Rule Index

Active ruleset sources

Suricata Rule Index

A concise list of active Suricata rulesets, their publishers, summaries, home pages, and subscription links where access is required.

Active Rulesets

25 active rulesets indexed

Abuse.ch Feodo Tracker Botnet C2 IP ruleset

The Suricata Botnet C2 IP Ruleset contains botnet C2s tracked by Feodo Tracker and can be used for both, Suricata and Snort open source IDS/IPS. If you are running Suricata or Snort, you can use this ruleset to detect and/or block network connections towards hostline servers (IP address:port combination).

Publisher
Abuse.ch

Abuse.ch SSL Blacklist

The SSL Blacklist (SSLBL) is a project of abuse.ch with the goal of detecting malicious SSL connections, by identifying and blacklisting SSL certificates used by botnet C&C servers. In addition, SSLBL identifies JA3 fingerprints that helps you to detect & block malware botnet C&C communication on the TCP layer.

Publisher
Abuse.ch

Abuse.ch Suricata JA3 Fingerprint Ruleset

If you are running Suricata, you can use the SSLBL's Suricata JA3 fingerprint ruleset to detect and/or block malicious SSL connections in your network based on the JA3 fingerprint. Please note that your need Suricata 4.1.0 or newer in order to use the JA3 fingerprint ruleset.

Publisher
Abuse.ch

Abuse.ch URLhaus Suricata Rules

URLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.

Publisher
abuse.ch

Antiphishing for protection against phishing attacks

This ruleset is built using malicious URLs and domains involved in phishing attacks, utilizing community APIs like Phishstats and Openphish. Hourly updates with cumulative SID

Publisher
julioliraup
Home page
Home page

Emerging Threats Open Ruleset

Proofpoint ET Open is a timely and accurate rule set for detecting and blocking advanced threats

Publisher
Proofpoint
et/pro Subscription required

Emerging Threats Pro Ruleset

Proofpoint ET Pro is a timely and accurate rule set for detecting and blocking advanced threats

Publisher
Proofpoint
Subscribe

Etnetera aggressive IP blacklist

No additional summary provided.

Publisher
Etnetera a.s.

IPFire DBL

IPFire DBL is a comprehensive, community-maintained domain blocklist that protects your network from malware, phishing, unwanted content, and emerging threats

Publisher
IPFire
Home page
Home page

Lateral movement rules

Suricata ruleset specifically focused on detecting lateral movement in Microsoft Windows environments by Stamus Networks

Publisher
Stamus Networks
stamus/nrd-14-open Subscription required

Newly Registered Domains Open only - 14 day list, complete

Newly Registered Domains list (last 14 days) to match on DNS, TLS and HTTP communication. Produced by Stamus Labs research team.

Publisher
Stamus Networks
Subscribe
stamus/nrd-entropy-14-open Subscription required

Newly Registered Domains Open only - 14 day list, high entropy

Suspicious Newly Registered Domains list with high entropy (last 14 days) to match on DNS, TLS and HTTP communication. Produced by Stamus Labs research team.

Publisher
Stamus Networks
Subscribe
stamus/nrd-phishing-14-open Subscription required

Newly Registered Domains Open only - 14 day list, phishing

Suspicious Newly Registered Domains Phishing list (last 14 days) to match on DNS, TLS and HTTP communication. Produced by Stamus Labs research team.

Publisher
Stamus Networks
Subscribe
stamus/nrd-30-open Subscription required

Newly Registered Domains Open only - 30 day list, complete

Newly Registered Domains list (last 30 days) to match on DNS, TLS and HTTP communication. Produced by Stamus Labs research team.

Publisher
Stamus Networks
Subscribe
stamus/nrd-entropy-30-open Subscription required

Newly Registered Domains Open only - 30 day list, high entropy

Suspicious Newly Registered Domains list with high entropy (last 30 days) to match on DNS, TLS and HTTP communication. Produced by Stamus Labs research team.

Publisher
Stamus Networks
Subscribe
stamus/nrd-phishing-30-open Subscription required

Newly Registered Domains Open only - 30 day list, phishing

Suspicious Newly Registered Domains Phishing list (last 30 days) to match on DNS, TLS and HTTP communication. Produced by Stamus Labs research team.

Publisher
Stamus Networks
Subscribe

PAW Patrules is a collection of rules for IDPS / NSM Suricata engine

PAW Patrules ruleset permit to detect many events on network. Suspicious flow, malicious tool, unsuported and vulnerable system, known threat actors with various IOCs, lateral movement, bad practice, shadow IT... Rules are frequently updated.

Publisher
pawpatrules
Home page
Home page

Positive Technologies Open Ruleset

PT Rules, an open-source project focused on enhancing network security through proactive threat detection. As the PT Expert Security Center attack detection team, we are a dedicated group of cybersecurity experts committed to improve network security through open-source initiatives.

Publisher
Positive Technologies
Home page
Home page
scwx/enhanced Subscription required

Secureworks suricata-enhanced ruleset

Broad ruleset composed of malware rules and other security-related countermeasures, and curated by the Secureworks Counter Threat Unit research team. This ruleset has been enhanced with comprehensive and fully standard-compliant BETTER metadata (https://better-schema.readthedocs.io/).

Publisher
Secureworks
Subscribe
scwx/malware Subscription required

Secureworks suricata-malware ruleset

High-fidelity, high-priority ruleset composed mainly of malware-related countermeasures and curated by the Secureworks Counter Threat Unit research team.

Publisher
Secureworks
Subscribe
scwx/security Subscription required

Secureworks suricata-security ruleset

Broad ruleset composed of malware rules and other security-related countermeasures, and curated by the Secureworks Counter Threat Unit research team.

Publisher
Secureworks
Subscribe

Suricata IDS/IPS Detection Rules Against NMAP Scans

These detection rules work by looking for specific NMAP packet window sizes, flags, port numbers, and known NMAP timing intervals.

Publisher
aleksibovellan
Home page
Home page

Suricata Traffic ID ruleset

No additional summary provided.

Publisher
OISF

The Hunters Ledger threat-intelligence detection feed

Community Suricata ruleset derived from original malware and open-directory investigations published at the-hunters-ledger.com. Updated as new campaigns are analyzed.

Publisher
The Hunters Ledger
Home page
Home page

Threat hunting rules

Heuristic ruleset for hunting. Focus on anomaly detection and showcasing latest engine features, not performance.

Publisher
tgreen