Home/Detection rules/Suricata / ET-open
Tool
Network IDS

Suricata / ET-open

48,683 rules · network intrusion-detection signatures
Network intrusion-detection signatures from open rulesets (ET Open, Snort Community, abuse.ch). These match malicious traffic patterns on the wire. A rule name links to its upstream reference where the ruleset publishes one; rules without a public reference show as plain text.
Class All trojan-activitydomain-c2bad-unknownweb-application-attackmisc-activitycommand-and-controlattempted-adminexploit-kitsocial-engineeringcredential-theftattempted-usertargeted-activityattempted-reconpup-activity
Using these IDS signatures
Deploy. Load them into a Suricata or Snort sensor and reload the ruleset; the sensor inspects traffic inline or from a tap or SPAN port and alerts (or drops) the moment a packet matches.
Adapt. Set the action per rule (alert vs drop), make sure the sensor actually sees the traffic in question - TLS payloads need decryption first - and silence noisy signatures that do not fit your network.
Scope. These catch malicious patterns on the wire: C2 beacons, exploit attempts, known-bad hosts. Pair them with endpoint and log detection, since encrypted or host-local activity never crosses the sensor.

Rules

50 shown of 48,683
et-open web-application-attack
ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UNION SELECT
sid 2004737 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php INSERT
sid 2004738 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php DELETE
sid 2004739 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php ASCII
sid 2004740 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UPDATE
sid 2004741 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv SELECT
sid 2004742 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UNION SELECT
sid 2004743 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv INSERT
sid 2004744 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv DELETE
sid 2004745 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv ASCII
sid 2004746 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UPDATE
sid 2004747 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic SELECT
sid 2004748 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UNION SELECT
sid 2004749 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic INSERT
sid 2004750 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic DELETE
sid 2004751 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic ASCII
sid 2004752 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UPDATE
sid 2004753 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id SELECT
sid 2004760 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UNION SELECT
sid 2004761 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id INSERT
sid 2004762 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id DELETE
sid 2004763 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id ASCII
sid 2004764 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UPDATE
sid 2004765 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php SELECT
sid 2004766 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UNION SELECT
sid 2004767 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php INSERT
sid 2004768 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php DELETE
sid 2004769 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php ASCII
sid 2004770 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UPDATE
sid 2004771 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id SELECT
sid 2004772 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UNION SELECT
sid 2004773 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id INSERT
sid 2004774 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id DELETE
sid 2004775 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id ASCII
sid 2004776 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UPDATE
sid 2004778 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username SELECT
sid 2004779 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username UNION SELECT
sid 2004780 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username INSERT
sid 2004781 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username DELETE
sid 2004782 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username ASCII
sid 2004783 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username UPDATE
sid 2004784 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username SELECT
sid 2004785 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username UNION SELECT
sid 2004786 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username INSERT
sid 2004787 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username DELETE
sid 2004788 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username ASCII
sid 2004789 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username UPDATE
sid 2004790 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP SELECT
sid 2004797 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UNION SELECT
sid 2004798 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP INSERT
sid 2004799 format suricata T1190 ↗
Showing 951-1000 of 48,683
Prev 20 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Coverage workspace
Detection coverage
Coverage check
Telemetry ceiling
SIEM query builder
Detection rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Ransomware groups
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh