Community Rules (version 12.0 and later)

Update Schedule

The Update Schedule is used to configure the schedule used for updating from the configured community rule sources.

Schedule: What type of schedule to use to update from the community rules sources: Never, Daily, Weekly, or Monthly.

Hour: During what hour to update the sources. This is applicable for daily, weekly, and monthly schedules.

Day Of Week: On What day of the week to update the sources. This is applicable for the weekly schedules.

Day Of Month: On What day of the month to update the sources. This is applicable for the monthly schedules.

IDS/IPS Community Sources

The IDS/IPS Community Sources section is used to configure the sources from which the rules will be retrieved during updates.  The default source is et/open and all enabled rules are set to an alert action.

To add a new source click Add New Source.

To delete a source, click the Select checkbox for the associated row and click Delete.

To enable a source, click the Select checkbox for the associated row and click Enable.

To disable a source, click the Select checkbox for the associated row and click Disable.

To view the rules associated to source rules click either Export or View. The rules displayed here are the original downloaded rules. These are not the rules to look at to see the final result after the default action, categories, and signature actions are applied. To view what the final rules look like click on View Rules.

IDS/IPS Community Categories

The IDS/IPS Community Categories section is used to apply settings to all of the rules contained in a category. These category actions are applied to the matching rules downloaded from the IDS/IPS Community Sources.

To add a new category click Add New Category.

To delete a category, click the Select checkbox for the associated row and click Delete.

To enable a category, click the Select checkbox for the associated row and click Enable.

To disable a category, click the Select checkbox for the associated row and click Disable.

To view the rules associated to a category click either Export or View.

Category Settings

Name: Enter a name for the IDS/IPS category.

Action: Configure the action for the category. This will apply to all rules matched by the category.

• enable: The associated rules matching the category will be enabled. This is useful if there are rules that the community source marked as disabled and the user wants them to be enabled.
• disable: The associated rules matching the category will be disabled. This is useful if there are rules that are generating too many alerts for your traffic.
• drop: The associated rules matching the category will be set to drop.
• alert: The associated rules matching the category will be set to alert.
• reject: The associated rules matching the category will be set to reject.

Class/Filename: Select a classtype or filename to match on.

• Class: Select the classtype of the rule definition to match on. This selects all rules from all configured ruleset sources which use the specified classtype.
• File: Select a filename to match on. This selects all rules from a particular file within a ruleset source. See the Et/Open Files section for descriptions of files from that source.

Pattern: Optionally enter a string to further match within a rule definition.

Apply to Disabled Rules: When checked the category will also enable and apply the action to the associated rules that were initially disabled by the community rule sources.

IDS/IPS Community Categories Examples

By default all rules in the downloaded et/open rule set have their action set to Alert.  Some rules are also disabled by default which is denoted by a # symbol before the rule.  The categories added to the IDS/IPS Community Categories section allow changing the action of all the rules in the category.  Some possible uses of these categories are to:

• Disable all of the rules in a category so they do not generate alerts
• Change the actions of all of the rules in a category such as from the default, Alert, to Drop or Reject
• Enable all of the rules in a category that are disabled by default

For this Classtype example, to change the action of all rules in the "Not Suspicious Traffic" category from Alert to Disable the following category would be added:

For this Filetype example, to change the action of rules in the "emerging-games.rules" from Alert to "Drop", you would need to add this category rule:

Et/Open Files

The Emerging Threats Open ruleset groups similar rules into a single file. The following is a list of filenames and descriptions of the rules contained within.

• 3coresec.rules: 3CORESec blacklist IP rules
• botcc.rules: Bot Command and Control IP rules
• botcc.portgrouped.rules: Bot Command and Control rules grouped by port
• ciarmy.rules: Collective Intelligence Network Security IP rules
• compromised.rules: Known compromised hosts
• drop.rules: Spamhaus Don't Route or Peer list
• dshield.rules: Dshield Identified attackers
• emerging-activex.rules: Rules for ActiveX attacks and vulnerabilities
• emerging-attack_response.rules: Rules to detect traffic indicative of an intrusion
• emerging-chat.rules: Rules for chat/instant messaging traffic
• emerging-current_events.rules: Rules for active and short-lived exploits
• emerging-deleted.rules: Rules which are staged to be removed from et/open
• emerging-dns.rules: Rules for DNS-based attacks
• emerging-dos.rules: Rules for potential DOS activity
• emerging-exploit.rules: Rules for general exploits
• emerging-ftp.rules: Rules for detecting attacks related to FTP
• emerging-games.rules: Rules for video games - general usage and attacks
• emerging-icmp_info.rules: Rules for detecting basic ICMP activity
• emerging-icmp.rules: Rules for attacks and detecting basic ICMP activity
• emerging-imap.rules: Rules for attacks regarding the IMAP protocol
• emerging-inappropriate.rules: Rules for detecting pornography
• emerging-info.rules: Rules for detecting suspicious traffic
• emerging-malware.rules: Rules for detecting malware
• emerging-misc.rules: Rules for detecting miscellaneous attacks and suspicious traffic
• emerging-mobile_malware.rules: Rules for detecting malware specific to mobile platforms
• emerging-netbios.rules: Rules for detecting attacks related to Netbios
• emerging-p2p.rules: Rules for detecting attacks and basic P2P activity
• emerging-policy.rules: Rules for detecting particular applications - Dropbox: Google Drive: etc
• emerging-pop3.rules: Rules for attacks and detecting basic POP3 activity
• emerging-rpc.rules: Rules for attacks and detecting basic RPC activity
• emerging-scada.rules: Rules for attacks and detecting basic SCADA activity
• emerging-scan.rules: Rules for detecting portscanning
• emerging-shellcode.rules: Rules for detecting remote shell execution
• emerging-smtp.rules: Rules for attacks and detecting basic SMTP activity
• emerging-snmp.rules: Rules for attacks and detecting basic SNMP activity
• emerging-sql.rules: Rules for attacks and detecting basic SQL activity
• emerging-telnet.rules: Rules for attacks and detecting basic TELNET activity
• emerging-tftp.rules: Rules for attacks and detecting basic TFTP activity
• emerging-trojan.rules: Rules for detecting malicious software
• emerging-user_agents.rules: Rules for detecting suspicious user agent strings
• emerging-voip.rules: Rules for attacks and detecting basic VOIP activity (SIP: RTP: etc)
• emerging-web_client.rules: Rules for client-side web attacks
• emerging-web_server.rules: Rules for server-side web attacks
• emerging-web_specific_apps.rules: Rules for attacks tied to specific web applications
• emerging-worm.rules: Rules for detecting network worm activity
• tor.rules: Rules for detecting TOR traffic