Home/Detection rules/Suricata / ET-open
Tool
Network IDS

Suricata / ET-open

48,683 rules · network intrusion-detection signatures
Network intrusion-detection signatures from open rulesets (ET Open, Snort Community, abuse.ch). These match malicious traffic patterns on the wire. A rule name links to its upstream reference where the ruleset publishes one; rules without a public reference show as plain text.
Class All trojan-activitydomain-c2bad-unknownweb-application-attackmisc-activitycommand-and-controlattempted-adminexploit-kitsocial-engineeringcredential-theftattempted-usertargeted-activityattempted-reconpup-activity
Using these IDS signatures
Deploy. Load them into a Suricata or Snort sensor and reload the ruleset; the sensor inspects traffic inline or from a tap or SPAN port and alerts (or drops) the moment a packet matches.
Adapt. Set the action per rule (alert vs drop), make sure the sensor actually sees the traffic in question - TLS payloads need decryption first - and silence noisy signatures that do not fit your network.
Scope. These catch malicious patterns on the wire: C2 beacons, exploit attempts, known-bad hosts. Pair them with endpoint and log detection, since encrypted or host-local activity never crosses the sensor.

Rules

50 shown of 48,683
et-open web-application-attack
ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID INSERT
sid 2004913 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID DELETE
sid 2004914 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID ASCII
sid 2004915 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID UPDATE
sid 2004916 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat SELECT
sid 2004917 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UNION SELECT
sid 2004918 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat INSERT
sid 2004919 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat DELETE
sid 2004920 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat ASCII
sid 2004921 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UPDATE
sid 2004923 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid SELECT
sid 2004924 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid UNION SELECT
sid 2004925 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid INSERT
sid 2004926 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid DELETE
sid 2004927 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid ASCII
sid 2004928 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid UPDATE
sid 2004929 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id SELECT
sid 2004930 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UNION SELECT
sid 2004931 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id INSERT
sid 2004932 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id DELETE
sid 2004933 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id ASCII
sid 2004934 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UPDATE
sid 2004935 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname SELECT
sid 2004936 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UNION SELECT
sid 2004937 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname INSERT
sid 2004938 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname DELETE
sid 2004939 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname ASCII
sid 2004940 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UPDATE
sid 2004941 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail SELECT
sid 2004942 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UNION SELECT
sid 2004943 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail INSERT
sid 2004945 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail DELETE
sid 2004946 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail ASCII
sid 2004947 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UPDATE
sid 2004948 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite SELECT
sid 2004949 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UNION SELECT
sid 2004950 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite INSERT
sid 2004951 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite DELETE
sid 2004952 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite ASCII
sid 2004953 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UPDATE
sid 2004954 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment SELECT
sid 2004955 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UNION SELECT
sid 2004956 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment INSERT
sid 2004957 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment DELETE
sid 2004958 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment ASCII
sid 2004959 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UPDATE
sid 2004960 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UNION SELECT
sid 2004962 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id SELECT
sid 2004967 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UNION SELECT
sid 2004968 format suricata T1190 ↗
et-open web-application-attack
ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id INSERT
sid 2004969 format suricata T1190 ↗
Showing 1101-1150 of 48,683
Prev 23 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Detection coverage workspace
Saved stacks
SIEM query builder
Detection rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Ransomware groups
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Detection coverage Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh