Suricata PT Open Ruleset

The Attack Detection Team searches for new vulnerabilities and 0-days, reproduces it and creates PoC exploits to understand how these security flaws work and how related attacks can be detected on the network layer. Additionally, we are interested in malware and hackers’ TTPs, so we develop Suricata rules for detecting all sorts of such activities.

Structure

This repository consisting of folders with self-explanatory names contains Suricata rules, PoC exploits, and traffic samples in zip archives with default password.

🔧 Some rules in this repo are aimed to detect communications under TLS. Please, set encryption-handling: full in suricata.yaml configuration file to activate them.

SID range

We use SID 10000000-10999999 for our rules.

License

This software is provided under a custom License. See the accompanying LICENSE file for more information.

Name		Name	Last commit message	Last commit date
Latest commit History 139 Commits
CVE-2016-0800		CVE-2016-0800
CVE-2016-1285		CVE-2016-1285
CVE-2016-2208		CVE-2016-2208
CVE-2016-2386		CVE-2016-2386
CVE-2016-3078		CVE-2016-3078
CVE-2016-3087		CVE-2016-3087
CVE-2016-4010		CVE-2016-4010
CVE-2016-4971		CVE-2016-4971
CVE-2016-6304		CVE-2016-6304
CVE-2016-6366		CVE-2016-6366
CVE-2016-6367		CVE-2016-6367
CVE-2016-6662		CVE-2016-6662
CVE-2016-7237		CVE-2016-7237
CVE-2016-7636		CVE-2016-7636
CVE-2016-9147		CVE-2016-9147
CVE-2016-9565		CVE-2016-9565
CVE-2017-13089		CVE-2017-13089
CVE-2017-14492		CVE-2017-14492
CVE-2017-14493		CVE-2017-14493
CVE-2017-14494		CVE-2017-14494
CVE-2017-16943		CVE-2017-16943
CVE-2017-2491		CVE-2017-2491
CVE-2017-3143		CVE-2017-3143
CVE-2017-5638		CVE-2017-5638
CVE-2017-7269		CVE-2017-7269
CVE-2017-7494		CVE-2017-7494
CVE-2017-8045		CVE-2017-8045
CVE-2017-9798		CVE-2017-9798
CVE-2018-0171		CVE-2018-0171
CVE-2018-0886		CVE-2018-0886
CVE-2018-1000006		CVE-2018-1000006
CVE-2018-1000207		CVE-2018-1000207
CVE-2018-1111		CVE-2018-1111
CVE-2018-1306		CVE-2018-1306
CVE-2018-14847		CVE-2018-14847
CVE-2018-15379		CVE-2018-15379
CVE-2018-15442		CVE-2018-15442
CVE-2018-15454		CVE-2018-15454
CVE-2018-17245		CVE-2018-17245
CVE-2018-5955		CVE-2018-5955
CVE-2018-6789		CVE-2018-6789
CVE-2018-7445		CVE-2018-7445
CVE-2018-7600		CVE-2018-7600
CVE-2018-7602		CVE-2018-7602
CVE-2018-8495		CVE-2018-8495
CVE-2018-8581		CVE-2018-8581
CVE-2019-0227		CVE-2019-0227
CVE-2019-0232		CVE-2019-0232
CVE-2019-0708		CVE-2019-0708
CVE-2019-1003001		CVE-2019-1003001
CVE-2019-2618		CVE-2019-2618
CVE-2019-2725		CVE-2019-2725
CVE-2019-3396		CVE-2019-3396
CVE-2019-3924		CVE-2019-3924
CVE-2019-6340		CVE-2019-6340
DNS Rebinding		DNS Rebinding
Dridex		Dridex
FreePBX_13_14_rce		FreePBX_13_14_rce
GraphicsMagick_shell_vulnerability		GraphicsMagick_shell_vulnerability
MS17-010		MS17-010
Microtik Router OS Stack Clash		Microtik Router OS Stack Clash
Neutrino		Neutrino
Omnivista_8770_RCE		Omnivista_8770_RCE
PowerShell Empire		PowerShell Empire
SilentTrinity		SilentTrinity
Squid 3.5 http cache poisoning		Squid 3.5 http cache poisoning
Suricon2018		Suricon2018
ThePrinterBug		ThePrinterBug
aes.ddos.dofloo		aes.ddos.dofloo
apache_continuum_cmd_injection		apache_continuum_cmd_injection
badtunnel		badtunnel
carbanak_pegasus		carbanak_pegasus
dcshadow		dcshadow
eternalblue(WannaCry,Petya)		eternalblue(WannaCry,Petya)
httpoxy		httpoxy
ios 10.1.x remote memory corruption		ios 10.1.x remote memory corruption
nfcapd		nfcapd
phpggc		phpggc
policy		policy
raisecom_gpon_rce		raisecom_gpon_rce
redis_replication_rce		redis_replication_rce
scm_tools_rce		scm_tools_rce
vBulletin_5.x_rce		vBulletin_5.x_rce
wannamine		wannamine
wordpress LearnDash plugin arbitrary file upload		wordpress LearnDash plugin arbitrary file upload
LICENSE		LICENSE
README.md		README.md
pt.rules.tar.gz		pt.rules.tar.gz
pt.rules.tar.gz.md5		pt.rules.tar.gz.md5

License

joesecurity/AttackDetection

Folders and files

Latest commit

History