Was just wondering if anyone had any further insight into what the IP groups in the etnetera/aggressive rules map to?
I checked around the website and the Twitter announcement feed hasn’t been updated since 2018, although the rules are updated regularly. https://twitter.com/etnsec
The updated rules located at https://security.etnetera.cz/feeds/etn_aggressive.rules have groups noted in the rule msg, but it isn’t clear what the grouping represents.
Here is a snippet of what most of the 430 rules look like; note that I removed a majority of the IP addresses for readability.
The rules have approximately 20-30 IP addresses each, and then the Group number is incremented, so Group 0 through Group 430.
alert ip [188.8.131.52,...,184.108.40.206] any -> $HOME_NET any (msg:"ETN AGGRESSIVE IPs Group 0"; reference:url,https://security.etnetera.cz/feeds/etn_aggressive.txt; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:5000000; rev:1612823401;)
I sent an email off to the info email address on their website about a week ago, but haven’t heard back.
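As an added example (not from the original post and not etnetera's own tooling), here is a small Python parser for rules in the shape quoted above. It pulls the Group number, sid, threshold and source-IP list out of each rule and runs the sanity checks a practitioner would want before loading the feed: IPs per group, IPs that appear in more than one group, and whether the sid simply tracks the group number (sid 5000000 + group, which is an assumption based on the one rule shown). The three sample rules embedded below are constructed with documentation-range IPs; they are not taken from the real feed.

```python
"""Parse Suricata-style rules in the shape of the etn_aggressive.rules feed.

Added example, not part of the original post or of the etnetera feed.
SAMPLE_RULES is constructed to mirror the quoted rule (bracketed source-IP
list, msg carrying a Group number, threshold, sid); the IPs are made up.
"""
import re
import sys
from collections import Counter

SAMPLE_RULES = """\
# constructed sample, not the real feed
alert ip [192.0.2.10,192.0.2.11,198.51.100.7] any -> $HOME_NET any (msg:"ETN AGGRESSIVE IPs Group 0"; reference:url,https://security.etnetera.cz/feeds/etn_aggressive.txt; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:5000000; rev:1612823401;)
alert ip [203.0.113.5,203.0.113.6] any -> $HOME_NET any (msg:"ETN AGGRESSIVE IPs Group 1"; reference:url,https://security.etnetera.cz/feeds/etn_aggressive.txt; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:5000001; rev:1612823401;)
alert ip [203.0.113.5,192.0.2.99] any -> $HOME_NET any (msg:"ETN AGGRESSIVE IPs Group 2"; reference:url,https://security.etnetera.cz/feeds/etn_aggressive.txt; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:5000002; rev:1612823401;)
"""

# Header: action proto [ip,ip,...] sport -> dst dport (options)
# Rules whose source is a variable (e.g. $EXTERNAL_NET) rather than a
# bracketed list deliberately do not match and are skipped.
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\w+)\s+'
    r'\[(?P<src>[^\]]*)\]\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)
# Options are "key:value;" pairs; a quoted value (msg) may itself contain ';'.
OPT_RE = re.compile(r'\s*([A-Za-z_]+)\s*:\s*("[^"]*"|[^;]*);')
GROUP_RE = re.compile(r'Group\s+(\d+)')


def parse_rule(line):
    """Return a dict for one rule line, or None for blank/comment/non-matching lines."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    opts = {k: v.strip('"') for k, v in OPT_RE.findall(m.group('opts'))}
    g = GROUP_RE.search(opts.get('msg', ''))
    return {
        'group': int(g.group(1)) if g else None,
        'sid': int(opts['sid']) if 'sid' in opts else None,
        'rev': opts.get('rev'),
        'threshold': opts.get('threshold'),
        'dst': m.group('dst'),
        'ips': [ip.strip() for ip in m.group('src').split(',') if ip.strip()],
    }


def parse_feed(text):
    """Parse a whole rules file, dropping lines that are not bracketed-IP rules."""
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


def summarize(rules, sid_base=5000000):
    """Feed-level checks: sizes, cross-group duplicates, sid/group consistency."""
    ip_counts = Counter(ip for r in rules for ip in r['ips'])
    return {
        'rules': len(rules),
        'groups': sorted(r['group'] for r in rules),
        'ips_per_group': {r['group']: len(r['ips']) for r in rules},
        'total_ips': sum(ip_counts.values()),
        'unique_ips': len(ip_counts),
        'duplicate_ips': sorted(ip for ip, n in ip_counts.items() if n > 1),
        # Assumption: sid = sid_base + group (the quoted rule has Group 0 / sid 5000000).
        'sid_matches_group': all(r['sid'] == sid_base + r['group'] for r in rules),
        # Every rule should rate-limit per source so one noisy IP alerts once a minute.
        'all_limit_by_src': all(r['threshold'] is not None and 'track by_src' in r['threshold']
                                for r in rules),
    }


if __name__ == '__main__':
    # Usage: python etn_rules.py [path/to/etn_aggressive.rules]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for key, val in summarize(parse_feed(text)).items():
        print(f'{key}: {val}')
```

Run it against a downloaded copy of etn_aggressive.rules to see whether the group numbering is contiguous, how many IPs each group carries, and whether any IP is listed in more than one group; the summary is only as good as the feed's own msg strings, so a rule whose msg lacks "Group N" shows up with group None.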