1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
|
package IDS::Ruleset;
# This file contains the supported ruleset providers.
#
# Each one is defined as a hash in the main hash.
# It's name acts as handle/key and the key/value pair acts as data part.
# So the structure is like the following:
#
# handle => {
# summary => A short summary of the service. This also will be shown if no translation string is available for the WUI.
# website => The website of the ruleset provider.
# tr_string => The translation string which is used by the WUI and part of the language files.
# requires_subscription => "True/False" - If some kind of registration code is required in order to download the ruleset.
# dl_url => The download URL to grab the ruleset.
# dl_type => "archive/plain" - To specify, if the downloaded file is a packed archive or a plain text file.
# },
# Hash which contains the supported ruleset providers.
our %Providers = (
# Ruleset for registered sourcefire users.
registered => {
summary => "Talos VRT rules for registered users",
website => "https://www.snort.org",
tr_string => "registered user rules",
requires_subscription => "True",
dl_url => "https://www.snort.org/rules/snortrules-snapshot-29190.tar.gz?oinkcode=<subscription_code>",
dl_type => "archive",
},
# Ruleset for registered sourcefire users with a valid subsription.
subscripted => {
summary => "Talos VRT rules with subscription",
website => "https://www.snort.org",
tr_string => "subscripted user rules",
requires_subscription => "True",
dl_url => "https://www.snort.org/rules/snortrules-snapshot-29190.tar.gz?oinkcode=<subscription_code>",
dl_type => "archive",
},
# Community rules from sourcefire.
community => {
summary => "Snort/VRT GPLv2 Community Rules",
website => "https://www.snort.org",
tr_string => "community rules",
requires_subscription => "False",
dl_url => "https://www.snort.org/rules/community",
dl_type => "archive",
},
# Emerging threads community rules.
emerging => {
summary => "Emergingthreats.net Community Rules",
website => "https://emergingthreats.net/",
tr_string => "emerging rules",
requires_subscription => "False",
dl_url => "https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz",
dl_type => "archive",
},
# Emerging threads Pro rules.
emerging_pro => {
summary => "Emergingthreats.net Pro Rules",
website => "https://emergingthreats.net/",
tr_string => "emerging pro rules",
requires_subscription => "True",
dl_url => "https://rules.emergingthreatspro.com/<subscription_code>/suricata-5.0/etpro.rules.tar.gz",
dl_type => "archive",
},
# Abuse.ch SSLBL Blacklist rules.
sslbl_blacklist => {
summary => "Abuse.ch SSLBL Blacklist Rules",
website => "https://sslbl.abuse.ch/",
tr_string => "sslbl blacklist rules",
requires_subscription => "False",
dl_url => "https://sslbl.abuse.ch/blacklist/sslblacklist.rules",
dl_type => "plain",
},
# Etnetera Aggressive Blacklist.
etnetera_aggressive => {
summary => "Etnetera Aggressive Blacklist Rules",
website => "https://security.etnetera.cz/",
tr_string => "etnetera aggressive blacklist rules",
requires_subscription => "False",
dl_url => "https://security.etnetera.cz/feeds/etn_aggressive.rules",
dl_type => "plain",
},
# OISF Traffic ID rules.
oisf_trafficid => {
summary => "OISF Traffic ID Rules",
website => "https://www.openinfosecfoundation.org/",
tr_string => "oisf traffic id rules",
requires_subscription => "False",
dl_url => "https://openinfosecfoundation.org/rules/trafficid/trafficid.rules",
dl_type => "plain",
},
# Positive Technologies Attack Detection Team rules.
attack_detection => {
summary => "PT Attack Detection Team Rules",
website => "https://github.com/ptresearch/AttackDetection",
tr_string => "attack detection team rules",
requires_subscription => "False",
dl_url => "https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz",
dl_type => "archive",
},
# Secureworks Security rules.
secureworks_security => {
summary => "Secureworks Security Ruleset",
website => "https://www.secureworks.com",
tr_string => "secureworks security ruleset",
requires_subscription => "True",
dl_url => "https://ws.secureworks.com/ti/ruleset/<subscription_code>/Suricata_suricata-security_latest.tgz",
dl_type => "archive",
},
# Secureworks Malware rules.
secureworks_malware => {
summary => "Secureworks Malware Ruleset",
website => "https://www.secureworks.com",
tr_string => "secureworks malware ruleset",
requires_subscription => "True",
dl_url => "https://ws.secureworks.com/ti/ruleset/<subscription_code>/Suricata_suricata-malware_latest.tgz",
dl_type => "archive",
},
# Secureworks Enhanced rules.
secureworks_enhanced => {
summary => "Secureworks Enhanced Ruleset",
website => "https://www.secureworks.com",
tr_string => "secureworks enhanced ruleset",
requires_subscription => "True",
dl_url => "https://ws.secureworks.com/ti/ruleset/<subscription_code>/Suricata_suricata-enhanced_latest.tgz",
dl_type => "archive",
},
# Travis B. Green hunting rules.
tgreen => {
summary => "Travis Green - Hunting rules",
website => "https://github.com/travisbgreen/hunting-rules",
tr_string => "travis green hunting rules",
requires_subscription => "False",
dl_url => "https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules",
dl_type => "plain",
},
);
|