<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
<p>The ETPRO rules should be considered a 'meta' ruleset, as they
      combine feeds from multiple sources, community rules and 'premium'
      rules from Proofpoint.  A good datapoint to consider is that we
      (UCSD) are a 'messy' network and running the full 49k+ feed
      against all hosts results in about 8-9k rules triggering per
      30-day window, which shows how mature their threat intel. process
      is.  When we miss something it's usually a 'zero day' malware
      variant (no hits on VirusTotal), which is a hard problem.<br>
    </p>
<p>What I've been looking at recently is integrating suricata's file
      extraction capabilities with yara and its rules:</p>
    <p><a href="https://github.com/Yara-Rules/rules">https://github.com/Yara-Rules/rules</a></p>
    <p>-Coop<br>
    </p>
    <div class="moz-cite-prefix">On 1/27/2020 9:34 AM, David Decker
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAE44EXFAO5vg62DXCqipFJhw5n1tnQeyo7Jd-AkG7_S2i+dKsg@mail.gmail.com">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <div dir="ltr">What are the general rules most folks use for
        Suricata?  
        <div><br>
        </div>
<div>I know ET rules are popular, but do folks use the Snort
          Subscriber/Community etc.?  </div>
        <div><br>
        </div>
        <div>Also any other ones (besides customs) that might be good to
          look at?</div>
        <div><br>
        </div>
        <div>Thanks</div>
        <div>X</div>
      </div>
      <br>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>
List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>

Conference: <a class="moz-txt-link-freetext" href="https://suricon.net">https://suricon.net</a>
Trainings: <a class="moz-txt-link-freetext" href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a></pre>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
<a class="moz-txt-link-abbreviated" href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042</pre>
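<p>Wiring Suricata's file extraction to YARA, as an added example that is not from this thread or from the Yara-Rules project: it reads fileinfo events from eve.json, resolves each stored file's file-store v2 path, and scans it with the yara command-line tool. The eve.json field names, the filestore layout and the yara CLI invocation are assumptions; the eve.json lines are constructed.</p>

```python
# Added example: scan Suricata-extracted files with YARA. Assumes eve.json
# 'fileinfo' events carry 'sha256' and 'stored', file-store v2 places each
# file at <filestore>/<sha256[:2]>/<sha256>, and the 'yara' CLI is installed.
import json
import os
import subprocess

# Constructed eve.json lines (not real traffic): a stored file, a file seen
# but not stored, an unrelated alert, and a torn trailing line.
SAMPLE_EVE = """\
{"event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","app_proto":"http","fileinfo":{"filename":"/downloads/tool.exe","sha256":"ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12","stored":true,"size":4096}}
{"event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","app_proto":"http","fileinfo":{"filename":"/index.html","sha256":"cd34cd34cd34cd34cd34cd34cd34cd34cd34cd34cd34cd34cd34cd34cd34cd34","stored":false,"size":512}}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":2000001}}
{"event_type":"fileinfo","fileinfo":{"filename":"/partial"""

def stored_files(eve_lines):
    """Return fileinfo events for files Suricata actually wrote to the filestore."""
    out = []
    for line in eve_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json is append-only; a torn last line is normal
        fi = ev.get("fileinfo") or {}
        if ev.get("event_type") == "fileinfo" and fi.get("stored") and fi.get("sha256"):
            out.append(ev)
    return out

def filestore_path(filestore_dir, sha256):
    """Map a sha256 to its file-store v2 location: <dir>/<2-hex prefix>/<sha256>."""
    sha256 = sha256.lower()
    if len(sha256) != 64 or any(c not in "0123456789abcdef" for c in sha256):
        raise ValueError("not a sha256 hex digest: %r" % sha256)
    return os.path.join(filestore_dir, sha256[:2], sha256)

def yara_scan(rules_file, path):
    """Run the yara CLI on one extracted file; return names of matching rules."""
    proc = subprocess.run(["yara", "-w", rules_file, path], capture_output=True, text=True)
    if proc.returncode != 0:  # yara exits 0 even with no matches; non-zero is an error
        raise RuntimeError(proc.stderr.strip() or "yara failed")
    return [ln.split(" ", 1)[0] for ln in proc.stdout.splitlines() if ln.strip()]

def scan_extracted(eve_path, filestore_dir, rules_file):
    """Scan every stored file referenced by eve.json; map its path to matched rules."""
    hits = {}
    with open(eve_path) as fh:
        for ev in stored_files(fh):
            path = filestore_path(filestore_dir, ev["fileinfo"]["sha256"])
            if os.path.isfile(path):  # file may already have been pruned from the store
                hits[path] = yara_scan(rules_file, path)
    return hits
```

Only files with <code>stored: true</code> are scanned, so the matching Suricata config must have file-store enabled for the protocols of interest.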
  </body>
</html>