Hello, I’m looking for state-sponsored spyware that is using some kind of advanced covert channel. Maybe it uses some anomalies in TCP/IP to exfiltrate data. I need some further IOC source to check the syntax of all the TCP packets that go outside my network. So my question is: is there another alternative source to add to Suricata?
I already added something, like for example URLhaus but I need more because I need something else which highlights other inconsistencies in the stream.
Is there a complete list of all the Suricata rules out there?
Thanks.
Have you checked the intel index? suricata-update list-sources gives the list of rulesets.
Other rule lists are:
Thanks so much for your suggestion, that is really useful.
But I found a problem. I found the sagan-ruleset, but it’s quite difficult to add this source because the GitHub repo contains hundreds of rule files. The following is the repo:
Do you have a suggestion on how to add it?
I found the file rules.yaml, but it seems more like a Snort file than a Suricata config.
The only way to get the rules seems to be to clone the repo, make a tar.gz, and feed it to Suricata. But do you have a better idea?
As the name already suggests, the Sagan ruleset is not for Suricata, but for Sagan (GitHub - quadrantsec/sagan: Sagan is a multi-threaded, high-performance log analysis engine. At its core, Sagan is similar to Suricata/Snort but with logs rather than network packets.), which is a different tool with a different purpose.
While the rule format might be similar to Suricata’s, the keywords are different. Its rules will not work with Suricata.
Thanks, I’ll remove it.