From fac732fed8e2dba572d23a925ccf7ffe24ecde13 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 25 Sep 2017 20:32:21 +0200
Subject: [PATCH] add intrusion-detection-content-et-pro, for
 https://github.com/opnsense/core/issues/1834

(cherry picked from commit f72a5715a46a39b7bc1e11a7c6f52692adfebee5)
(cherry picked from commit edd4cab039df0cce5e0c249bd3ce9d25097838d0)
(cherry picked from commit 9c00aeb8d412fa58b48a8d96f03fddcb595ee7af)
---
 README.md                                     |  1 +
 .../Makefile                                  |  8 +++
 .../pkg-descr                                 | 14 +++++
 .../suricata/metadata/rules/et-pro.xml        | 57 +++++++++++++++++++
 4 files changed, 80 insertions(+)
 create mode 100644 security/intrusion-detection-content-et-pro/Makefile
 create mode 100644 security/intrusion-detection-content-et-pro/pkg-descr
 create mode 100644 security/intrusion-detection-content-et-pro/src/opnsense/scripts/suricata/metadata/rules/et-pro.xml

diff --git a/README.md b/README.md
index 95daa1033..bfbb22921 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,7 @@ sysutils/vmware -- VMware tools
 sysutils/xen -- Xen guest utilities
 security/acme-client -- Let's Encrypt client
 security/clamav -- Antivirus engine for detecting malicious threats
+security/intrusion-detection-content-et-pro -- IDS Proofpoint ET Pro ruleset (needs a valid subscription)
 security/intrusion-detection-content-pt-open -- IDS PT Research ruleset (only for non-commercial use)
 security/tinc -- Tinc VPN
 security/tor -- The Onion Router
diff --git a/security/intrusion-detection-content-et-pro/Makefile b/security/intrusion-detection-content-et-pro/Makefile
new file mode 100644
index 000000000..17e899263
--- /dev/null
+++ b/security/intrusion-detection-content-et-pro/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		intrusion-detection-content-et-pro
+PLUGIN_VERSION=		0.1
+PLUGIN_COMMENT=		IDS Proofpoint ET Pro ruleset (needs a valid subscription)
+PLUGIN_MAINTAINER=	ad@opnsense.org
+PLUGIN_WWW=		https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
+PLUGIN_DEVEL=		yes
+
+.include "../../Mk/plugins.mk"
diff --git a/security/intrusion-detection-content-et-pro/pkg-descr b/security/intrusion-detection-content-et-pro/pkg-descr
new file mode 100644
index 000000000..3d864a321
--- /dev/null
+++ b/security/intrusion-detection-content-et-pro/pkg-descr
@@ -0,0 +1,14 @@
+Proofpoint ET Pro is a timely and accurate rule set for detecting
+and blocking advanced threats using your existing network security
+appliances, such as next generation firewalls (NGFW) and network
+intrusion detection / prevention systems (IDS/IPS)
+
+Updated daily and available in SNORT and Suricata formats, ET Pro
+covers more than 40 different categories of network behaviors,
+malware command and control, DoS attacks, botnets, informational
+events, exploits, vulnerabilities, SCADA network protocols, exploit
+kit activity, and more.
