-# Ruleset for registered sourcefire users.
-registered = https://www.snort.org/rules/snortrules-snapshot-29120.tar.gz?oinkcode=<oinkcode>
+package IDS::Ruleset;
-# Ruleset for registered sourcefire users with valid subscription.
-subscripted = https://www.snort.org/rules/snortrules-snapshot-29120.tar.gz?oinkcode=<oinkcode>
+# This file contains the supported ruleset providers.
+#
+# Each one is defined as a hash in the main hash.
+# It's name acts as handle/key and the key/value pair acts as data part.
+# So the structure is like the following:
+#
+# handle => {
+# summary => A short summary of the service. This also will be shown if no translation string is available for the WUI.
+# website => The website of the ruleset provider.
+# tr_string => The translation string which is used by the WUI and part of the language files.
+# requires_subscription => "True/False" - If some kind of registration code is required in order to download the ruleset.
+# dl_url => The download URL to grab the ruleset.
+# dl_type => "archive/plain" - To specify, if the downloaded file is a packed archive or a plain text file.
+# },
-# Community rules from sourcefire.
-community = https://www.snort.org/rules/community
+# Hash which contains the supported ruleset providers.
+our %Providers = (
+ # Ruleset for registered sourcefire users.
+ registered => {
+ summary => "Talos VRT rules for registered users",
+ website => "https://www.snort.org",
+ tr_string => "registered user rules",
+ requires_subscription => "True",
+ dl_url => "https://www.snort.org/rules/snortrules-snapshot-29200.tar.gz?oinkcode=<subscription_code>",
+ dl_type => "archive",
+ },
-# Emerging threads community rules.
-emerging = https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
+ # Ruleset for registered sourcefire users with a valid subsription.
+ subscripted => {
+ summary => "Talos VRT rules with subscription",
+ website => "https://www.snort.org",
+ tr_string => "subscripted user rules",
+ requires_subscription => "True",
+ dl_url => "https://www.snort.org/rules/snortrules-snapshot-29200.tar.gz?oinkcode=<subscription_code>",
+ dl_type => "archive",
+ },
-# Emerging threads pro rules.
-emerging_pro = https://rules.emergingthreatspro.com/<oinkcode>/suricata-4.0/etpro.rules.tar.gz
+ # Community rules from sourcefire.
+ community => {
+ summary => "Snort/VRT GPLv2 Community Rules",
+ website => "https://www.snort.org",
+ tr_string => "community rules",
+ requires_subscription => "False",
+ dl_url => "https://www.snort.org/downloads/community/community-rules.tar.gz",
+ dl_type => "archive",
+ },
+ # Emerging threads community rules.
+ emerging => {
+ summary => "Emergingthreats.net Community Rules",
+ website => "https://emergingthreats.net/",
+ tr_string => "emerging rules",
+ requires_subscription => "False",
+ dl_url => "https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz",
+ dl_type => "archive",
+ },
+
+ # Emerging threads Pro rules.
+ emerging_pro => {
+ summary => "Emergingthreats.net Pro Rules",
+ website => "https://emergingthreats.net/",
+ tr_string => "emerging pro rules",
+ requires_subscription => "True",
+ dl_url => "https://rules.emergingthreatspro.com/<subscription_code>/suricata-5.0/etpro.rules.tar.gz",
+ dl_type => "archive",
+ },
+
+ # Abuse.ch SSLBL Blacklist rules.
+ sslbl_blacklist => {
+ summary => "Abuse.ch SSLBL Blacklist Rules",
+ website => "https://sslbl.abuse.ch/",
+ tr_string => "sslbl blacklist rules",
+ requires_subscription => "False",
+ dl_url => "https://sslbl.abuse.ch/blacklist/sslblacklist.rules",
+ dl_type => "plain",
+ },
+
+ # Etnetera Aggressive Blacklist.
+ etnetera_aggressive => {
+ summary => "Etnetera Aggressive Blacklist Rules",
+ website => "https://security.etnetera.cz/",
+ tr_string => "etnetera aggressive blacklist rules",
+ requires_subscription => "False",
+ dl_url => "https://security.etnetera.cz/feeds/etn_aggressive.rules",
+ dl_type => "plain",
+ },
+
+ # OISF Traffic ID rules.
+ oisf_trafficid => {
+ summary => "OISF Traffic ID Rules",
+ website => "https://www.openinfosecfoundation.org/",
+ tr_string => "oisf traffic id rules",
+ requires_subscription => "False",
+ dl_url => "https://openinfosecfoundation.org/rules/trafficid/trafficid.rules",
+ dl_type => "plain",
+ },
+
+ # Positive Technologies Attack Detection Team rules.
+ attack_detection => {
+ summary => "PT Attack Detection Team Rules",
+ website => "https://github.com/ptresearch/AttackDetection",
+ tr_string => "attack detection team rules",
+ },
+
+ # Secureworks Security rules.
+ secureworks_security => {
+ summary => "Secureworks Security Ruleset",
+ website => "https://www.secureworks.com",
+ tr_string => "secureworks security ruleset",
+ },
+
+ # Secureworks Malware rules.
+ secureworks_malware => {
+ summary => "Secureworks Malware Ruleset",
+ website => "https://www.secureworks.com",
+ tr_string => "secureworks malware ruleset",
+ },
+
+ # Secureworks Enhanced rules.
+ secureworks_enhanced => {
+ summary => "Secureworks Enhanced Ruleset",
+ website => "https://www.secureworks.com",
+ tr_string => "secureworks enhanced ruleset",
+ },
+
+ # ThreatFox
+ threatfox => {
+ summary => "ThreatFox Indicators Of Compromise Rules",
+ website => "https://threatfox.abuse.ch/",
+ tr_string => "threatfox rules",
+ requires_subscription => "False",
+ dl_url => "https://threatfox.abuse.ch/downloads/threatfox_suricata.rules",
+ dl_type => "plain",
+ },
+
+ # Travis B. Green hunting rules.
+ tgreen => {
+ summary => "Travis Green - Hunting rules",
+ website => "https://github.com/travisbgreen/hunting-rules",
+ tr_string => "travis green hunting rules",
+ requires_subscription => "False",
+ dl_url => "https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules",
+ dl_type => "plain",
+ },
+);