Home/Network IDS rules
IDS / IPS

Network IDS rules

714 rules · Snort / Suricata signatures
Network intrusion-detection signatures from open rulesets (ET Open, Snort Community, abuse.ch). These match malicious traffic patterns on the wire. A rule name links to its upstream reference where the ruleset publishes one; rules without a public reference show as plain text.
Ruleset All et-opensnort-community
Class All trojan-activitydomain-c2bad-unknownweb-application-attackmisc-activitycommand-and-controlattempted-adminexploit-kitsocial-engineeringcredential-theftattempted-usertargeted-activityattempted-reconpup-activity

Rules

50 shown of 714
et-open attempted-recon
ET SCAN Potential SSH Scan
sid 2001219 format suricata
et-open attempted-recon
ET SCAN Nessus User Agent
sid 2002664 format suricata
et-open attempted-recon
ET POLICY Possible Web Crawl using Wget
sid 2002823 format suricata
et-open attempted-recon
ET POLICY POSSIBLE Web Crawl using Curl
sid 2002825 format suricata
et-open attempted-recon
ET POLICY POSSIBLE Crawl using Fetch
sid 2002827 format suricata
et-open attempted-recon
ET SCAN Potential VNC Scan 5800-5820
sid 2002910 format suricata
et-open attempted-recon
ET POLICY Possible Web Crawl - libwww-perl User Agent
sid 2002935 format suricata
et-open attempted-recon
ET POLICY python.urllib User Agent Web Crawl
sid 2002943 format suricata
et-open attempted-recon
ET SCAN Potential SSH Scan OUTBOUND
sid 2003068 format suricata
et-open attempted-recon
ET SCAN IBM NSA User Agent
sid 2003171 format suricata
et-open attempted-recon
ET SCAN w3af User Agent
sid 2007757 format suricata
et-open attempted-recon
ET SCAN Internal to Internal UPnP Request tcp port 2555
sid 2008092 format suricata
et-open attempted-recon
ET SCAN External to Internal UPnP Request tcp port 2555
sid 2008093 format suricata
et-open attempted-recon
ET SCAN External to Internal UPnP Request udp port 1900
sid 2008094 format suricata
et-open attempted-recon
ET SCAN Paros Proxy Scanner Detected
sid 2008187 format suricata
et-open attempted-recon
ET SCAN Watchfire AppScan Web App Vulnerability Scanner
sid 2008311 format suricata
et-open attempted-recon
ET SCAN DEBUG Method Request with Command
sid 2008312 format suricata
et-open attempted-recon
ET SCAN Cisco Torch TFTP Scan
sid 2008414 format suricata
et-open attempted-recon
ET SCAN Cisco Torch IOS HTTP Scan
sid 2008415 format suricata
et-open attempted-recon
ET SCAN Httprint Web Server Fingerprint Scan
sid 2008416 format suricata
et-open attempted-recon
ET SCAN Wapiti Web Server Vulnerability Scan
sid 2008417 format suricata
et-open attempted-recon
ET SCAN Smap VOIP Device Scan
sid 2008526 format suricata
et-open attempted-recon
ET SCAN Hmap Webserver Fingerprint Scan
sid 2008537 format suricata
et-open attempted-recon
ET SCAN Sqlmap SQL Injection Scan
sid 2008538 format suricata T1190 ↗
et-open attempted-recon
ET SCAN Voiper Toolkit Torturer Scan
sid 2008568 format suricata
et-open attempted-recon
ET SCAN Acunetix Version 6 Crawl/Scan Detected
sid 2008571 format suricata
et-open attempted-recon
ET SCAN Voiper Fuzzing Scan
sid 2008577 format suricata
et-open attempted-recon
ET SCAN Sipvicious Scan
sid 2008578 format suricata
et-open attempted-recon
ET SCAN Sipp SIP Stress Test Detected
sid 2008579 format suricata
et-open attempted-recon
ET SCAN Sipsak SIP scan
sid 2008598 format suricata
et-open attempted-recon
ET SCAN Stompy Web Application Session Scan
sid 2008605 format suricata
et-open attempted-recon
ET SCAN Enumiax Inter-Asterisk Exchange Protocol Username Scan
sid 2008606 format suricata
et-open attempted-recon
ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan
sid 2008609 format suricata
et-open attempted-recon
ET SCAN Sivus VOIP Vulnerability Scanner SIP Components Scan
sid 2008610 format suricata
et-open attempted-recon
ET SCAN Wikto Scan
sid 2008617 format suricata
et-open attempted-recon
ET SCAN Httprecon Web Server Fingerprint Scan
sid 2008627 format suricata
et-open attempted-recon
ET SCAN WSFuzzer Web Application Fuzzing
sid 2008628 format suricata
et-open attempted-recon
ET SCAN Wikto Backend Data Miner Scan
sid 2008629 format suricata
et-open attempted-recon
ET SCAN SIP erase_registrations/add registrations attempt
sid 2008640 format suricata
et-open attempted-recon
ET SCAN sipscan probe
sid 2008641 format suricata
et-open attempted-recon
ET SCAN SQLix SQL Injection Vector Scan
sid 2008654 format suricata T1190 ↗
et-open attempted-recon
ET SCAN Mini MySqlatOr SQL Injection Scanner
sid 2008729 format suricata T1190 ↗
et-open attempted-recon
ET POLICY IP Check whatismyip.com Automation Page
sid 2008985 format suricata
et-open attempted-recon
ET POLICY IP Check Domain (whatismyip in HTTP Host)
sid 2008986 format suricata
et-open attempted-recon
ET POLICY IP Check Domain (showip in HTTP Host)
sid 2008987 format suricata
et-open attempted-recon
ET POLICY IP Check Domain (cmyip.com in HTTP Host)
sid 2008988 format suricata
et-open attempted-recon
ET POLICY IP Check Domain (showmyip in HTTP Host)
sid 2008989 format suricata
et-open attempted-recon
ET POLICY IP Check Domain (whatismyip in HTTP Host)
sid 2009020 format suricata
et-open attempted-recon
ET SCAN SQLNinja MSSQL Version Scan
sid 2009038 format suricata
et-open attempted-recon
ET SCAN SQLNinja MSSQL XPCmdShell Scan
sid 2009039 format suricata
Showing 1-50 of 714
Prev 1 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Coverage workspace
Detection coverage
Coverage check
Telemetry ceiling
SIEM query builder
Sigma rules
SIEM rules
YARA rules
Network rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh