Home/Detection rules/Suricata / ET-open
Tool
Network IDS

Suricata / ET-open

6,432 rules · network intrusion-detection signatures
Network intrusion-detection signatures from open rulesets (ET Open, Snort Community, abuse.ch). These match malicious traffic patterns on the wire. A rule name links to its upstream reference where the ruleset publishes one; rules without a public reference show as plain text.
Class All trojan-activitydomain-c2bad-unknownweb-application-attackmisc-activitycommand-and-controlattempted-adminexploit-kitsocial-engineeringcredential-theftattempted-usertargeted-activityattempted-reconpup-activity
Using these IDS signatures
Deploy. Load them into a Suricata or Snort sensor and reload the ruleset; the sensor inspects traffic inline or from a tap or SPAN port and alerts (or drops) the moment a packet matches.
Adapt. Set the action per rule (alert vs drop), make sure the sensor actually sees the traffic in question - TLS payloads need decryption first - and silence noisy signatures that do not fit your network.
Scope. These catch malicious patterns on the wire: C2 beacons, exploit attempts, known-bad hosts. Pair them with endpoint and log detection, since encrypted or host-local activity never crosses the sensor.

Rules

50 shown of 6,432
et-open bad-unknown
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
sid 2003492 format suricata
et-open bad-unknown
ET INFO WinUpack Modified PE Header Inbound
sid 2003614 format suricata
et-open bad-unknown
ET INFO WinUpack Modified PE Header Outbound
sid 2003615 format suricata
et-open bad-unknown
ET HUNTING Double User-Agent (User-Agent User-Agent)
sid 2003626 format suricata
et-open bad-unknown
ET USER_AGENTS Suspicious User-Agent (HTTP_CONNECT_)
sid 2007821 format suricata
et-open bad-unknown
ET USER_AGENTS User-Agent (Internet Explorer)
sid 2008052 format suricata
et-open bad-unknown
ET POLICY HSRP Active Router Changed
sid 2009243 format suricata
et-open bad-unknown
ET ATTACK_RESPONSE Cisco TclShell TFTP Download
sid 2009245 format suricata
et-open bad-unknown
ET POLICY Proxy TRACE Request - inbound
sid 2010766 format suricata
et-open bad-unknown
ET SCAN Open-Proxy ScannerBot (webcollage-UA)
sid 2010768 format suricata
et-open bad-unknown
ET MALWARE Incorrectly formatted User-Agent string (dashes instead of semicolons) Likely Hostile
sid 2010868 format suricata
et-open bad-unknown
ET SCAN Suspicious inbound to MSSQL port 1433
sid 2010935 format suricata
et-open bad-unknown
ET SCAN Suspicious inbound to Oracle SQL port 1521
sid 2010936 format suricata
et-open bad-unknown
ET SCAN Suspicious inbound to mySQL port 3306
sid 2010937 format suricata
et-open bad-unknown
ET SCAN Suspicious inbound to PostgreSQL port 5432
sid 2010939 format suricata
et-open bad-unknown
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
sid 2011227 format suricata
et-open bad-unknown
ET WEB_CLIENT PDF Containing Windows Commands Downloaded
sid 2011245 format suricata
et-open bad-unknown
ET WEB_CLIENT Likely Malicious PDF Containing StrReverse
sid 2011246 format suricata
et-open bad-unknown
ET WEB_CLIENT Possible PDF Launch Function Remote Code Execution Attempt with Name Representation Obfuscation
sid 2011329 format suricata T1190 ↗
et-open bad-unknown
ET WEB_CLIENT FakeAV scanner page encountered Initializing Virus Protection System
sid 2011343 format suricata
et-open bad-unknown
ET POLICY HTTP Request to a *.co.cc domain
sid 2011374 format suricata
et-open bad-unknown
ET POLICY HTTP Request to a *.cz.cc domain
sid 2011375 format suricata
et-open bad-unknown
ET INFO DNS Query for Suspicious .co.cc Domain
sid 2011409 format suricata
et-open bad-unknown
ET INFO DNS Query for Suspicious .cz.cc Domain
sid 2011410 format suricata
et-open bad-unknown
ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Cross-Origin Theft Attempt
sid 2011472 format suricata
et-open bad-unknown
ET HUNTING Suspicious Percentage Symbol Usage in FTP Username
sid 2011487 format suricata
et-open bad-unknown
ET HUNTING Suspicious Quotation Mark Usage in FTP Username
sid 2011488 format suricata
et-open bad-unknown
ET WEB_CLIENT PDF With Embedded Adobe Shockwave Flash Possibly Related to Remote Code Execution Attempt
sid 2011499 format suricata T1190 ↗
et-open bad-unknown
ET WEB_CLIENT PDF With Embedded Flash Possible Remote Code Execution Attempt
sid 2011505 format suricata T1190 ↗
et-open bad-unknown
ET POLICY PDF With Embedded File
sid 2011507 format suricata
et-open bad-unknown
ET WEB_CLIENT PDF Name Representation Obfuscation of /Subtype
sid 2011528 format suricata
et-open bad-unknown
ET WEB_CLIENT PDF Name Representation Obfuscation of Action
sid 2011529 format suricata
et-open bad-unknown
ET WEB_CLIENT PDF Name Representation Obfuscation of Pages
sid 2011536 format suricata
et-open bad-unknown
ET POLICY Vulnerable Java Version 1.5.x Detected
sid 2011581 format suricata
et-open bad-unknown
ET POLICY Vulnerable Java Version 1.6.x Detected
sid 2011582 format suricata
et-open bad-unknown
ET POLICY Vulnerable Java Version 1.4.x Detected
sid 2011584 format suricata
et-open bad-unknown
ET HUNTING Abnormal User-Agent No space after colon - Likely Hostile
sid 2011800 format suricata
et-open bad-unknown
ET DNS DNS Lookup for localhost.DOMAIN.TLD
sid 2011802 format suricata
et-open bad-unknown
ET HUNTING Zero Content-Length HTTP POST with data (outbound)
sid 2011819 format suricata
et-open bad-unknown
ET INFO Embedded Executable File in PDF - This Program Cannot Be Run in DOS Mode
sid 2011865 format suricata
et-open bad-unknown
ET WEB_CLIENT Possible Javascript obfuscation using app.setTimeOut in PDF in Order to Run Code
sid 2011868 format suricata
et-open bad-unknown
ET MALWARE Suspicious flash_player.exe Download
sid 2011982 format suricata
et-open bad-unknown
ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding
sid 2012041 format suricata
et-open bad-unknown
ET WEB_CLIENT Hex Obfuscation of String.fromCharCode %u UTF-8 Encoding
sid 2012042 format suricata
et-open bad-unknown
ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding
sid 2012043 format suricata
et-open bad-unknown
ET WEB_CLIENT Hex Obfuscation of charCodeAt %u UTF-8 Encoding
sid 2012044 format suricata
et-open bad-unknown
ET WEB_CLIENT Hex Obfuscation of document.write % Encoding
sid 2012059 format suricata
et-open bad-unknown
ET WEB_CLIENT Hex Obfuscation of document.write %u UTF-8 Encoding
sid 2012060 format suricata
et-open bad-unknown
ET WEB_CLIENT Hex Obfuscation of arguments.callee % Encoding
sid 2012061 format suricata
et-open bad-unknown
ET WEB_CLIENT Hex Obfuscation of arguments.callee %u UTF-8 Encoding
sid 2012062 format suricata
Showing 1-50 of 6,432
Prev 1 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Detection coverage workspace
Saved stacks
SIEM query builder
Detection rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Ransomware groups
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Detection coverage Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh