From f72a5715a46a39b7bc1e11a7c6f52692adfebee5 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 25 Sep 2017 20:32:21 +0200
Subject: [PATCH] add intrusion-detection-content-et-pro, for
 https://github.com/opnsense/core/issues/1834

---
 .../Makefile                                  |  7 +++
 .../pkg-descr                                 |  2 +
 .../pkg-plist                                 |  8 +++
 .../suricata/metadata/rules/et-pro.xml        | 57 +++++++++++++++++++
 4 files changed, 74 insertions(+)
 create mode 100644 security/intrusion-detection-content-et-pro/Makefile
 create mode 100644 security/intrusion-detection-content-et-pro/pkg-descr
 create mode 100644 security/intrusion-detection-content-et-pro/pkg-plist
 create mode 100644 security/intrusion-detection-content-et-pro/src/opnsense/scripts/suricata/metadata/rules/et-pro.xml

diff --git a/security/intrusion-detection-content-et-pro/Makefile b/security/intrusion-detection-content-et-pro/Makefile
new file mode 100644
index 000000000..34af52c26
--- /dev/null
+++ b/security/intrusion-detection-content-et-pro/Makefile
@@ -0,0 +1,7 @@
+PLUGIN_NAME=		intrusion-detection-content-et-pro
+PLUGIN_VERSION=		1.0
+PLUGIN_COMMENT=		IDS Proofpoint ET Pro ruleset (needs a valid subscription)
+PLUGIN_MAINTAINER=	ad@opnsense.org
+PLUGIN_WWW=		https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
+
+.include "../../Mk/plugins.mk"
diff --git a/security/intrusion-detection-content-et-pro/pkg-descr b/security/intrusion-detection-content-et-pro/pkg-descr
new file mode 100644
index 000000000..8c7e58b10
--- /dev/null
+++ b/security/intrusion-detection-content-et-pro/pkg-descr
@@ -0,0 +1,2 @@
+Proofpoint ET Pro is a timely and accurate rule set for detecting and blocking advanced threats using your existing network security appliances, 
+such as next generation firewalls (NGFW) and network intrusion detection / prevention systems (IDS/IPS)
\ No newline at end of file
diff --git a/security/intrusion-detection-content-et-pro/pkg-plist b/security/intrusion-detection-content-et-pro/pkg-plist
new file mode 100644
index 000000000..bb6cd82c6
--- /dev/null
+++ b/security/intrusion-detection-content-et-pro/pkg-plist
@@ -0,0 +1,8 @@
+Proofpoint ET Pro is a timely and accurate rule set for detecting and blocking advanced threats using your existing network security appliances, 
+such as next generation firewalls (NGFW) and network intrusion detection / prevention systems (IDS/IPS). 
+Updated daily and available in SNORT and Suricata formats, ET Pro covers more than 40 different categories of network behaviors, 
+malware command and control, DoS attacks, botnets, informational events, exploits, vulnerabilities, SCADA network protocols, exploit kit activity, and more.
+
+LICENSE: https://www.proofpoint.com/us/license
+
+WWW: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
diff --git a/security/intrusion-detection-content-et-pro/src/opnsense/scripts/suricata/metadata/rules/et-pro.xml b/security/intrusion-detection-content-et-pro/src/opnsense/scripts/suricata/metadata/rules/et-pro.xml
new file mode 100644
index 000000000..337e5439e
--- /dev/null
+++ b/security/intrusion-detection-content-et-pro/src/opnsense/scripts/suricata/metadata/rules/et-pro.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0"?>
+<ruleset documentation_url="http://doc.emergingthreats.net/bin/view/Main/EmergingFAQ">
+	<location url="https://rules.emergingthreatspro.com/%%etpro.oinkcode%%/suricata-1.3-enhanced/emerging.rules.tar.gz" prefix="ET Pro"/>
+	<files>
+		<file description="activex" url="inline::rules/activex.rules">et_pro.activex.rules</file>
+		<file description="attack_response" url="inline::rules/attack_response.rules">et_pro.attack_response.rules</file>
+		<file description="botcc" url="inline::rules/botcc.portgrouped.rules">et_pro.botcc.portgrouped.rules</file>
+		<file description="botcc" url="inline::rules/botcc.rules">et_pro.botcc.rules</file>
+		<file description="chat" url="inline::rules/chat.rules">et_pro.chat.rules</file>
+		<file description="ciarmy" url="inline::rules/ciarmy.rules">et_pro.ciarmy.rules</file>
+		<file description="compromised" url="inline::rules/compromised.rules">et_pro.compromised.rules</file>
+		<file description="current_events" url="inline::rules/current_events.rules">et_pro.current_events.rules</file>
+		<file description="deleted" url="inline::rules/deleted.rules">et_pro.deleted.rules</file>
+		<file description="dns" url="inline::rules/dns.rules">et_pro.dns.rules</file>
+		<file description="dos" url="inline::rules/dos.rules">et_pro.dos.rules</file>
+		<file description="drop" url="inline::rules/drop.rules">et_pro.drop.rules</file>
+		<file description="dshield" url="inline::rules/dshield.rules">et_pro.dshield.rules</file>
+		<file description="exploit" url="inline::rules/exploit.rules">et_pro.exploit.rules</file>
+		<file description="ftp" url="inline::rules/ftp.rules">et_pro.ftp.rules</file>
+		<file description="games" url="inline::rules/games.rules">et_pro.games.rules</file>
+		<file description="icmp" url="inline::rules/icmp.rules">et_pro.icmp.rules</file>
+		<file description="icmp_info" url="inline::rules/icmp_info.rules">et_pro.icmp_info.rules</file>
+		<file description="imap" url="inline::rules/imap.rules">et_pro.imap.rules</file>
+		<file description="inappropriate" url="inline::rules/inappropriate.rules">et_pro.inappropriate.rules</file>
+		<file description="info" url="inline::rules/info.rules">et_pro.info.rules</file>
+		<file description="malware" url="inline::rules/malware.rules">et_pro.malware.rules</file>
+		<file description="misc" url="inline::rules/misc.rules">et_pro.misc.rules</file>
+		<file description="mobile_malware" url="inline::rules/mobile_malware.rules">et_pro.mobile_malware.rules</file>
+		<file description="netbios" url="inline::rules/netbios.rules">et_pro.netbios.rules</file>
+		<file description="p2p" url="inline::rules/p2p.rules">et_pro.p2p.rules</file>
+		<file description="policy" url="inline::rules/policy.rules">et_pro.policy.rules</file>
+		<file description="pop3" url="inline::rules/pop3.rules">et_pro.pop3.rules</file>
+		<file description="rbn-malvertisers" url="inline::rules/rbn-malvertisers.rules">et_pro.rbn-malvertisers.rules</file>
+		<file description="rbn" url="inline::rules/rbn.rules">et_pro.rbn.rules</file>
+		<file description="rpc" url="inline::rules/rpc.rules">et_pro.rpc.rules</file>
+		<file description="scada" url="inline::rules/scada.rules">et_pro.scada.rules</file>
+		<file description="scada_special" url="inline::rules/scada_special.rules">et_pro.scada_special.rules</file>
+		<file description="scan" url="inline::rules/scan.rules">et_pro.scan.rules</file>
+		<file description="shellcode" url="inline::rules/shellcode.rules">et_pro.shellcode.rules</file>
+		<file description="smtp" url="inline::rules/smtp.rules">et_pro.smtp.rules</file>
+		<file description="snmp" url="inline::rules/snmp.rules">et_pro.snmp.rules</file>
+		<file description="sql" url="inline::rules/sql.rules">et_pro.sql.rules</file>
+		<file description="telnet" url="inline::rules/telnet.rules">et_pro.telnet.rules</file>
+		<file description="tftp" url="inline::rules/tftp.rules">et_pro.tftp.rules</file>
+		<file description="tor" url="inline::rules/tor.rules">et_pro.tor.rules</file>
+		<file description="trojan" url="inline::rules/trojan.rules">et_pro.trojan.rules</file>
+		<file description="user_agents" url="inline::rules/user_agents.rules">et_pro.user_agents.rules</file>
+		<file description="voip" url="inline::rules/voip.rules">et_pro.voip.rules</file>
+		<file description="web_client" url="inline::rules/web_client.rules">et_pro.web_client.rules</file>
+		<file description="web_server" url="inline::rules/web_server.rules">et_pro.web_server.rules</file>
+		<file description="web_specific_apps" url="inline::rules/web_specific_apps.rules">et_pro.web_specific_apps.rules</file>
+		<file description="worm" url="inline::rules/worm.rules">et_pro.worm.rules</file>
+	</files>
+	<properties>
+		<property name="etpro.oinkcode" default=""/>
+	</properties>
+</ruleset>
\ No newline at end of file