index = {   'sources': {   'et/open': {   'description': 'Proofpoint ET Open is a '
                                                 'timely and accurate rule set '
                                                 'for detecting and blocking '
                                                 'advanced threats\n',
                                  'license': 'MIT',
                                  'summary': 'Emerging Threats Open Ruleset',
                                  'url': 'https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz',
                                  'vendor': 'Proofpoint'},
                   'et/pro': {   'checksum': False,
                                 'description': 'Proofpoint ET Pro is a timely '
                                                'and accurate rule set for '
                                                'detecting and blocking '
                                                'advanced threats\n',
                                 'license': 'Commercial',
                                 'parameters': {   'secret-code': {   'prompt': 'Emerging '
                                                                                'Threats '
                                                                                'Pro '
                                                                                'access '
                                                                                'code'}},
                                 'replaces': ['et/open'],
                                 'subscribe-url': 'https://www.proofpoint.com/us/threat-insight/et-pro-ruleset',
                                 'summary': 'Emerging Threats Pro Ruleset',
                                 'url': 'https://rules.emergingthreatspro.com/%(secret-code)s/suricata-%(__version__)s/etpro.rules.tar.gz',
                                 'vendor': 'Proofpoint'},
                   'etnetera/aggressive': {   'checksum': False,
                                              'license': 'MIT',
                                              'min-version': '4.0.0',
                                              'summary': 'Etnetera aggressive '
                                                         'IP blacklist',
                                              'url': 'https://security.etnetera.cz/feeds/etn_aggressive.rules',
                                              'vendor': 'Etnetera a.s.'},
                   'malsilo/win-malware': {   'checksum': True,
                                              'description': 'TCP/UDP, DNS and '
                                                             'HTTP Windows '
                                                             'threats '
                                                             'artifacts '
                                                             'observed at '
                                                             'runtime.\n',
                                              'homepage': 'https://raw-data.gitlab.io/post/malsilo_2.1/',
                                              'license': 'MIT',
                                              'min-version': '4.1.0',
                                              'summary': 'Commodity malware '
                                                         'rules',
                                              'url': 'https://malsilo.gitlab.io/feeds/dumps/malsilo.rules.tar.gz',
                                              'vendor': 'malsilo'},
                   'oisf/trafficid': {   'checksum': False,
                                         'license': 'MIT',
                                         'min-version': '4.0.0',
                                         'summary': 'Suricata Traffic ID '
                                                    'ruleset',
                                         'support-url': 'https://redmine.openinfosecfoundation.org/',
                                         'url': 'https://openinfosecfoundation.org/rules/trafficid/trafficid.rules',
                                         'vendor': 'OISF'},
                   'pawpatrules': {   'checksum': False,
                                      'description': 'PAW Patrules ruleset '
                                                     'permit to detect many '
                                                     'events on\n'
                                                     'network. Suspicious '
                                                     'flow, malicious tool, '
                                                     'unsuported and\n'
                                                     'vulnerable system, known '
                                                     'threat actors with '
                                                     'various IOCs,\n'
                                                     'lateral movement, bad '
                                                     'practice, shadow IT... '
                                                     'Rules are\n'
                                                     'frequently updated.\n',
                                      'homepage': 'https://pawpatrules.fr/',
                                      'license': 'CC-BY-SA-4.0',
                                      'min-version': '6.0.0',
                                      'summary': 'PAW Patrules is a collection '
                                                 'of rules for IDPS / NSM '
                                                 'Suricata engine',
                                      'url': 'https://rules.pawpatrules.fr/suricata/paw-patrules.tar.gz',
                                      'vendor': 'pawpatrules'},
                   'ptresearch/attackdetection': {   'description': 'The '
                                                                    'Attack '
                                                                    'Detection '
                                                                    'Team '
                                                                    'searches '
                                                                    'for new '
                                                                    'vulnerabilities '
                                                                    'and '
                                                                    '0-days, '
                                                                    'reproduces '
                                                                    'it and '
                                                                    'creates '
                                                                    'PoC '
                                                                    'exploits '
                                                                    'to '
                                                                    'understand '
                                                                    'how these '
                                                                    'security '
                                                                    'flaws '
                                                                    'work and '
                                                                    'how '
                                                                    'related '
                                                                    'attacks '
                                                                    'can be '
                                                                    'detected '
                                                                    'on the '
                                                                    'network '
                                                                    'layer. '
                                                                    'Additionally, '
                                                                    'we are '
                                                                    'interested '
                                                                    'in '
                                                                    'malware '
                                                                    'and '
                                                                    "hackers' "
                                                                    'TTPs, so '
                                                                    'we '
                                                                    'develop '
                                                                    'Suricata '
                                                                    'rules for '
                                                                    'detecting '
                                                                    'all sorts '
                                                                    'of such '
                                                                    'activities.\n',
                                                     'license': 'Custom',
                                                     'license-url': 'https://raw.githubusercontent.com/ptresearch/AttackDetection/master/LICENSE',
                                                     'obsolete': 'no longer '
                                                                 'exists',
                                                     'summary': 'Positive '
                                                                'Technologies '
