Emerging-trojan.rules vanished

Hello everybody,
in my IPS I am using the Emerging Threats community rules. When checking the newly downloaded ruleset I realised that emerging-trojan.rules were missing.
Can I download these rules manually and copy them in the folder /var/lib/suricata ?
Should your answer be ‘yes’, is it guaranteed when downloading next time they are contained in the new ruleset?
Thank you for your assist in advance :slight_smile:
Cheers, Pierre


Looks like proofpoint has removed the trojan group or moved to the commercial pro ruleset.

Hi Arne,
it’s not correct, what you wrote. I have registered to the mailing list for Emerging updates.
As of 11/02/2021 I received these news:
Here you’ll find the according archive entry:

I still don’t know, whether I can download the missing rules manually and paste them in the appropriate folder.


Am I the only one with this problem?

Looks like they disappeared for me as well.

If you find out anything more please do let us know.


Hi @anon4944014

So I had a look at the code for getting the rules and found the url to get the community rules. I downloaded the tarball from that url and had a look in it and the emerging-trojan.rules rule is missing from it.

I then went to the emergingthreats.net website and found the rules and had a look at them. There are two directories of community rules one for suricata-4.0 and one for suricata-5.0

IPFire downloads the rules from suricata-5.0 This set no longer has the emerging-trojan.rules in it.
The suricata-4.0 set still has the emerging-trojan.rules in it.

You need to contact emergingthreats.net to find out why the rule was removed from the suricata-5.0 directory set and if it can be returned.


@bonnietwin … thanks for the follow-up.

Hi all,
today I sent a mail concerning this topic to proofpoint and emergingthreats as well. I wonder whether I shall get a reply. I keep you informed.
Excuse me please, I have not resarched accurately enough. My statement in posting No.3 was not correct.
Cheers, Pierre

today morning I received a reply from proofpoint. Here ist the most interesting part:

The “Trojan” category has been renamed to “Malware” in our Suricata 5 ruleset. For example, you will find SID 2031615 here, in our Suricata 5 ET OPEN set: https://rules.emergingthreatspro.com/open/suricata-5.0/rules/emerging-malware.rules

The daily notification is automatically generated from our Suricata 4 rule release, so it still has the ‘older’ category reference. I understand this is confusing and we’re working to make that change.

I think it is the solution for us.
Cheers, Pierre


Thanks @anon4944014.
I taked a look to malware section, and actually it’s huge.


1 Like

Thanks @anon4944014!!!