webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-22 17:02:58 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
90ea6fac35ac12a6fea9163ac71da166370856fe
bpfire/config/suricata/ruleset-sources
Adolf Belka 90e40b1948 ruleset-sources: removal of PT Attack & Secureworks + addition of ThreatFox 
- The PT Attack ruleset has not been updated since 2021 and made read-only in 2022
   The PT Attack website no longer has any reference to Suricata Rulesets. The PT Attack
   ruleset is being removed.
- The Secureworks three rulesets are no longer available. The website path gives a 404
   error. No mention of Suricata rulesets in the Secureworks website. The Secureworks three
   rulesets are being removed.
- ThreatFox ruleset has been added to the list. Both a plain and archive version of the
   rules are available but the plain version is being regularly updated while the archive
   version was last updated 5 days ago. So this patch has implemented the plain version.
- All above was discussed in the January Developers Conference call.
- Tested out on my vm testbed. I had PT Attack selected as one of the providers. As
   mentioned by Stefan removing PT Attack means it is not available in the list of
   providers but the provider stays in the providers table but with the line shown in red.
   I will update the wiki to mention the red highlight and what it means.

Suggested-by: Stefan Schantl <stefan.schantl@ipfire.org>
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-02-16 12:29:15 +00:00

120 lines
4.2 KiB
Plaintext
Raw Blame History

package IDS::Ruleset;
# This file contains the supported ruleset providers.
#
# Each one is defined as a hash in the main hash.
# It's name acts as handle/key and the key/value pair acts as data part.
# So the structure is like the following:
#
# handle => {
# summary => A short summary of the service. This also will be shown if no translation string is available for the WUI.
# website => The website of the ruleset provider.
# tr_string => The translation string which is used by the WUI and part of the language files.
# requires_subscription => "True/False" - If some kind of registration code is required in order to download the ruleset.
# dl_url => The download URL to grab the ruleset.
# dl_type => "archive/plain" - To specify, if the downloaded file is a packed archive or a plain text file.
# },
# Hash which contains the supported ruleset providers.
our %Providers = (
# Ruleset for registered sourcefire users.
registered => {
summary => "Talos VRT rules for registered users",
website => "https://www.snort.org",
tr_string => "registered user rules",
requires_subscription => "True",
dl_url => "https://www.snort.org/rules/snortrules-snapshot-29200.tar.gz?oinkcode=<subscription_code>",
dl_type => "archive",
},
# Ruleset for registered sourcefire users with a valid subsription.
subscripted => {
summary => "Talos VRT rules with subscription",
website => "https://www.snort.org",
tr_string => "subscripted user rules",
requires_subscription => "True",
dl_url => "https://www.snort.org/rules/snortrules-snapshot-29200.tar.gz?oinkcode=<subscription_code>",
dl_type => "archive",
},
# Community rules from sourcefire.
community => {
summary => "Snort/VRT GPLv2 Community Rules",
website => "https://www.snort.org",
tr_string => "community rules",
requires_subscription => "False",
dl_url => "https://www.snort.org/downloads/community/community-rules.tar.gz",
dl_type => "archive",
},
# Emerging threads community rules.
emerging => {
summary => "Emergingthreats.net Community Rules",
website => "https://emergingthreats.net/",
tr_string => "emerging rules",
requires_subscription => "False",
dl_url => "https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz",
dl_type => "archive",
},
# Emerging threads Pro rules.
emerging_pro => {
summary => "Emergingthreats.net Pro Rules",
website => "https://emergingthreats.net/",
tr_string => "emerging pro rules",
requires_subscription => "True",
dl_url => "https://rules.emergingthreatspro.com/<subscription_code>/suricata-5.0/etpro.rules.tar.gz",
dl_type => "archive",
},
# Abuse.ch SSLBL Blacklist rules.
sslbl_blacklist => {
summary => "Abuse.ch SSLBL Blacklist Rules",
website => "https://sslbl.abuse.ch/",
tr_string => "sslbl blacklist rules",
requires_subscription => "False",
dl_url => "https://sslbl.abuse.ch/blacklist/sslblacklist.rules",
dl_type => "plain",
},
# Etnetera Aggressive Blacklist.
etnetera_aggressive => {
summary => "Etnetera Aggressive Blacklist Rules",
website => "https://security.etnetera.cz/",
tr_string => "etnetera aggressive blacklist rules",
requires_subscription => "False",
dl_url => "https://security.etnetera.cz/feeds/etn_aggressive.rules",
dl_type => "plain",
},
# OISF Traffic ID rules.
oisf_trafficid => {
summary => "OISF Traffic ID Rules",
website => "https://www.openinfosecfoundation.org/",
tr_string => "oisf traffic id rules",
requires_subscription => "False",
dl_url => "https://openinfosecfoundation.org/rules/trafficid/trafficid.rules",
dl_type => "plain",
},
# ThreatFox
threatfox => {
summary => "ThreatFox Indicators Of Compromise Rules",
website => "https://threatfox.abuse.ch/",
tr_string => "threatfox rules",
requires_subscription => "False",
dl_url => "https://threatfox.abuse.ch/downloads/threatfox_suricata.rules",
dl_type => "plain",
},
# Travis B. Green hunting rules.
tgreen => {
summary => "Travis Green - Hunting rules",
website => "https://github.com/travisbgreen/hunting-rules",
tr_string => "travis green hunting rules",
requires_subscription => "False",
dl_url => "https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules",
dl_type => "plain",
},
);
Reference in New Issue View Git Blame Copy Permalink