+
+LICENSE: https://www.proofpoint.com/us/license
+
+WWW: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
diff --git a/security/intrusion-detection-content-et-pro/src/opnsense/scripts/suricata/metadata/rules/et-pro.xml b/security/intrusion-detection-content-et-pro/src/opnsense/scripts/suricata/metadata/rules/et-pro.xml
new file mode 100644
index 000000000..04b781558
--- /dev/null
+++ b/security/intrusion-detection-content-et-pro/src/opnsense/scripts/suricata/metadata/rules/et-pro.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0"?>
+<ruleset documentation_url="http://doc.emergingthreats.net/bin/view/Main/EmergingFAQ">
+	<location url="https://rules.emergingthreatspro.com/%%etpro.oinkcode%%/suricata-1.3-enhanced/emerging.rules.tar.gz" prefix="ET Pro"/>
+	<files>
+		<file description="activex" url="inline::rules/activex.rules">et_pro.activex.rules</file>
+		<file description="attack_response" url="inline::rules/attack_response.rules">et_pro.attack_response.rules</file>
+		<file description="botcc" url="inline::rules/botcc.portgrouped.rules">et_pro.botcc.portgrouped.rules</file>
+		<file description="botcc" url="inline::rules/botcc.rules">et_pro.botcc.rules</file>
+		<file description="chat" url="inline::rules/chat.rules">et_pro.chat.rules</file>
+		<file description="ciarmy" url="inline::rules/ciarmy.rules">et_pro.ciarmy.rules</file>
+		<file description="compromised" url="inline::rules/compromised.rules">et_pro.compromised.rules</file>
+		<file description="current_events" url="inline::rules/current_events.rules">et_pro.current_events.rules</file>
+		<file description="deleted" url="inline::rules/deleted.rules">et_pro.deleted.rules</file>
+		<file description="dns" url="inline::rules/dns.rules">et_pro.dns.rules</file>
+		<file description="dos" url="inline::rules/dos.rules">et_pro.dos.rules</file>
+		<file description="drop" url="inline::rules/drop.rules">et_pro.drop.rules</file>
+		<file description="dshield" url="inline::rules/dshield.rules">et_pro.dshield.rules</file>
+		<file description="exploit" url="inline::rules/exploit.rules">et_pro.exploit.rules</file>
+		<file description="ftp" url="inline::rules/ftp.rules">et_pro.ftp.rules</file>
+		<file description="games" url="inline::rules/games.rules">et_pro.games.rules</file>
+		<file description="icmp" url="inline::rules/icmp.rules">et_pro.icmp.rules</file>
+		<file description="icmp_info" url="inline::rules/icmp_info.rules">et_pro.icmp_info.rules</file>
+		<file description="imap" url="inline::rules/imap.rules">et_pro.imap.rules</file>
+		<file description="inappropriate" url="inline::rules/inappropriate.rules">et_pro.inappropriate.rules</file>
+		<file description="info" url="inline::rules/info.rules">et_pro.info.rules</file>
+		<file description="malware" url="inline::rules/malware.rules">et_pro.malware.rules</file>
+		<file description="misc" url="inline::rules/misc.rules">et_pro.misc.rules</file>
+		<file description="mobile_malware" url="inline::rules/mobile_malware.rules">et_pro.mobile_malware.rules</file>
+		<file description="netbios" url="inline::rules/netbios.rules">et_pro.netbios.rules</file>
+		<file description="p2p" url="inline::rules/p2p.rules">et_pro.p2p.rules</file>
+		<file description="policy" url="inline::rules/policy.rules">et_pro.policy.rules</file>
+		<file description="pop3" url="inline::rules/pop3.rules">et_pro.pop3.rules</file>
+		<file description="rbn-malvertisers" url="inline::rules/rbn-malvertisers.rules">et_pro.rbn-malvertisers.rules</file>
+		<file description="rbn" url="inline::rules/rbn.rules">et_pro.rbn.rules</file>
+		<file description="rpc" url="inline::rules/rpc.rules">et_pro.rpc.rules</file>
+		<file description="scada" url="inline::rules/scada.rules">et_pro.scada.rules</file>
+		<file description="scada_special" url="inline::rules/scada_special.rules">et_pro.scada_special.rules</file>
+		<file description="scan" url="inline::rules/scan.rules">et_pro.scan.rules</file>
+		<file description="shellcode" url="inline::rules/shellcode.rules">et_pro.shellcode.rules</file>
+		<file description="smtp" url="inline::rules/smtp.rules">et_pro.smtp.rules</file>
+		<file description="snmp" url="inline::rules/snmp.rules">et_pro.snmp.rules</file>
+		<file description="sql" url="inline::rules/sql.rules">et_pro.sql.rules</file>
+		<file description="telnet" url="inline::rules/telnet.rules">et_pro.telnet.rules</file>
+		<file description="tftp" url="inline::rules/tftp.rules">et_pro.tftp.rules</file>
+		<file description="tor" url="inline::rules/tor.rules">et_pro.tor.rules</file>
+		<file description="trojan" url="inline::rules/trojan.rules">et_pro.trojan.rules</file>
+		<file description="user_agents" url="inline::rules/user_agents.rules">et_pro.user_agents.rules</file>
+		<file description="voip" url="inline::rules/voip.rules">et_pro.voip.rules</file>
+		<file description="web_client" url="inline::rules/web_client.rules">et_pro.web_client.rules</file>
+		<file description="web_server" url="inline::rules/web_server.rules">et_pro.web_server.rules</file>
+		<file description="web_specific_apps" url="inline::rules/web_specific_apps.rules">et_pro.web_specific_apps.rules</file>
+		<file description="worm" url="inline::rules/worm.rules">et_pro.worm.rules</file>
+	</files>
+	<properties>
+		<property name="etpro.oinkcode" default=""/>
+	</properties>
+</ruleset>