This chapter introduces the functions of the rules in Emerging Threats for Suricata.
ET’s rules are a well-known rule set in the industry, and the download link can be found here. These rules provide firewall and intrusion detection system rules. IDS/IPS rules are mainly in the open directory, including rules for Snort and Suricata. Rule sets like ET aim for comprehensiveness, and many rules may not be necessary for our actual use cases. Additionally, ET, being an American company, often has many rules targeting vulnerabilities on American and other Western websites. This time, we will briefly analyze the Suricata rule set in the ET open rule set.
After downloading the Suricata rule set, you can see that it is divided into many files, as shown in Figure 1: 
Figure 1
The functions of the above rule sets will be introduced one by one, starting with the less commonly used rule sets.
deleted.rules
This rule set is used to store deprecated rules, and you can see that all the rules start with #. By examining this rule set, you can find that many deprecated rules target specific websites. It is likely that once a specific threat on a website is fixed, such rules become obsolete. Therefore, this rule set is generally not needed but can be used to trace past threats.
games.rules
These rules target threats to some well-known games, but in typical production environments, especially IDS/IPS in corporate or government intranets, these rules have a low priority and can be omitted. The number of these rules is usually around a dozen.
inappropriate.rules
These rules generally target adult websites, with very few rules targeting English websites. Categorizing such websites is often not a strong point of IDS; DPI can usually handle this. The main goal of IDS/IPS is to identify threats, so these rules are usually less focused on.
chat.rules
These rules mainly target some chat software, primarily foreign chat software such as MSN, Facebook, Google Talk, and Yahoo IM. In some scenarios abroad, these rules are important, but in domestic environments, such chat software is rarely used. Domestically, more commonly used frameworks or server frameworks like WebLogic and Apache are integrated into many products. Therefore, whether to use these rules depends on the demand.
policy.rules
Policy rules do not have general applicability for common IDS/IPS. By examining these rules, it is found that many are used to check if users have accessed certain websites, such as TikTok, Google Music, and NBC videos. These rules are generally policies for restricting user access to certain sites within enterprises, and which policies to implement is a customized issue. Moreover, recognizing such application services is better done by DPI. Some rules may still be very useful for reference, such as those with classtype not being policy-violation, which can be referenced for custom rules that enterprises often need.
icmp_info.rules
These rules target ICMP, with another file named icmp.rules. By examining the icmp_info.rules file, it is found that many rules are about abnormal ping alerts, such as destination host unreachable or pinging a specific operating system. Generally, abnormal pings are often initial probes by attackers, so IDS can use these rules for preliminary detection. However, abnormal pings are very common in network traffic, so balancing false positives is an important consideration. IPS generally does not use these rules, and it can be seen that the rules in icmp.rules are commented out, possibly due to a high false positive rate. However, when customizing some ICMP rules, these rules can be referenced.
current_events.rules
As the name suggests, these rules target current hot events. By examining this rule set, it is found that these rules are frequently updated. Many rules are for phishing detection, as phishing attacks are low-cost to create. These malicious URLs are generally obtained from specialized threat research institutions for rule creation. Since the rules in this set have a short lifespan, they are generally not recommended for IDS and IPS rules. However, if tracking hot events is necessary, they can be used as a reference. Generally, foreign research institutions are more mature in studying hot threats, so these threats often target foreign websites, such as phishing links for American banks.
web_specific_apps.rules
This category is similar to chat, targeting specific web applications or website vulnerabilities. Like chat, these rules target exploitation methods for some foreign websites. These vulnerabilities arise from business logic flaws in the website’s code. Therefore, this rule set is not recommended for domestic IDS rule sets due to its limited usefulness, as the main goal of enterprise intranet IDS is to protect internal hosts and servers. However, it can be used for reference and learning.
Some IP rule sets
tor.rules,ciarmy.rules,botcc.rules,drop.rules,compromised.rules,botcc.portgrouped.rules,dshield.rules
These rules describe threatening IP addresses, and it can be seen that the rev field of these rules is very high, indicating that these IP addresses are frequently updated. Where do these threatening IP addresses come from? For example, ciarmy.rules are marked by ciArny.com as attack sources; dshield.rules are marked by DShield as attack sources; botcc refers to some well-known botnet and C&C server addresses. Generally, IDS/IPS targets traffic behavior recognition, and such IP address rules are often placed in reputation-based modules within security companies. However, if not divided so finely, some IP address rules can also be added to IDS/IPS, as these rules do not significantly impact performance. The following rule sets are generally important, and I have categorized them as follows:
- Rules classified by threat
- Rules classified by network protocol
- Other rules
Rules classified by threat
Trojans, malware, worms, SQL injection, port scanning, shellcode, DoS attacks, DNS attacks, email services, etc., corresponding rule set names are
trojan.rules, malware.rules, mobile_malware.rules, worm.rules, sql.rules, scan.rules, shellcode.rules, dos.rules, dns.rules, smtp.rules, pop3.rules, imap.rules
The trojan.rules rule set is the largest rule set provided by ET, targeting Trojan activity detection. Trojan activity may involve transmitting a Trojan file over the network, traffic characteristics of Trojan tools, or some preparatory actions before the Trojan runs. Due to the large size of this rule set, representative rules can be selected based on keywords like CVE. Similarly, malware.rules and mobile_malware.rules target non-mobile and mobile malware detection, respectively. Other rule sets are easily distinguishable by their names and can be filtered based on the actual deployment environment. This type of classification based on attack types is common in the industry, and if an attack does not have a specific classification, it is generally categorized as an exploit.
exploit.rules
As the name suggests, this rule set mainly identifies rules for exploitation methods, often corresponding to specific vulnerabilities. It can be seen that the rules in this set have corresponding CVE numbers. If there is no specific CVE number, it is generally the behavior of some exploitation tools. This is a mixed bag, and rules that are difficult to classify are usually placed in this set.
Additionally, ET also categorizes rules into server-side and client-side. This classification may conflict with the previous one, but it has the obvious benefit of allowing rule writers to better choose which file a rule belongs to, facilitating rule filtering for users.
web_server.rules
This rule set targets threats to web servers, not specific website threats. It targets general web server attack behaviors, such as file upload vulnerabilities, file inclusion vulnerabilities, and XSS vulnerabilities. For example, some PHP websites may have file inclusion vulnerabilities, and the exploitation methods for these vulnerabilities are fixed. These fixed methods are summarized into rules, such as:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible file Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=file|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013002; rev:5; metadata:created_at 2011_06_10, updated_at 2020_04_20;)Generally, if the corresponding detection is deployed at the gateway, this rule set is very important. However, it should be noted that such detections may cause some false positives for normal access, so for IPS, it may be necessary to consider trimming or enhancing the rules.
web_client.rules, attack_response.rules
Similarly, this rule set targets client-side threat detection. For servers, the threats aim at privilege escalation and information leakage, while for clients, the threats cause client software crashes and some information leakage, such as XSS.
Rules classified by protocol
Specifically include:
rpc.rules, tftp.rules, ftp.rules, snmp.rules, icmp.rules, p2p.rules, voip.rules, telnet.rules, netbios.rules
The attack methods associated with these protocols are relatively numerous, so a separate rule set is formed for each protocol. The meaning of each rule set should be easily understood by their names.
Other rules
scada.rules, scada_special.rules, misc.rules, user_agents.rules, attack_response.rules
SCADA is a rule set for industrial control software threat interception, user_agents is for collecting UA with protocol threats, and misc rules are for intercepting mixed threat traffic.
Generally, for enterprise IDS rules, the following aspects can be considered:
1. For clients, intercept vulnerabilities in the Windows family of software, including the Windows operating system, Office series, IE series, PDF series, etc. 2. For servers, including Java frameworks and servers, Python frameworks, databases, and other common general vulnerabilities, such as WebLogic, Apache, MySQL, etc. 3. Common threat types nowadays, such as webshell, brute force attacks, file uploads, RCE, SQL injection, etc., can refer to CWE.
The above is my personal understanding of IDS/IPS rules.