Detection Rules

Introduction

To enhance existing statically defined rules, NETALERT supports integrating third-party rules into its detection engine.

This module enables NETALERT to be interconnected with Threat Intelligence (TI) solutions for automatic rule downloads, ensuring up-to-date threat detection.

Supported Rule Types and Methods:

  • Snort Compatible List (txt, one per line, files with *.rules extension)
  • Snort Compatible List (tar.gz, list of files)
  • Classic Threat Intelligence IP List (IP list, one per line)
  • CQ Threat Intelligence
  • Mining Nodes (IP, one per line)
  • TOR Exit Nodes (IP, one per line)
  • DDNS (IP/Server, one per line)
  • BANNED DNS (IP/Server, one per line)
  • BANNED SMTP (IP/Server, one per line)
  • IOC IP (IP, one per line)
  • IOC Domain (Domain, one per line)

When these integrations are enabled, NETALERT downloads and updates rule lists daily from the configured feeds:

  • CYBERQUEST Threat Intelligence and Classic Threat Intelligence IP lists – Retrieved data is added to the IOC (Indicators of Compromise) IP list.
  • Snort-compatible rules – Downloads the necessary rule sets and integrates them into the detection engine.

Snort compatible rule example:

alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows IGMP dos attack"; fragbits:M+; ip_proto:2; metadata:ruleset community; reference:bugtraq,514; reference:cve,1999-0918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-034; classtype:attempted-dos; sid:272; rev:16; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP ath"; itype:8; content:"+++ath",fast_pattern,nocase; metadata:ruleset community; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:13; )

NETALERT currently supports only alert ip rules (the first example above); rules of other types, such as the alert icmp rule in the second example, are not yet processed. More detection types will be added in future releases.

When configured to download a .tar.gz rule archive, NETALERT automatically extracts the archive, concatenates the extracted rule files into a single comprehensive ruleset, and adds that ruleset to the detection engine.
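As an added example (not NETALERT's own code), the following Python pre-validates two of the feed formats described above before they reach a detection engine: a Snort-compatible list, from which only the alert ip rules NETALERT currently supports are kept, and an IP-per-line list, where malformed lines are reported rather than silently accepted. The sample feeds are constructed for the example and contain no real threat data.

```python
import ipaddress
import re

# Snort rule header: action proto src sport direction dst dport, then '('
RULE_HEADER = re.compile(r"^(\w+)\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\(")
SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def split_snort_rules(text, supported=("ip",)):
    """One rule per line; returns (accepted, skipped). Only 'alert' rules whose
    protocol is in `supported` are accepted (NETALERT: alert ip only)."""
    accepted, skipped = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not rules
        head, sid = RULE_HEADER.match(line), SID.search(line)
        if not head or not sid:
            skipped.append((n, "malformed rule"))
        elif head.group(1) != "alert" or head.group(2) not in supported:
            skipped.append((n, f"unsupported type {head.group(1)} {head.group(2)}"))
        else:
            accepted.append((int(sid.group(1)), line))
    return accepted, skipped

def parse_ip_list(text):
    """One IP per line ('#' starts a comment); returns (valid_ips, bad_lines)
    so junk lines in a third-party feed cannot poison the IOC IP list."""
    good, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        token = line.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            good.append(str(ipaddress.ip_address(token)))  # normalised form
        except ValueError:
            bad.append((n, token))
    return good, bad

# Constructed sample feeds for the example (not real rules or indicators)
SAMPLE_RULES = """\
# community rules, one per line
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"TEST ip rule"; sid:1000001; rev:1; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"TEST icmp rule"; itype:8; sid:1000002; rev:1; )
this is not a rule
"""
SAMPLE_IPS = "192.0.2.10\n198.51.100.7 # flagged\nnot-an-ip\n\n2001:db8::1\n"

if __name__ == "__main__":
    print(split_snort_rules(SAMPLE_RULES))
    print(parse_ip_list(SAMPLE_IPS))
```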

Access Detection Rules

To access Detection Rules, navigate to Administration > Detection Rules; the Detection Rules page opens.

Adding a New Detection Rule

To add a new detection rule, click the "Add Detection Rule" button. In this example, an administrator adds a detection rule that automatically downloads a list of compromised IPs from an external source and integrates it into the NETALERT detection engine.

  • NETALERT will regularly fetch the compromised IPs list from the specified URL.
  • The downloaded Snort-compatible rules will be added to the detection engine.
  • Alerts will be triggered for network traffic matching the compromised IP addresses in the list.

  • Name – A descriptive name for the detection rule.
  • URL – The source URL from which the rule data will be downloaded.
  • Type – Select the appropriate rule type from the dropdown list.

After creating a new Detection Rule, the following management actions become available:

  • Edit – Allows modification of the rule’s details, such as its name, URL, or type.
  • Activate/Deactivate – Enables or disables the rule without deleting it.
    • Active: The rule is in use, and NETALERT regularly fetches and applies updates.
    • Inactive: The rule remains stored but is not processed or updated.
  • Delete – Permanently removes the detection rule from the system.

Detection rules in NETALERT can be added from various sources to enhance threat detection. These rule types include:

Rule Type – Description

  • Snort Compatible List (txt, one per line) – A plain text file containing Snort rules, with each rule written on a separate line. Used for defining packet inspection rules based on network traffic patterns.
  • Snort Compatible List (tar.gz, list of files) – A compressed archive containing multiple Snort rule files. The system extracts and merges them into a single ruleset for the detection engine.
  • Classic Threat Intelligence IP List (IP list, one per line) – A simple list of IP addresses, each on a separate line. Used for blocking or monitoring known malicious IPs.
  • CQ Threat Intelligence – Integrates CYBERQUEST Threat Intelligence, a proprietary threat intelligence feed. Provides real-time updates on suspicious IPs, domains, and indicators of compromise (IOCs).
  • Mining Nodes (IP, one per line) – A list of known cryptocurrency mining nodes, formatted as one IP per line. Helps in detecting unauthorized mining activity within a network.
  • TOR Exit Nodes (IP, one per line) – A list of exit nodes from the TOR (The Onion Router) network. Used to identify traffic originating from anonymized sources.
  • DDNS (IP/Server, one per line) – A list of Dynamic DNS (DDNS) hosts or IP addresses. Helps in monitoring domains that frequently change their IPs, which may indicate malicious intent.
  • BANNED DNS (IP/Server, one per line) – A list of banned DNS servers or IPs that should not be accessed within the network. Helps prevent connections to known malicious or unauthorized DNS servers.
  • BANNED SMTP (IP/Server, one per line) – A list of banned SMTP servers or IPs used for email communication. Useful for blocking known spam servers, preventing phishing attempts, or restricting outbound email traffic.
  • IOC IP (IP, one per line) – A list of IPs flagged as Indicators of Compromise (IOC). Used to detect and block traffic from known malicious sources, including botnets, malware servers, or attackers.
  • IOC Domain (Domain, one per line) – A list of domains associated with threats or compromise. Helps detect and prevent access to phishing sites, malware distribution domains, or command-and-control (C2) servers.