Emerging Threats Rule Documentation Wiki
This wiki contains all current rules, added as each is put into the main tarball and cvs repository. The rule author, if available, is primarily responsible for the documentation of a rule, however the entire community is encouraged and welcomed to contribute or document any rule. You may attach pcaps, packet text, and even code samples to any entry relevant. This is particularly useful for future troubleshooting. Please document if possible where the sample was captured. If you have a sample that's not suitable for posting publicly please contact email@example.com
and it can be archived privately, available to any vetted researcher.
Last 50 Signature Changes
Want some guidance on using the Emerging Threats Rulesets for the first time? NewUserGuide
Some tips on writing rules? SuricataSnortSigs101
Tips on what to add to your local ruleset that's not in the main rulesets: WhatEveryIDSUserShouldDo
Feature development discussions around the Open Information Security Foundation's new projects! ( http://www.openinfosecfoundation.org
All additions will be reviewed by the documentation team at Emerging Threats, a volunteer group. Please report any inaccuracies or wikispam to firstname.lastname@example.org.
To post please register. -- Registration
Follow documentation updates via WebRss
All rules are available by accessing the following URL format:
As a rule is changed the new revision will automatically be placed above the old rule and old comments with an Auto-Added timestamp. This should allow a conversation to be relevant to the revision of the rule at the time. Please post "Yes, that fixed it" comments if a new revision fixes an older issue.
Within each signature entry there is a form to place a comment, suitable for short entries or questions about a rule. For larger posts or formal documentation please use the edit function and place the information below other content. You can use most html tags, recommend using PRE tags with code or packet text to keep it formatted as intended.
Signature authors are informally responsible for initial documentation where necessary. However ANY user may post information they have to contribute, and please do.
Documentation need not be formal. Links to POC code, vulnerability alerts, even mailing list conversations may be added to the rule's documentation. More information is definitely best. The Emerging Documentation team will review and reformat things as required over time.
See the EmergingFAQ