Home/Network IDS rules
IDS / IPS

Network IDS rules

6,731 rules · Snort / Suricata signatures
Network intrusion-detection signatures from open rulesets (ET Open, Snort Community, abuse.ch). These match malicious traffic patterns on the wire. A rule name links to its upstream reference where the ruleset publishes one; rules without a public reference show as plain text.
Ruleset All et-opensnort-community
Class All trojan-activitydomain-c2bad-unknownweb-application-attackmisc-activitycommand-and-controlattempted-adminexploit-kitsocial-engineeringcredential-theftattempted-usertargeted-activityattempted-reconpup-activity

Rules

50 shown of 6,731
et-open domain-c2
ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Likely Shylock/URLzone/Gootkit/Zeus Panda C2)
sid 2015560 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Likely Malicious SSL Cert With Script Tags
sid 2018768 format suricata T1071 ↗
et-open domain-c2
ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected
sid 2021938 format suricata T1071 ↗
et-open domain-c2
ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)
sid 2022100 format suricata T1587 ↗
et-open domain-c2
ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)
sid 2022101 format suricata T1071 ↗
et-open domain-c2
ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)
sid 2022102 format suricata T1071 ↗
et-open domain-c2
ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Bancos/DarkTequila CnC)
sid 2022209 format suricata T1071 ↗
et-open domain-c2
ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Bancos/DarkTequila CnC)
sid 2022211 format suricata T1071 ↗
et-open domain-c2
ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit MITM)
sid 2022229 format suricata T1071 ↗
et-open domain-c2
ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)
sid 2022234 format suricata T1071 ↗
et-open domain-c2
ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
sid 2022279 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Malicious SSL certificate detected (Possible Sinkhole)
sid 2022323 format suricata T1587 ↗
et-open domain-c2
ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
sid 2022627 format suricata T1071 ↗
et-open domain-c2
ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)
sid 2022919 format suricata T1587 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (OSX/Calender 2 Mining)
sid 2025424 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (Bancos Variant CnC)
sid 2025433 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (CoreBot C2)
sid 2025485 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (Coin-Hive In Browser Mining)
sid 2025536 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (Coinhive URL Shortener)
sid 2025582 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (OilRig QUADAGENT CnC)
sid 2025892 format suricata T1587 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (MICROPSIA CnC Domain)
sid 2025918 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (Panda Banker C2)
sid 2025995 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (Panda Banker Injects)
sid 2025996 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (MageCart Exfil Domain)
sid 2026110 format suricata T1587 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (MageCart Exfil)
sid 2026112 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (MageCart Exfil Domain)
sid 2026215 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (Win32/Gadwats Banker CnC Domain)
sid 2026467 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (Win32/Gadwats Banker CnC Domain)
sid 2026468 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (MageCart Group 1/2 CnC)
sid 2026589 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (MageCart Group 1/2 Staging Domain)
sid 2026590 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (MageCart Group 3 Staging Domain)
sid 2026591 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (MageCart Group 3 Staging Domain)
sid 2026592 format suricata T1587 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)
sid 2026593 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)
sid 2026594 format suricata T1587 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)
sid 2026595 format suricata T1587 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)
sid 2026596 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)
sid 2026597 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)
sid 2026598 format suricata T1587 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)
sid 2026599 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)
sid 2026600 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)
sid 2026601 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)
sid 2026602 format suricata T1587 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (MageCart Group 5 Staging Domain)
sid 2026603 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (Ursnif Inject Domain)
sid 2026615 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)
sid 2026616 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (APT29)
sid 2026618 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)
sid 2026666 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)
sid 2026667 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)
sid 2026668 format suricata T1071 ↗
et-open domain-c2
ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)
sid 2026669 format suricata T1071 ↗
Showing 1-50 of 6,731
Prev 1 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Coverage workspace
Detection coverage
Coverage check
Telemetry ceiling
SIEM query builder
Sigma rules
SIEM rules
YARA rules
Network rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh