ET COMPROMISED Known Compromised or Hostile Host Traffic group 17

Started by Meg, December 21, 2024, 11:02:56 PM

Hello. I am new to using suricata and et rulesets and trying to figure a few things out. Can anybody explain to me what the numbers mean for the traffic groups in the ET alerts? I don't seem to see anything online explaining this. E.g. Hostile Host Traffic group 8, Hostile Host Traffic group 17, Hostile Host Traffic group 18.

Thanks in advance.

Some of the rules/sids from some of these Rule groups are merely IOCs (Indicators of Compromise) and the rule hit (event) is that IP/IOC (sometimes it is a file hash / email / FQDN / TLD) interacting with one of your hosts or your perimeter.

The rule authors will take events from known TP (True Positive) events and make rules involving them; likely they can be ignored unless they are very high and dealing with an internal IP (versus your external IP only). Sometimes you can see these events with some frequency if someone is using P2P or using Onion/TOR - but with the scanners/bots out there, you will see them with some frequency on just your Public IP (IPv4/IPv6).

Example:
root@opnsense:~ # grep 'Known Compromised' /usr/local/etc/suricata/opnsense.rules/*.rules | tail -n 1
alert ip [84.247.153.0,85.208.253.90,85.226.230.194,85.30.153.126,86.2.44.66,86.86.210.11,87.106.177.211,87.120.114.139,87.139.32.204,88.151.32.81,88.156.95.5,88.170.164.47,88.198.89.53,88.218.78.229,89.101.28.237,89.185.85.121,89.22.234.64,89.39.121.161,91.121.165.11,91.149.219.221,91.151.95.24,91.227.62.22,91.227.62.23,92.255.57.132,92.255.85.107,92.255.85.253,92.48.204.15,93.123.85.192,93.126.53.41,93.67.149.144] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 22"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500042; rev:7113; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2024_12_20;)

To that end, unless the threat actor group (APT and then a number or sometimes a phonetic name) is mentioned, the group number has no meaning AFAIK.