                                                                'Attack '
                                                                'Detection '
                                                                'Team ruleset',
                                                     'url': 'https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz',
                                                     'vendor': 'Positive '
                                                               'Technologies'},
                   'scwx/enhanced': {   'description': 'Broad ruleset composed '
                                                       'of malware rules and '
                                                       'other security-related '
                                                       'countermeasures, and '
                                                       'curated by the '
                                                       'Secureworks Counter '
                                                       'Threat Unit research '
                                                       'team.  This ruleset '
                                                       'has been enhanced with '
                                                       'comprehensive and '
                                                       'fully '
                                                       'standard-compliant '
                                                       'BETTER metadata '
                                                       '(https://better-schema.readthedocs.io/).\n',
                                        'license': 'Commercial',
                                        'min-version': '3.0.0',
                                        'parameters': {   'secret-code': {   'prompt': 'Secureworks '
                                                                                       'Threat '
                                                                                       'Intelligence '
                                                                                       'Authentication '
                                                                                       'Token'}},
                                        'subscribe-url': 'https://www.secureworks.com/contact/ '
                                                         '(Please reference '
                                                         'CTU Countermeasures)',
                                        'summary': 'Secureworks '
                                                   'suricata-enhanced ruleset',
                                        'url': 'https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-enhanced_latest.tgz',
                                        'vendor': 'Secureworks'},
                   'scwx/malware': {   'description': 'High-fidelity, '
                                                      'high-priority ruleset '
                                                      'composed mainly of '
                                                      'malware-related '
                                                      'countermeasures and '
                                                      'curated by the '
                                                      'Secureworks Counter '
                                                      'Threat Unit research '
                                                      'team.\n',
                                       'license': 'Commercial',
                                       'min-version': '3.0.0',
                                       'parameters': {   'secret-code': {   'prompt': 'Secureworks '
                                                                                      'Threat '
                                                                                      'Intelligence '
                                                                                      'Authentication '
                                                                                      'Token'}},
                                       'subscribe-url': 'https://www.secureworks.com/contact/ '
                                                        '(Please reference CTU '
                                                        'Countermeasures)',
                                       'summary': 'Secureworks '
                                                  'suricata-malware ruleset',
                                       'url': 'https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-malware_latest.tgz',
                                       'vendor': 'Secureworks'},
                   'scwx/security': {   'description': 'Broad ruleset composed '
                                                       'of malware rules and '
                                                       'other security-related '
                                                       'countermeasures, and '
                                                       'curated by the '
                                                       'Secureworks Counter '
                                                       'Threat Unit research '
                                                       'team.\n',
                                        'license': 'Commercial',
                                        'min-version': '3.0.0',
                                        'parameters': {   'secret-code': {   'prompt': 'Secureworks '
                                                                                       'Threat '
                                                                                       'Intelligence '
                                                                                       'Authentication '
                                                                                       'Token'}},
                                        'subscribe-url': 'https://www.secureworks.com/contact/ '
                                                         '(Please reference '
                                                         'CTU Countermeasures)',
                                        'summary': 'Secureworks '
                                                   'suricata-security ruleset',
                                        'url': 'https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-security_latest.tgz',
                                        'vendor': 'Secureworks'},
                   'sslbl/ja3-fingerprints': {   'checksum': False,
                                                 'description': 'If you are '
                                                                'running '
                                                                'Suricata, you '
                                                                'can use the '
                                                                "SSLBL's "
                                                                'Suricata JA3 '
                                                                'FingerprintRuleset '
                                                                'to detect '
                                                                'and/or block '
                                                                'malicious SSL '
                                                                'connections '
                                                                'in your '
                                                                'network based '
                                                                'on the JA3 '
                                                                'fingerprint. '
                                                                'Please note '
                                                                'that your '
                                                                'need Suricata '
                                                                '4.1.0 or '
                                                                'newer in '
                                                                'order to use '
                                                                'the JA3 '
                                                                'fingerprint '
                                                                'ruleset.\n',
                                                 'license': 'Non-Commercial',
                                                 'min-version': '4.1.0',
                                                 'summary': 'Abuse.ch Suricata '
                                                            'JA3 Fingerprint '
                                                            'Ruleset',
                                                 'url': 'https://sslbl.abuse.ch/blacklist/ja3_fingerprints.rules',
                                                 'vendor': 'Abuse.ch'},
                   'sslbl/ssl-fp-blacklist': {   'checksum': False,
                                                 'description': 'The SSL '
                                                                'Blacklist '
                                                                '(SSLBL) is a '
                                                                'project of '
                                                                'abuse.ch with '
                                                                'the goal of '
                                                                'detecting '
                                                                'malicious SSL '
                                                                'connections, '
                                                                'by '
                                                                'identifying '
                                                                'and '
                                                                'blacklisting '
                                                                'SSL '
                                                                'certificates '
                                                                'used by '
                                                                'botnet C&C '
                                                                'servers. In '
                                                                'addition, '
                                                                'SSLBL '
                                                                'identifies '
                                                                'JA3 '
                                                                'fingerprints '
                                                                'that helps '
                                                                'you to detect '
                                                                '& block '
                                                                'malware '
                                                                'botnet C&C '
                                                                'communication '
                                                                'on the TCP '
                                                                'layer.\n',
                                                 'license': 'Non-Commercial',
                                                 'summary': 'Abuse.ch SSL '
                                                            'Blacklist',
                                                 'url': 'https://sslbl.abuse.ch/blacklist/sslblacklist.rules',
                                                 'vendor': 'Abuse.ch'},
                   'stamus/lateral': {   'description': 'Suricata ruleset '
                                                        'specifically focused '
                                                        'on detecting lateral\n'
                                                        'movement in Microsoft '
                                                        'Windows environments '
                                                        'by Stamus Networks\n',
                                         'license': 'GPL-3.0-only',
                                         'min-version': '6.0.6',
                                         'summary': 'Lateral movement rules',
                                         'support-url': 'https://discord.com/channels/911231224448712714/911238451842666546',
                                         'url': 'https://ti.stamus-networks.io/open/stamus-lateral-rules.tar.gz',
                                         'vendor': 'Stamus Networks'},
                   'stamus/nrd-14-open': {   'description': 'Newly Registered '
                                                            'Domains list '
                                                            '(last 14 days) to '
                                                            'match on DNS, TLS '
                                                            'and HTTP '
                                                            'communication.\n'
                                                            'Produced by '
                                                            'Stamus Labs '
                                                            'research team.\n',
                                             'license': 'Commercial',
                                             'min-version': '6.0.0',
                                             'parameters': {   'secret-code': {   'prompt': 'Stamus '
                                                                                            'Networks '
                                                                                            'License '
                                                                                            'code'}},
                                             'subscribe-url': 'https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed',
                                             'summary': 'Newly Registered '
                                                        'Domains Open only - '
                                                        '14 day list, complete',
                                             'url': 'https://ti.stamus-networks.io/%(secret-code)s/sti-domains-nrd-14.tar.gz',
                                             'vendor': 'Stamus Networks'},
                   'stamus/nrd-30-open': {   'description': 'Newly Registered '
                                                            'Domains list '
                                                            '(last 30 days) to '
                                                            'match on DNS, TLS '
                                                            'and HTTP '
                                                            'communication.\n'
                                                            'Produced by '
                                                            'Stamus Labs '
                                                            'research team.\n',
                                             'license': 'Commercial',
                                             'min-version': '6.0.0',
                                             'parameters': {   'secret-code': {   'prompt': 'Stamus '
                                                                                            'Networks '
                                                                                            'License '
                                                                                            'code'}},
                                             'subscribe-url': 'https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed',
                                             'summary': 'Newly Registered '
                                                        'Domains Open only - '
                                                        '30 day list, complete',
                                             'url': 'https://ti.stamus-networks.io/%(secret-code)s/sti-domains-nrd-30.tar.gz',
                                             'vendor': 'Stamus Networks'},
                   'stamus/nrd-entropy-14-open': {   'description': 'Suspicious '
                                                                    'Newly '
                                                                    'Registered '
                                                                    'Domains '
                                                                    'list with '
                                                                    'high '
                                                                    'entropy '
                                                                    '(last 14 '
                                                                    'days) to '
                                                                    'match on '
                                                                    'DNS, TLS '
                                                                    'and HTTP '
                                                                    'communication.\n'
                                                                    'Produced '
                                                                    'by Stamus '
                                                                    'Labs '
                                                                    'research '
                                                                    'team.\n',
                                                     'license': 'Commercial',
                                                     'min-version': '6.0.0',
                                                     'parameters': {   'secret-code': {   'prompt': 'Stamus '
                                                                                                    'Networks '
                                                                                                    'License '
                                                                                                    'code'}},
                                                     'subscribe-url': 'https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed',
                                                     'summary': 'Newly '
                                                                'Registered '
                                                                'Domains Open '
                                                                'only - 14 day '
                                                                'list, high '
                                                                'entropy',
                                                     'url': 'https://ti.stamus-networks.io/%(secret-code)s/sti-domains-entropy-14.tar.gz',
                                                     'vendor': 'Stamus '
                                                               'Networks'},
