Hello! Please tell me what SID-Descriptions-ETOpen.json.gz, Proofpoint Emerging Threats Rules is used for?
It contains metadata for the rules in the ET OPEN rule set. E.g. the following entry:
"2039475": {
    "affected_products": "Windows_XP/Vista/7/8/10/Server_32/64_Bit",
    "attack_target": "Client_Endpoint",
    "tls_state": null,
    "category": "INFO",
    "classtype": "misc-activity",
    "creation_date": "2022-10-19",
    "cve_reference": "",
    "deprecation_reason": null,
    "description": "",
    "last_modified_date": "2022-10-19",
    "malware_family": null,
    "mitre_tags": [],
    "name": "URL Shortener Service Domain in DNS Lookup (snip .ly)",
    "performance_impact": null,
    "rev": "1",
    "ruleset": "ET",
    "severity": "Informational",
    "sid": "2039475",
    "signature_deployment": "Perimeter",
    "tag": null,
    "type": "SID",
    "url_reference": ""
},
lists information about the rule with the SID 2039475, which is this one in the main rules file:
alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (snip .ly)"; dns.query; content:"snip.ly"; nocase; bsize:7; classtype:misc-activity; sid:2039475; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_10_19, deployment Perimeter, signature_severity Informational, updated_at 2022_10_19;)
As you can see, there is not much additional information beyond what is already in the rule, but it is provided in a more accessible JSON format. That could be used to fill some kind of rule database.
Is the SID-Descriptions-ETOpen.json.gz file added to the general rules directory /etc/suricata/rules and specified in the settings in /etc/suricata/suricata.yaml?
    default-rule-path: /var/lib/suricata/rules
    rule-files:
It is just informational for someone who wants to annotate alerts by SID. Suricata does not load it, or need it.
You only need to care about the *.rules files.
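As an added example of the annotation the two answers describe (this is not code from the thread, from Suricata or from Proofpoint): read a SID-Descriptions file and enrich Suricata EVE alert records by their signature_id. The description entries and the EVE lines are constructed samples in the shape shown above, and the function names are assumptions.

```python
import gzip
import json
# Constructed sample in the shape of the SID-Descriptions-ETOpen.json entry quoted
# above; only the fields read below are kept. Not the real file.
SAMPLE_SID_DESCRIPTIONS = {
    "2039475": {
        "name": "URL Shortener Service Domain in DNS Lookup (snip .ly)",
        "severity": "Informational",
        "signature_deployment": "Perimeter",
        "mitre_tags": [],
        "deprecation_reason": None,
    }
}

# Constructed EVE JSON lines: an alert on a known SID, an alert on an unknown
# SID, and a non-alert event that must pass through unchanged.
SAMPLE_EVE = "\n".join([
    '{"event_type":"alert","src_ip":"10.0.0.5","alert":{"signature_id":2039475,"rev":1}}',
    '{"event_type":"alert","src_ip":"10.0.0.6","alert":{"signature_id":9999999,"rev":1}}',
    '{"event_type":"dns","src_ip":"10.0.0.5","dns":{"rrname":"snip.ly"}}',
])

def sample_gz_bytes():
    # Gzip the constructed sample, mimicking SID-Descriptions-ETOpen.json.gz on disk.
    return gzip.compress(json.dumps(SAMPLE_SID_DESCRIPTIONS).encode("utf-8"))
def load_sid_descriptions(gz_bytes):
    """Parse a gzipped SID-Descriptions JSON file into a dict keyed by SID string."""
    return json.loads(gzip.decompress(gz_bytes).decode("utf-8"))
def annotate_eve(eve_text, sid_descriptions):
    """Return EVE events as dicts; alert events gain an 'et_meta' block looked up by SID."""
    events = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") == "alert":
            # EVE carries signature_id as an int; the JSON file keys SIDs as strings.
            meta = sid_descriptions.get(str(ev["alert"]["signature_id"]))
            if meta is None:
                ev["et_meta"] = {"known": False}  # not an ET Open SID, or file outdated
            else:
                ev["et_meta"] = {
                    "known": True,
                    "severity": meta.get("severity"),
                    "deployment": meta.get("signature_deployment"),
                    "mitre_tags": meta.get("mitre_tags") or [],
                    "deprecated": meta.get("deprecation_reason") is not None,
                }
        events.append(ev)
    return events
```

Alerts whose SID is missing from the file are flagged rather than dropped, so a stale description file shows up as `known: false` instead of silently losing events.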