[Oisf-users] Rule Sets used?
Cooper F. Nelson
cnelson at ucsd.edu
Mon Jan 27 20:08:57 UTC 2020
The ETPRO rules should be considered a 'meta' ruleset, as they combine
feeds from multiple sources, community rules and 'premium' rules from
Proofpoint. A good datapoint to consider is that we (UCSD) are a
'messy' network and running the full 49k+ feed against all hosts results
in about 8-9k rules triggering per 30-day window, which shows how mature
their threat intel process is. When we miss something it's usually a
'zero day' malware variant (no hits on VirusTotal), which is a hard problem.
What I've been looking at recently is integrating Suricata's file
extraction capabilities with yara and its rules:
https://github.com/Yara-Rules/rules
-Coop
On 1/27/2020 9:34 AM, David Decker wrote:
> What are the general rules most folks use for Suricata?
>
> I know ET rules are popular, but do folks use the Snort
> Subscriber/Community etc.?
>
> Also any other ones (besides customs) that might be good to look at?
>
> Thanks
> X
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
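The Suricata file-extraction plus YARA integration Coop mentions, as an added example (not code from the post, from Suricata or from the Yara-Rules project): it reads EVE JSON `fileinfo` events, maps each stored file's sha256 to its path in a filestore v2 directory, and runs the `yara` CLI over it. It assumes the Suricata 5.x filestore v2 layout (`filestore/<first two hex of sha256>/<sha256>`), `fileinfo` events carrying `sha256` and `stored` fields, and a `yara` binary on PATH; the sample EVE lines are constructed.

```python
"""Scan files extracted by Suricata's file-store against YARA rules.

Assumptions (not from the original post): Suricata 5.x filestore v2 layout,
EVE JSON 'fileinfo' events with 'sha256' and 'stored', and a 'yara' CLI on PATH.
"""
import json
import subprocess
from pathlib import Path


def filestore_path(filestore_dir, sha256):
    """Map a fileinfo sha256 to its on-disk path: <dir>/<first 2 hex>/<sha256>."""
    sha256 = sha256.lower()
    return Path(filestore_dir) / sha256[:2] / sha256


def stored_files_from_eve(eve_lines):
    """Yield (sha256, filename, src_ip) for fileinfo events whose file was stored."""
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "fileinfo":
            continue
        fi = ev.get("fileinfo", {})
        if fi.get("stored") and fi.get("sha256"):
            yield fi["sha256"], fi.get("filename", ""), ev.get("src_ip", "")


def yara_matches(rules_path, target):
    """Run the yara CLI on one file; return the names of matching rules."""
    proc = subprocess.run(["yara", "-w", str(rules_path), str(target)],
                          capture_output=True, text=True, check=False)
    # yara prints one "rule_name /path/to/file" line per match
    return [ln.split(" ", 1)[0] for ln in proc.stdout.splitlines() if ln.strip()]


def scan_eve(eve_lines, filestore_dir, rules_path):
    """Return {sha256: [matched rule names]} for every stored file present on disk."""
    results = {}
    for sha, _name, _src in stored_files_from_eve(eve_lines):
        p = filestore_path(filestore_dir, sha)
        if p.is_file():
            results[sha] = yara_matches(rules_path, p)
    return results


# Constructed sample EVE lines (sha256 is a made-up placeholder value)
SAMPLE_SHA = "0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2
SAMPLE_EVE = [
    '{"event_type":"fileinfo","src_ip":"10.0.0.5","fileinfo":{"filename":"/update.exe","sha256":"%s","stored":true}}' % SAMPLE_SHA,
    '{"event_type":"alert","src_ip":"10.0.0.6"}',
    '{"event_type":"fileinfo","src_ip":"10.0.0.7","fileinfo":{"filename":"/index.html","stored":false}}',
]
```

Pointing `scan_eve` at a live `eve.json` and `/var/log/suricata/filestore` with the Yara-Rules `index.yar` gives a per-hash list of matches to feed into whatever alerting pipeline already consumes the EVE log.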