From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] ruleset-sources: removal of PT Attack & Secureworks + addition of ThreatFox
Date: Thu, 15 Feb 2024 13:58:35 +0100
Message-ID: <20240215125835.7874-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5261476423903415581=="
List-Id:

--===============5261476423903415581==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

- The PT Attack ruleset has not been updated since 2021 and was made read-only in 2022.
  The PT Attack website no longer has any reference to Suricata rulesets. The PT Attack ruleset is being removed.
- The three Secureworks rulesets are no longer available. The website path gives a 404 error.
  There is no mention of Suricata rulesets on the Secureworks website. The three Secureworks rulesets are being removed.
- The ThreatFox ruleset has been added to the list. Both a plain and an archive version of the rules are available, but the plain version is being regularly updated while the archive version was last updated 5 days ago. So this patch has implemented the plain version.
- All of the above was discussed in the January Developers Conference call.
- Tested out on my vm testbed. I had PT Attack selected as one of the providers. As mentioned by Stefan, removing PT Attack means it is not available in the list of providers, but the provider stays in the providers table with the line shown in red. I will update the wiki to mention the red highlight and what it means.

Suggested-by: Stefan Schantl
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 config/suricata/ruleset-sources | 44 ++++++--------------------------
 1 file changed, 7 insertions(+), 37 deletions(-)

diff --git a/config/suricata/ruleset-sources b/config/suricata/ruleset-sources
index 14d1b865f..2b3b4ffcb 100644
--- a/config/suricata/ruleset-sources
+++ b/config/suricata/ruleset-sources
@@ -97,44 +97,14 @@ our %Providers =3D ( dl_type =3D> "plain", }, =20 - # Positive Technologies Attack Detection Team rules. - attack_detection =3D> { - summary =3D> "PT Attack Detection Team Rules", - website =3D> "https://github.com/ptresearch/AttackDetection", - tr_string =3D> "attack detection team rules", + # ThreatFox + threatfox =3D> { + summary =3D> "ThreatFox Indicators Of Compromise Rules", + website =3D> "https://threatfox.abuse.ch/", + tr_string =3D> "threatfox rules", requires_subscription =3D> "False", - dl_url =3D> "https://raw.githubusercontent.com/ptresearch/AttackDetection/= master/pt.rules.tar.gz", - dl_type =3D> "archive", - }, - - # Secureworks Security rules. - secureworks_security =3D> { - summary =3D> "Secureworks Security Ruleset", - website =3D> "https://www.secureworks.com", - tr_string =3D> "secureworks security ruleset", - requires_subscription =3D> "True", - dl_url =3D> "https://ws.secureworks.com/ti/ruleset//Sur= icata_suricata-security_latest.tgz", - dl_type =3D> "archive", - }, - - # Secureworks Malware rules. - secureworks_malware =3D> { - summary =3D> "Secureworks Malware Ruleset", - website =3D> "https://www.secureworks.com", - tr_string =3D> "secureworks malware ruleset", - requires_subscription =3D> "True", - dl_url =3D> "https://ws.secureworks.com/ti/ruleset//Sur= icata_suricata-malware_latest.tgz", - dl_type =3D> "archive", - }, - - # Secureworks Enhanced rules. - secureworks_enhanced =3D> { - summary =3D> "Secureworks Enhanced Ruleset", - website =3D> "https://www.secureworks.com", - tr_string =3D> "secureworks enhanced ruleset", - requires_subscription =3D> "True", - dl_url =3D> "https://ws.secureworks.com/ti/ruleset//Sur= icata_suricata-enhanced_latest.tgz", - dl_type =3D> "archive", + dl_url =3D> "https://threatfox.abuse.ch/downloads/threatfox_suricata.rules= ", + dl_type =3D> "plain", }, =20 # Travis B. Green hunting rules. --=20 2.43.2 --===============5261476423903415581==--
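Review bot: the new `tr_string =3D> "threatfox rules"` line introduces a translation key, but the patch only touches config/suricata/ruleset-sources, so please check that the language files get a matching "threatfox rules" entry (or that the web UI copes with an untranslated key) before this is merged. Also, because the four removed keys (attack_detection, secureworks_security, secureworks_malware, secureworks_enhanced) can still be present in an existing providers table, as the commit message describes with the red highlight, it is worth confirming that the ruleset update path skips any provider whose key is no longer in %Providers rather than attempting a download against the dead URLs; the promised wiki note on the red highlight covers the user-facing side of that.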