Suricata SID-Descriptions-ETOpen.json

Hello! Please tell me what SID-Descriptions-ETOpen.json.gz, Proofpoint Emerging Threats Rules is used for?

It contains metadata for the rules in the ET OPEN rule set. E.g. the following entry:

  "2039475": {
    "affected_products": "Windows_XP/Vista/7/8/10/Server_32/64_Bit",
    "attack_target": "Client_Endpoint",
    "tls_state": null,
    "category": "INFO",
    "classtype": "misc-activity",
    "creation_date": "2022-10-19",
    "cve_reference": "",
    "deprecation_reason": null,
    "description": "",
    "last_modified_date": "2022-10-19",
    "malware_family": null,
    "mitre_tags": [],
    "name": "URL Shortener Service Domain in DNS Lookup (snip .ly)",
    "performance_impact": null,
    "rev": "1",
    "ruleset": "ET",
    "severity": "Informational",
    "sid": "2039475",
    "signature_deployment": "Perimeter",
    "tag": null,
    "type": "SID",
    "url_reference": ""

lists information about the rule with the SID 2039475, which is this one in the main rules file:

alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (snip .ly)"; dns.query; content:""; nocase; bsize:7; classtype:misc-activity; sid:2039475; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_10_19, deployment Perimeter, signature_severity Informational, updated_at 2022_10_19;)

As you can see, there is not too much additional information to what is already in the rule, but it is provided in a more accessible JSON format. That could be used to fill some kind of rule database.

1 Like

the SID-Descriptions-ETOpen.json.gz file is added to the general rules /etc/suricata/rules and is specified in the settings

default-rule-path: /var/lib/suricata/rules

It is just informational for someone who wants to annotate alerts by SID. Suricata does not load it, or need it.

You only need to care about the *.rules files.