New IPS rule category showed up

trish · 8 February 2022 06:59

I noticed a new Suricata rule
on the bottom of the ET Community ruleset

threatview_CS_c2.rules

The category was UNchecked, if you click “show”
it shows the following rules

ET Threatview.io High Confidence Cobalt Strike C2 IP group 1
ET Threatview.io High Confidence Cobalt Strike C2 IP group 2

dark0ipfire · 8 February 2022 10:50

Thank you for the hint, activated on my box!

pmueller · 8 February 2022 19:02

Hi,

yes, the Emerging Threat folks seem to do that by default.

It is a wise decision, since one size never fits all. While these rules should not generate any false positive or other harm, they might be unwanted or unnecessary in some scenarios (such as internal networks without any internet connectivity).

Therefore, it is a good idea to check for new IPS rule categories every now and then.

Thanks, and best regards,
Peter Müller

manfred_knick · 10 February 2022 11:07

FYI:
Running “Talos VRT rules with subscription”,
I could not identify them in today’s
. . . . . ## Ruleset (2022-02-10 01:25:40)
yet.