDS/IPS Detection Rules Against NMAP Scans
    description: |
      These detection rules work by looking for specific NMAP
      packet window sizes, flags, port numbers, and known NMAP
      timing intervals.
    homepage: https://github.com/aleksibovellan/opnsense-suricata-nmaps
    vendor: aleksibovellan
    min-version: 7.0.4
    url: https://raw.githubusercontent.com/aleksibovellan/opnsense-suricata-nmaps/main/local.rules
    checksum: false
    license: MIT

versions:
  suricata:
    recommended: 7.0.7
    "7.0": 7.0.7