                   'stamus/nrd-entropy-30-open': {   'description': 'Suspicious '
                                                                    'Newly '
                                                                    'Registered '
                                                                    'Domains '
                                                                    'list with '
                                                                    'high '
                                                                    'entropy '
                                                                    '(last 30 '
                                                                    'days) to '
                                                                    'match on '
                                                                    'DNS, TLS '
                                                                    'and HTTP '
                                                                    'communication.\n'
                                                                    'Produced '
                                                                    'by Stamus '
                                                                    'Labs '
                                                                    'research '
                                                                    'team.\n',
                                                     'license': 'Commercial',
                                                     'min-version': '6.0.0',
                                                     'parameters': {   'secret-code': {   'prompt': 'Stamus '
                                                                                                    'Networks '
                                                                                                    'License '
                                                                                                    'code'}},
                                                     'subscribe-url': 'https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed',
                                                     'summary': 'Newly '
                                                                'Registered '
                                                                'Domains Open '
                                                                'only - 30 day '
                                                                'list, high '
                                                                'entropy',
                                                     'url': 'https://ti.stamus-networks.io/%(secret-code)s/sti-domains-entropy-30.tar.gz',
                                                     'vendor': 'Stamus '
                                                               'Networks'},
                   'stamus/nrd-phishing-14-open': {   'description': 'Suspicious '
                                                                     'Newly '
                                                                     'Registered '
                                                                     'Domains '
                                                                     'Phishing '
                                                                     'list '
                                                                     '(last 14 '
                                                                     'days) to '
                                                                     'match on '
                                                                     'DNS, TLS '
                                                                     'and HTTP '
                                                                     'communication.\n'
                                                                     'Produced '
                                                                     'by '
                                                                     'Stamus '
                                                                     'Labs '
                                                                     'research '
                                                                     'team.\n',
                                                      'license': 'Commercial',
                                                      'min-version': '6.0.0',
                                                      'parameters': {   'secret-code': {   'prompt': 'Stamus '
                                                                                                     'Networks '
                                                                                                     'License '
                                                                                                     'code'}},
                                                      'subscribe-url': 'https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed',
                                                      'summary': 'Newly '
                                                                 'Registered '
                                                                 'Domains Open '
                                                                 'only - 14 '
                                                                 'day list, '
                                                                 'phishing',
                                                      'url': 'https://ti.stamus-networks.io/%(secret-code)s/sti-domains-phishing-14.tar.gz',
                                                      'vendor': 'Stamus '
                                                                'Networks'},
                   'stamus/nrd-phishing-30-open': {   'description': 'Suspicious '
                                                                     'Newly '
                                                                     'Registered '
                                                                     'Domains '
                                                                     'Phishing '
                                                                     'list '
                                                                     '(last 30 '
                                                                     'days) to '
                                                                     'match on '
                                                                     'DNS, TLS '
                                                                     'and HTTP '
                                                                     'communication.\n'
                                                                     'Produced '
                                                                     'by '
                                                                     'Stamus '
                                                                     'Labs '
                                                                     'research '
                                                                     'team.\n',
                                                      'license': 'Commercial',
                                                      'min-version': '6.0.0',
                                                      'parameters': {   'secret-code': {   'prompt': 'Stamus '
                                                                                                     'Networks '
                                                                                                     'License '
                                                                                                     'code'}},
                                                      'subscribe-url': 'https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed',
                                                      'summary': 'Newly '
                                                                 'Registered '
                                                                 'Domains Open '
                                                                 'only - 30 '
                                                                 'day list, '
                                                                 'phishing',
                                                      'url': 'https://ti.stamus-networks.io/%(secret-code)s/sti-domains-phishing-30.tar.gz',
                                                      'vendor': 'Stamus '
                                                                'Networks'},
                   'tgreen/hunting': {   'checksum': False,
                                         'description': 'Heuristic ruleset for '
                                                        'hunting. Focus on '
                                                        'anomaly detection and '
                                                        'showcasing latest '
                                                        'engine features, not '
                                                        'performance.\n',
                                         'license': 'GPLv3',
                                         'min-version': '4.1.0',
                                         'summary': 'Threat hunting rules',
                                         'url': 'https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules',
                                         'vendor': 'tgreen'}},
    'version': 1}