Home/Detection rules/Suricata / ET-open
Tool
Network IDS

Suricata / ET-open

4,606 rules · network intrusion-detection signatures
Network intrusion-detection signatures from open rulesets (ET Open, Snort Community, abuse.ch). These match malicious traffic patterns on the wire. A rule name links to its upstream reference where the ruleset publishes one; rules without a public reference show as plain text.
Class All trojan-activitydomain-c2bad-unknownweb-application-attackmisc-activitycommand-and-controlattempted-adminexploit-kitsocial-engineeringcredential-theftattempted-usertargeted-activityattempted-reconpup-activity

Rules

50 shown of 4,606
et-open misc-activity
ET POLICY Outbound Multiple Non-SMTP Server Emails
sid 2000328 format suricata
et-open misc-activity
ET INFO IRC Nick change on non-standard port
sid 2000345 format suricata
et-open misc-activity
ET CHAT IRC authorization message
sid 2000355 format suricata
et-open misc-activity
ET SCAN ICMP PING IPTools
sid 2000575 format suricata
et-open misc-activity
ET EXPLOIT NTDump Session Established Reg-Entry port 139
sid 2001052 format suricata
et-open misc-activity
ET EXPLOIT NTDump.exe Service Started port 139
sid 2001053 format suricata
et-open misc-activity
ET EXPLOIT libPNG - Possible integer overflow in allocation in png_handle_sPLT
sid 2001195 format suricata
et-open misc-activity
ET INFO RDP - Response To External Host
sid 2001330 format suricata
et-open misc-activity
ET EXPLOIT NTDump Session Established Reg-Entry port 445
sid 2001543 format suricata
et-open misc-activity
ET EXPLOIT NTDump.exe Service Started port 445
sid 2001544 format suricata
et-open misc-activity
ET SCAN Behavioral Unusual Port 137 traffic Potential Scan or Infection
sid 2001580 format suricata
et-open misc-activity
ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection
sid 2001581 format suricata
et-open misc-activity
ET SCAN Behavioral Unusual Port 1434 traffic Potential Scan or Infection
sid 2001582 format suricata
et-open misc-activity
ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection
sid 2001583 format suricata
et-open misc-activity
ET WEB_CLIENT Encoded javascriptdocument.write - usually hostile
sid 2001811 format suricata
et-open misc-activity
ET CHAT IRC USER command
sid 2002023 format suricata
et-open misc-activity
ET CHAT IRC NICK command
sid 2002024 format suricata
et-open misc-activity
ET CHAT IRC JOIN command
sid 2002025 format suricata
et-open misc-activity
ET CHAT IRC PRIVMSG command
sid 2002026 format suricata
et-open misc-activity
ET CHAT IRC PING command
sid 2002027 format suricata
et-open misc-activity
ET CHAT IRC PONG response
sid 2002028 format suricata
et-open misc-activity
ET USER_AGENTS SideStep User-Agent
sid 2002078 format suricata
et-open misc-activity
ET POLICY Inbound Frequent Emails - Possible Spambot Inbound
sid 2002087 format suricata
et-open misc-activity
ET POLICY Wise Solutions Install Reporting via HTTP - User Agent (Wise)
sid 2002167 format suricata
et-open misc-activity
ET INFO Java Url Lib User Agent Web Crawl (Inbound)
sid 2002945 format suricata
et-open misc-activity
ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
sid 2002992 format suricata
et-open misc-activity
ET SCAN Rapid POP3S Connections - Possible Brute Force Attack
sid 2002993 format suricata
et-open misc-activity
ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
sid 2002994 format suricata
et-open misc-activity
ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack
sid 2002995 format suricata
et-open misc-activity
ET POLICY Microsoft TEREDO IPv6 tunneling
sid 2003155 format suricata
et-open misc-activity
ET SCAN NNG MS02-039 Exploit False Positive Generator - May Conceal A Genuine Attack
sid 2008560 format suricata
et-open misc-activity
ET POLICY External Unencrypted Connection To Aanval Console
sid 2008561 format suricata
et-open misc-activity
ET POLICY External Unencrypted Connection to Ossec WUI
sid 2008569 format suricata
et-open misc-activity
ET POLICY External Unencrypted Connection to BASE Console
sid 2008570 format suricata
et-open misc-activity
ET POLICY TeamViewer Keep-alive outbound
sid 2008794 format suricata
et-open misc-activity
ET POLICY TeamViewer Keep-alive inbound
sid 2008795 format suricata
et-open misc-activity
ET POLICY trymedia.com User-Agent (Macrovision_DM)
sid 2009446 format suricata
et-open misc-activity
ET POLICY Telnet to HP JetDirect Printer With No Password Set
sid 2009535 format suricata
et-open misc-activity
ET POLICY External FTP Connection TO Local HP JetDirect Printer
sid 2009536 format suricata
et-open misc-activity
ET SCAN ICMP @hello request Likely Precursor to Scan
sid 2010641 format suricata
et-open misc-activity
ET SCAN ICMP Delphi Likely Precursor to Scan
sid 2010681 format suricata
et-open misc-activity
ET POLICY Recuva File Recovery Software - Observed User-Agent
sid 2011090 format suricata
et-open misc-activity
ET WEB_CLIENT PROPFIND Flowbit Set
sid 2011456 format suricata
et-open misc-activity
ET INFO Win32/Sogou User-Agent (SOGOU_UPDATER)
sid 2011719 format suricata
et-open misc-activity
ET INFO DYNAMIC_DNS Query to 3322.org Domain
sid 2012171 format suricata
et-open misc-activity
ET POLICY Microsoft user-agent automated process response to automated request
sid 2012692 format suricata
et-open misc-activity
ET INFO DYNAMIC_DNS Query to 3322.net Domain *.8866.org
sid 2012738 format suricata
et-open misc-activity
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
sid 2012758 format suricata
et-open misc-activity
ET WEB_CLIENT Download of PDF With Uncompressed Flash Content flowbit set
sid 2012906 format suricata
et-open misc-activity
ET WEB_CLIENT Download of PDF With Compressed Flash Content
sid 2012907 format suricata
Showing 1-50 of 4,606
Prev 1 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Coverage workspace
Detection coverage
Coverage check
Telemetry ceiling
SIEM query builder
Sigma rules
SIEM rules
YARA rules
Network rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Ransomware groups
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh