{"id":13844607,"url":"https://github.com/al0ne/suricata-rules","last_synced_at":"2026-02-18T20:10:35.264Z","repository":{"id":42227442,"uuid":"148616947","full_name":"al0ne/suricata-rules","owner":"al0ne","description":"Suricata IDS rules 用来检测红队渗透/恶意行为等，支持检测CobaltStrike/MSF/Empire/DNS隧道/Weevely/菜刀/冰蝎/挖矿/反弹shell/ICMP隧道等","archived":false,"fork":false,"pushed_at":"2023-07-08T08:10:42.000Z","size":210,"stargazers_count":1238,"open_issues_count":0,"forks_count":304,"subscribers_count":41,"default_branch":"master","last_synced_at":"2025-10-19T16:23:58.397Z","etag":null,"topics":["ids","security","signatures","suricata","suricata-rule"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/al0ne.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2018-09-13T09:45:29.000Z","updated_at":"2025-10-16T03:37:53.000Z","dependencies_parsed_at":"2024-04-12T16:55:09.451Z","dependency_job_id":"7c8afc30-4ac6-444c-99bd-12b900cf7de0","html_url":"https://github.com/al0ne/suricata-rules","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/al0ne/suricata-rules","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/al0ne%2Fsuricata-rules","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/al0ne%2Fsuricata-rules/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/al0ne%2Fsuricata-rules/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/al0ne%2Fsuricata-rules/manifests","owner_url":"
https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/al0ne","download_url":"https://codeload.github.com/al0ne/suricata-rules/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/al0ne%2Fsuricata-rules/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29594242,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-18T18:54:29.675Z","status":"ssl_error","status_checked_at":"2026-02-18T18:50:50.517Z","response_time":162,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ids","security","signatures","suricata","suricata-rule"],"created_at":"2024-08-04T17:02:48.062Z","updated_at":"2026-02-18T20:10:35.219Z","avatar_url":"https://github.com/al0ne.png","language":null,"funding_links":[],"categories":["Others","LLM analysis process"],"sub_categories":[],"readme":"# suricata-rules\n\tSuricata is an excellent open-source intrusion detection system. This project collects high-quality Suricata IDS rules extracted by security operations staff; contributions are welcome.\n\n## Rule-writing requirements\nCreate a new directory for each rule, laid out as follows:\n\n\twebshell detection\t#rule directory name: describe clearly what the rule detects\n\t- webshell.pcap\t#the pcap the rule was written from, saved as a single flow where possible\n\t- webshell.rules\t#the rule file you extracted; test it before submitting\n\t- README\t#notes about the rule so others can understand it; Markdown is supported\n\n### Rule directory\n\tName the directory after a single CVE, hacking tool or threat type. If a matching rule directory already exists, add the rule there instead.\n\n### The rule's pcap\n\tFilter the traffic in Wireshark, then use File -- Export Specified Packets and save in pcap format before uploading.\n\tThis keeps only the malicious flow, which makes it easy to recognise, and produces the smallest file, which is easy to move and back up.\n\n### The .rules file\n\tThe rule file can be named freely, but the extension must be rules, e.g. webshell_caidao.rules\n\tA single file may contain several rules; say so in the README.\nRecommended rule content:\n#### 
Example\n\tsid allocation:\n\t0~999999   reserved for Sourcefire VRT (rules shipped with Snort)\n\t2000001~2999999     Emerging Threats (ET)\n\t3000000~3999999     shared block used by this project, split by category:\n\tNetwork scanning    3000000～3000999\n\tBrute force    3001000～3001999\n\tVulnerability exploitation    3002000～3002999\n\tBackdoor connections    3003000～3003999\n\tWebShell    3004000～3004999\n\tViruses and trojans    3005000～3005999\n\tSpyware    3006000～3006999\n\tAuthentication    3007000～3007999\n\tCode execution    3008000～3008999\n\tFile extraction    3009000～3009999\n\tFile transfer    3010000～3010999\n\tSuspicious DNS     3011000～3011999\n\tHTTP requests    3012000～3012999\n\tMalicious behaviour    3013000～3013999\n\tPolicy violations    3014000～3014999\n\tSensitive data leakage    3015000～3015999\n\tHacking tools    3016000～3016999\n\tCryptomining    3017000～3017999\n\trev is the rule revision: increment it on every change. metadata records the creation date and the author as comma-separated key value pairs.\n\treference gives the source or further reading, e.g. a CVE identifier, a remediation guide or an attack write-up.\n\talert http any any -\u003e any any (msg:\"webshell_caidao_php\"; flow:established; content:\"POST\";\n    http_method; content:\".php\"; http_uri; content:\"base64_decode\"; http_client_body; sid:3004001;\n    rev:1; metadata:created_at 2018_11_14, by al0ne;)\n\tSuricata reads each rule as one line, so a rule wrapped like the one above needs a trailing backslash on every continued line. For a request-side rule, flow:established,to_server restricts matching to client-to-server traffic; http_method, http_uri and http_client_body each apply to the content keyword immediately before them.\n\n# Notes\nFiles in the project root\n\n\tsuricata-ids.rules\t#all rules combined; to update, download this file and replace your copy.\n\tdisable.conf\t#Suricata rules disabled during analysis (broken, false positives, etc.)\n\tsid.txt \t#every sid in use, to avoid duplicates; update sid.txt every time a rule is added.\n\n# Acknowledgements\nMain contributors\n- **al0ne (https://github.com/al0ne)**\n- **Charmly  (https://github.com/Charm1y)**\n- **lrvy (https://github.com/lrvy)**\n- **KudinovKV (https://github.com/KudinovKV)**\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fal0ne%2Fsuricata-rules","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fal0ne%2Fsuricata-rules","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fal0ne%2Fsuricata-rules/lists"}
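The README above describes a submission convention (per-category sid blocks in 3000000~3999999, a rev that is incremented, metadata with created_at and by, and a sid.txt that must stay free of duplicates) but gives no way to check a contribution against it. The following linter is an added example, not code from the al0ne/suricata-rules project. It assumes one rule per logical line (backslash continuations allowed), a sid.txt with one sid per line, and metadata written as in the README example (`created_at YYYY_MM_DD, by NAME`). The category names, finding codes, the three broken sample rules and the sid.txt contents are constructed for this example; the first sample rule is the README's own, with `to_server` added and written with a line continuation. `next_free_sid` goes a step beyond the text and picks the next unused sid in a category block.

```python
"""Linter for the rule-submission conventions in the README (added example,
not part of the al0ne/suricata-rules project). Assumes one rule per logical
line, sid.txt with one sid per line, and metadata as 'created_at YYYY_MM_DD, by NAME'.
Category names, finding codes and all sample data below are constructed."""
import re

# The 18 category blocks from the README: 1000 sids each, from 3000000 upward.
CATEGORIES = [
    "network scanning", "brute force", "vulnerability exploitation",
    "backdoor connections", "webshell", "viruses and trojans", "spyware",
    "authentication", "code execution", "file extraction", "file transfer",
    "suspicious dns", "http requests", "malicious behaviour",
    "policy violations", "sensitive data leakage", "hacking tools", "cryptomining",
]
SID_BLOCKS = [(3000000 + i * 1000, 3000999 + i * 1000, n) for i, n in enumerate(CATEGORIES)]
PROJECT_RANGE = (3000000, 3999999)  # the project's shared block

# action proto src sport direction dst dport (options)
RULE_RE = re.compile(r"^(alert|drop|pass|reject)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
DATE_RE = re.compile(r"\d{4}_\d{2}_\d{2}")  # created_at 2018_11_14 as in the README


def split_options(body):
    """Split 'key:value; key; ...' into (key, value) pairs. A ';' or an escaped
    quote inside a quoted value must not terminate the option."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if in_quote and c == "\\" and i + 1 < len(body):
            cur.append(body[i:i + 2]); i += 2  # keep the escape pair intact
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ";" and not in_quote:
            key, _, val = "".join(cur).strip().partition(":")
            if key:
                opts.append((key.strip(), val.strip()))
            cur = []
        else:
            cur.append(c)
        i += 1
    return opts

def category_for_sid(sid):
    """README category whose block contains sid, or None."""
    return next((n for lo, hi, n in SID_BLOCKS if lo <= sid <= hi), None)

def known_sids(sid_txt):
    """sid.txt (one sid per line) as a set of ints."""
    return {int(t) for t in sid_txt.split() if t.isdigit()}

def next_free_sid(category, used):
    """Lowest unused sid in the category's block, or None when the block is full."""
    lo, hi, _ = next(b for b in SID_BLOCKS if b[2] == category)
    return next((s for s in range(lo, hi + 1) if s not in used), None)

def parse_metadata(value):
    """'created_at 2018_11_14, by al0ne' -> {'created_at': '2018_11_14', 'by': 'al0ne'}"""
    pairs = (item.strip().partition(" ") for item in value.split(","))
    return {k: v.strip() for k, _, v in pairs if k}

def lint_rules(rules_text, sid_txt):
    """Return (sid, code) findings for every convention violation; [] means clean."""
    used, seen, findings = known_sids(sid_txt), set(), []
    for raw in rules_text.replace("\\\n", " ").splitlines():  # join continuations
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((None, "unparseable"))
            continue
        proto, opts = m.group(2), dict(split_options(m.group(8)))
        if not opts.get("sid", "").isdigit():
            findings.append((None, "missing-sid"))
            continue
        sid = int(opts["sid"])
        if not PROJECT_RANGE[0] <= sid <= PROJECT_RANGE[1]:
            findings.append((sid, "sid-out-of-range"))
        elif category_for_sid(sid) is None:
            findings.append((sid, "sid-no-category"))
        if sid in used:
            findings.append((sid, "sid-in-sid-txt"))  # already taken per sid.txt
        if sid in seen:
            findings.append((sid, "sid-duplicate-in-file"))
        seen.add(sid)
        if "msg" not in opts:
            findings.append((sid, "missing-msg"))
        if not opts.get("rev", "").isdigit() or int(opts["rev"]) < 1:
            findings.append((sid, "bad-rev"))
        if "metadata" not in opts:
            findings.append((sid, "missing-metadata"))
        else:
            meta = parse_metadata(opts["metadata"])
            findings += [(sid, f"metadata-missing-{k}") for k in ("created_at", "by") if k not in meta]
            if "created_at" in meta and not DATE_RE.fullmatch(meta["created_at"]):
                findings.append((sid, "metadata-bad-date"))
        # an HTTP rule should pin the direction, not just flow:established
        flow = {p.strip() for p in opts.get("flow", "").split(",")}
        if proto == "http" and not flow & {"to_server", "to_client"}:
            findings.append((sid, "flow-direction"))
    return findings

# Constructed sample input: rule 1 is the README example (to_server added, wrapped
# with a backslash); rules 2-4 are made up to trigger findings.
SAMPLE_RULES = r'''
alert http any any -> any any (msg:"webshell_caidao_php"; flow:established,to_server; content:"POST"; http_method; \
    content:".php"; http_uri; content:"base64_decode"; http_client_body; sid:3004001; rev:1; metadata:created_at 2018_11_14, by al0ne;)
alert dns any any -> any any (msg:"long txt query"; dns_query; content:"|00|"; sid:3011005; rev:2; metadata:created_at 2019-01-02, by tester;)
alert http any any -> any any (msg:"webshell_behinder"; flow:established; content:"POST"; http_method; sid:3017100; rev:0;)
alert tcp any any -> any 4444 (msg:"reverse shell"; flow:established; sid:2000001; rev:1; metadata:created_at 2019_01_02, by tester;)
'''
SAMPLE_SID_TXT = "3011005\n3013000\n3004002\n"  # constructed sid.txt contents

if __name__ == "__main__":
    for sid, code in lint_rules(SAMPLE_RULES, SAMPLE_SID_TXT):
        print(sid, code)
```

Run it against a real contribution with `lint_rules(open("webshell.rules").read(), open("sid.txt").read())`; an empty list means the file satisfies the README checks, and `next_free_sid("webshell", known_sids(sid_txt))` gives the next sid to assign in that category. The linter checks conventions only; whether a rule actually fires on its pcap is still verified by running Suricata over it.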