[PATCH] ruleset-sources: removal of PT Attack & Secureworks + addition of ThreatFox

[PATCH] ruleset-sources: removal of PT Attack & Secureworks + addition of ThreatFox

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 3564 bytes --]

- The PT Attack ruleset has not been updated since 2021 and made read-only in 2022
   The PT Attack website no longer has any reference to Suricata Rulesets. The PT Attack
   ruleset is being removed.
- The Secureworks three rulesets are no longer available. The website path gives a 404
   error. No mention of Suricata rulesets in the Secureworks website. The Secureworks three
   rulesets are being removed.
- ThreatFox ruleset has been added to the list. Both a plain and archive version of the
   rules are available but the plain version is being regularly updated while the archive
   version was last updated 5 days ago. So this patch has implemented the plain version.
- All above was discussed in the January Developers Conference call.
- Tested out on my vm testbed. I had PT Attack selected as one of the providers. As
   mentioned by Stefan removing PT Attack means it is not available in the list of
   providers but the provider stays in the providers table but with the line shown in red.
   I will update the wiki to mention the red highlight and what it means.

Suggested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 config/suricata/ruleset-sources | 44 ++++++---------------------------
 1 file changed, 7 insertions(+), 37 deletions(-)

diff --git a/config/suricata/ruleset-sources b/config/suricata/ruleset-sources
index 14d1b865f..2b3b4ffcb 100644
--- a/config/suricata/ruleset-sources
+++ b/config/suricata/ruleset-sources
@@ -97,44 +97,14 @@ our %Providers = (
 		dl_type => "plain",
 	},
 
-	# Positive Technologies Attack Detection Team rules.
-	attack_detection => {
-		summary => "PT Attack Detection Team Rules",
-		website => "https://github.com/ptresearch/AttackDetection",
-		tr_string => "attack detection team rules",
+	# ThreatFox
+	threatfox => {
+		summary => "ThreatFox Indicators Of Compromise Rules",
+		website => "https://threatfox.abuse.ch/",
+		tr_string => "threatfox rules",
 		requires_subscription => "False",
-		dl_url => "https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz",
-		dl_type => "archive",
-	},
-
-	# Secureworks Security rules.
-	secureworks_security => {
-		summary => "Secureworks Security Ruleset",
-		website => "https://www.secureworks.com",
-		tr_string => "secureworks security ruleset",
-		requires_subscription => "True",
-		dl_url => "https://ws.secureworks.com/ti/ruleset/<subscription_code>/Suricata_suricata-security_latest.tgz",
-		dl_type => "archive",
-	},
-
-	# Secureworks Malware rules.
-	secureworks_malware => {
-		summary => "Secureworks Malware Ruleset",
-		website => "https://www.secureworks.com",
-		tr_string => "secureworks malware ruleset",
-		requires_subscription => "True",
-		dl_url => "https://ws.secureworks.com/ti/ruleset/<subscription_code>/Suricata_suricata-malware_latest.tgz",
-		dl_type => "archive",
-	},
-
-	# Secureworks Enhanced rules.
-	secureworks_enhanced => {
-		summary => "Secureworks Enhanced Ruleset",
-		website => "https://www.secureworks.com",
-		tr_string => "secureworks enhanced ruleset",
-		requires_subscription => "True",
-		dl_url => "https://ws.secureworks.com/ti/ruleset/<subscription_code>/Suricata_suricata-enhanced_latest.tgz",
-		dl_type => "archive",
+		dl_url => "https://threatfox.abuse.ch/downloads/threatfox_suricata.rules",
+		dl_type => "plain",
 	},
 
 	# Travis B. Green hunting rules.
-- 
2.43.2