mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-09 18:45:54 +02:00
b77b41a579
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
150 lines
5.3 KiB
Plaintext
150 lines
5.3 KiB
Plaintext
package IDS::Ruleset;
|
|
|
|
# This file contains the supported ruleset providers.
|
|
#
|
|
# Each one is defined as a hash in the main hash.
|
|
# It's name acts as handle/key and the key/value pair acts as data part.
|
|
# So the structure is like the following:
|
|
#
|
|
# handle => {
|
|
# summary => A short summary of the service. This also will be shown if no translation string is available for the WUI.
|
|
# website => The website of the ruleset provider.
|
|
# tr_string => The translation string which is used by the WUI and part of the language files.
|
|
# requires_subscription => "True/False" - If some kind of registration code is required in order to download the ruleset.
|
|
# dl_url => The download URL to grab the ruleset.
|
|
# dl_type => "archive/plain" - To specify, if the downloaded file is a packed archive or a plain text file.
|
|
# },
|
|
|
|
# Hash which contains the supported ruleset providers.
|
|
our %Providers = (
|
|
# Ruleset for registered sourcefire users.
|
|
registered => {
|
|
summary => "Talos VRT rules for registered users",
|
|
website => "https://www.snort.org",
|
|
tr_string => "registered user rules",
|
|
requires_subscription => "True",
|
|
dl_url => "https://www.snort.org/rules/snortrules-snapshot-29200.tar.gz?oinkcode=<subscription_code>",
|
|
dl_type => "archive",
|
|
},
|
|
|
|
# Ruleset for registered sourcefire users with a valid subsription.
|
|
subscripted => {
|
|
summary => "Talos VRT rules with subscription",
|
|
website => "https://www.snort.org",
|
|
tr_string => "subscripted user rules",
|
|
requires_subscription => "True",
|
|
dl_url => "https://www.snort.org/rules/snortrules-snapshot-29200.tar.gz?oinkcode=<subscription_code>",
|
|
dl_type => "archive",
|
|
},
|
|
|
|
# Community rules from sourcefire.
|
|
community => {
|
|
summary => "Snort/VRT GPLv2 Community Rules",
|
|
website => "https://www.snort.org",
|
|
tr_string => "community rules",
|
|
requires_subscription => "False",
|
|
dl_url => "https://www.snort.org/rules/community",
|
|
dl_type => "archive",
|
|
},
|
|
|
|
# Emerging threads community rules.
|
|
emerging => {
|
|
summary => "Emergingthreats.net Community Rules",
|
|
website => "https://emergingthreats.net/",
|
|
tr_string => "emerging rules",
|
|
requires_subscription => "False",
|
|
dl_url => "https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz",
|
|
dl_type => "archive",
|
|
},
|
|
|
|
# Emerging threads Pro rules.
|
|
emerging_pro => {
|
|
summary => "Emergingthreats.net Pro Rules",
|
|
website => "https://emergingthreats.net/",
|
|
tr_string => "emerging pro rules",
|
|
requires_subscription => "True",
|
|
dl_url => "https://rules.emergingthreatspro.com/<subscription_code>/suricata-5.0/etpro.rules.tar.gz",
|
|
dl_type => "archive",
|
|
},
|
|
|
|
# Abuse.ch SSLBL Blacklist rules.
|
|
sslbl_blacklist => {
|
|
summary => "Abuse.ch SSLBL Blacklist Rules",
|
|
website => "https://sslbl.abuse.ch/",
|
|
tr_string => "sslbl blacklist rules",
|
|
requires_subscription => "False",
|
|
dl_url => "https://sslbl.abuse.ch/blacklist/sslblacklist.rules",
|
|
dl_type => "plain",
|
|
},
|
|
|
|
# Etnetera Aggressive Blacklist.
|
|
etnetera_aggressive => {
|
|
summary => "Etnetera Aggressive Blacklist Rules",
|
|
website => "https://security.etnetera.cz/",
|
|
tr_string => "etnetera aggressive blacklist rules",
|
|
requires_subscription => "False",
|
|
dl_url => "https://security.etnetera.cz/feeds/etn_aggressive.rules",
|
|
dl_type => "plain",
|
|
},
|
|
|
|
# OISF Traffic ID rules.
|
|
oisf_trafficid => {
|
|
summary => "OISF Traffic ID Rules",
|
|
website => "https://www.openinfosecfoundation.org/",
|
|
tr_string => "oisf traffic id rules",
|
|
requires_subscription => "False",
|
|
dl_url => "https://openinfosecfoundation.org/rules/trafficid/trafficid.rules",
|
|
dl_type => "plain",
|
|
},
|
|
|
|
# Positive Technologies Attack Detection Team rules.
|
|
attack_detection => {
|
|
summary => "PT Attack Detection Team Rules",
|
|
website => "https://github.com/ptresearch/AttackDetection",
|
|
tr_string => "attack detection team rules",
|
|
requires_subscription => "False",
|
|
dl_url => "https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz",
|
|
dl_type => "archive",
|
|
},
|
|
|
|
# Secureworks Security rules.
|
|
secureworks_security => {
|
|
summary => "Secureworks Security Ruleset",
|
|
website => "https://www.secureworks.com",
|
|
tr_string => "secureworks security ruleset",
|
|
requires_subscription => "True",
|
|
dl_url => "https://ws.secureworks.com/ti/ruleset/<subscription_code>/Suricata_suricata-security_latest.tgz",
|
|
dl_type => "archive",
|
|
},
|
|
|
|
# Secureworks Malware rules.
|
|
secureworks_malware => {
|
|
summary => "Secureworks Malware Ruleset",
|
|
website => "https://www.secureworks.com",
|
|
tr_string => "secureworks malware ruleset",
|
|
requires_subscription => "True",
|
|
dl_url => "https://ws.secureworks.com/ti/ruleset/<subscription_code>/Suricata_suricata-malware_latest.tgz",
|
|
dl_type => "archive",
|
|
},
|
|
|
|
# Secureworks Enhanced rules.
|
|
secureworks_enhanced => {
|
|
summary => "Secureworks Enhanced Ruleset",
|
|
website => "https://www.secureworks.com",
|
|
tr_string => "secureworks enhanced ruleset",
|
|
requires_subscription => "True",
|
|
dl_url => "https://ws.secureworks.com/ti/ruleset/<subscription_code>/Suricata_suricata-enhanced_latest.tgz",
|
|
dl_type => "archive",
|
|
},
|
|
|
|
# Travis B. Green hunting rules.
|
|
tgreen => {
|
|
summary => "Travis Green - Hunting rules",
|
|
website => "https://github.com/travisbgreen/hunting-rules",
|
|
tr_string => "travis green hunting rules",
|
|
requires_subscription => "False",
|
|
dl_url => "https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules",
|
|
dl_type => "plain",
|
|
},
|
|
);
|