[Emerging-Sigs] The New Rulesets are Ready!!

Matthew Jonkman jonkman at emergingthreatspro.com
Sat Oct 9 12:39:13 EDT 2010

Thanks to all for your patience, and to everyone who's chipped in to help do this work. It's been about 4 months of converting and testing, but we FINALLY have the open ruleset all ready to re-launch. 

The updated rules can be found at:


For this conversion to 2.8.4, 2.8.6, and suricata we've ingested the old Snort GPL rules (sid 3464 and prior) to convert as well as some of the valuable community sigs in order to keep complete coverage on older platforms. They'll no longer be available from VRT in 2.8.6 and prior, so we're doing so here.

All have been converted and tweaked to provide a more complete ruleset. But of course if you're staying with VRT as your primary ruleset and want to add the ET Open rules you'll have GPL sid duplication. So to make it possible for you to choose to stay with VRT we have provided a version of the ruleset that does NOT contain the GPL or community rules that would overlap. We will support this for the long term, so if you do choose to stay with VRT please continue to use the free ET rules! 

Some notes:
1. The rules.emergingthreats.net dns name is a round robin to a couple of servers now, and we'll be adding a few more over time. So we won't have the bandwidth crush issues when we would publish on the old systems.

2. The old ruleset at www.emergingthreats.net/emerging.rules.tar.gz / zip will remain there, but they WILL NOT BE UPDATED ANY FURTHER. In a couple of weeks, based on feedback, we may set up a redirect to the snort-2.8.4 tarball so we don't lose a lot of automated sensors out there updating on their own. The problem is though that the filenames inside the tarball have changed to reflect our full use of categories. 

3. The open rulesets retain the file naming convention emerging-<category>.rules. (The et pro rules do not have emerging- to avoid confusion) We have added a lot of categories though, so check the included emerging.conf to make sure you're including all you want to run.

4. You must choose your platform. 2.8.4 is where the rulesets USED to be. No http_*, file_data, fast_pattern, etc. While 2.8.4 did support some of the http_* functions, the 2.8.6 version of the ruleset is the first that we've brought all of this together. 

5. Snort 2.4 support will be available soon, as will snort 2.9.0. Keep an eye out for both in the open and pro rulesets! 

6. The version file at http://rules.emergingthreats.net/version.txt will continue to be updated and picks up from where we were, no rollback. We encourage you to use that file to sense when your scripts need to pull an update! The old files that were for the compromised list, rbn list, and dshield rev won't be continued. They all incremented at the same time, and will continue to, so we're just going to rely on the master version counter if no one objects. 

I'll get the backlog of sigs sent to the list committed. We will continue to update the ruleset as often as possible. Likely we'll settle into a once a day update cycle. No less than that for sure!

Thanks again to everyone for your patience. Please grab the new tarball, beat it up. I am CERTAIN we have mistakes in there because my hands have been in it, so please let me know!!


Matthew Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc

More information about the Emerging-sigs mailing list