[Oisf-users] Rule Sets used?

Cooper F. Nelson cnelson at ucsd.edu
Mon Jan 27 20:08:57 UTC 2020

The ETPRO rules should be considered a 'meta' ruleset, as they combine 
feeds from multiple sources, community rules and 'premium' rules from 
Proofpoint.  A good datapoint to consider is that we (UCSD) are a 
'messy' network and running the full 49k+ feed against all hosts results 
in about 8-9k rules triggering per 30-day window, which shows how mature 
their threat intel. process it.  When we miss something its usually a 
'zero day' malware variant (no hits on VirusTotal), which is a hard problem.

What I've been looking at recently is integrating suricata's file 
extraction capabilities with yara and it's rules:



On 1/27/2020 9:34 AM, David Decker wrote:
> What are the general rules most folks use for Suricata?
> I know ET rules are popular, but do folks use the Snort 
> Subscriber/Community ect?
> Also any other ones (besides customs) that might be good to look at?
> Thanks
> X
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: https://urldefense.com/v3/__http://suricata-ids.org__;!!Mih3wA!TwNyQ1YrxCZ8nDX3bsZPuA301Id6qlUC89Da28iC0XlDUBAxbBzO4qyefdbLCj0$  | Support: https://urldefense.com/v3/__http://suricata-ids.org/support/__;!!Mih3wA!TwNyQ1YrxCZ8nDX3bsZPuA301Id6qlUC89Da28iC0XlDUBAxbBzO4qyeC6o7GSw$
> List: https://urldefense.com/v3/__https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users__;!!Mih3wA!TwNyQ1YrxCZ8nDX3bsZPuA301Id6qlUC89Da28iC0XlDUBAxbBzO4qyewx3TQco$
> Conference: https://urldefense.com/v3/__https://suricon.net__;!!Mih3wA!TwNyQ1YrxCZ8nDX3bsZPuA301Id6qlUC89Da28iC0XlDUBAxbBzO4qyeyBEUfo8$
> Trainings: https://urldefense.com/v3/__https://suricata-ids.org/training/__;!!Mih3wA!TwNyQ1YrxCZ8nDX3bsZPuA301Id6qlUC89Da28iC0XlDUBAxbBzO4qye5uV1ym0$

Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20200127/9bc52b7a/attachment.html>

More information about the Oisf-users mailing list