Rule format

YAML Rules

Native rule format for OT/ICS detection. Suricata .rules files are also fully supported.

Examples

Modbus Write Detection

rules:
  - sid: 9000001
    msg: "Modbus write to safety-critical registers"
    severity: critical
    protocol: modbus
    flow: established, to_server
    match:
      modbus.function_code: [5, 6, 15, 16]
      modbus.register_address: 0-99
    classtype: ot-safety-violation
    metadata:
      mitre: T0836
      affected_devices: [PLC, RTU]

DNP3 Cold Restart

rules:
  - sid: 9000010
    msg: "DNP3 cold restart command"
    severity: critical
    protocol: dnp3
    flow: established, to_server
    match:
      dnp3.function_code: 13       # DNP3 COLD_RESTART
    classtype: ot-device-control

HTTP Content Match

rules:
  - sid: 9000100
    msg: "HTTP access to OT web panel"
    severity: medium
    protocol: http
    flow: established, to_server
    content:
      - pattern: "/cgi-bin/config"
        buffer: http.uri
        nocase: true
      - pattern: "admin"
        buffer: http.request_body
    classtype: web-application-attack

Reference

Rule Schema

Field     | Type    | Description
----------|---------|-------------------------------------------------
sid       | integer | Unique signature ID (required)
msg       | string  | Alert message (required)
severity  | string  | one of: low, medium, high, critical
protocol  | string  | modbus, dnp3, http, dns, any, tcp, udp, ...
flow      | string  | established, to_server, to_client, stateless
match     | map     | Protocol field conditions (field: value)
content   | list    | Byte pattern matches with buffers
pcre      | string  | Regular expression (/pattern/flags)
threshold | map     | Rate limiting (type, track, count, seconds)
classtype | string  | Alert classification

Match Operators

match:                                 # one operator per line for illustration;
                                       # a real rule names each field only once
  modbus.function_code: 5              # exact match
  modbus.function_code: [5, 6, 15, 16] # any of (OR)
  modbus.register_address: 0-99        # range (inclusive)
  s7comm.pdu_type: "!1"                # not equal
  bacnet.bvlc_length: ">1024"          # greater than
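
A reference evaluator for these operators, added here as an example and not Intrufend's own code: it holds the page's Modbus write rule as the dict PyYAML would load it and applies the exact, list, range, not-equal and greater-than forms to constructed sample decodes (the message dicts and field names are assumptions).

```python
import re

# Constructed to mirror the page's "Modbus write to safety-critical registers"
# rule as PyYAML would load it (flow/classtype/metadata omitted for brevity).
MODBUS_WRITE_RULE = {
    "sid": 9000001,
    "protocol": "modbus",
    "match": {
        "modbus.function_code": [5, 6, 15, 16],  # any of (OR)
        "modbus.register_address": "0-99",       # inclusive range
    },
}

RANGE_RE = re.compile(r"^(\d+)-(\d+)$")


def _coerce(text):
    """Turn the operand of a '!' operator back into an int where it is numeric."""
    return int(text) if text.isdigit() else text


def field_matches(expected, actual):
    """Apply one match-operator value (exact, list, range, !, >) to a field."""
    if isinstance(expected, list):               # [5, 6, 15, 16]: any of (OR)
        return any(field_matches(e, actual) for e in expected)
    if isinstance(expected, str):
        m = RANGE_RE.match(expected)
        if m:                                    # "0-99": inclusive range
            return int(m.group(1)) <= int(actual) <= int(m.group(2))
        if expected.startswith("!"):             # "!1": not equal
            return not field_matches(_coerce(expected[1:]), actual)
        if expected.startswith(">"):             # ">1024": greater than
            return int(actual) > int(expected[1:])
    return expected == actual                    # exact match


def rule_matches(rule, message):
    """True when the protocol matches and every 'match' condition holds.

    message is a constructed dict of decoded fields keyed like the rule
    (e.g. 'modbus.function_code'). A field absent from the decode never
    matches, so a partial decode cannot raise the alert.
    """
    if rule["protocol"] not in ("any", message.get("protocol")):
        return False
    return all(
        field in message and field_matches(cond, message[field])
        for field, cond in rule["match"].items()
    )
```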

Content Modifiers

content:
  - pattern: "GUID="
    buffer: http.request_body    # sticky buffer
    startswith: true             # must match at buffer start
    fast_pattern: true           # use for prefilter
    nocase: true                 # case-insensitive
  - pattern: "&BUILD="
    buffer: http.request_body
    distance: 0                  # relative to previous match
  - pattern: "!admin"            # negated (must NOT match)
    buffer: http.uri

Auto-Detection

Place rule files in /etc/intrufend/rules/. The engine auto-detects format by extension:

.yml / .yaml  ->  Intrufend YAML parser
.rules        ->  Suricata-compatible parser

Both formats produce identical detection performance; there is zero runtime difference between them.

Community Rules

All 49,000+ ET-Open community rules are fully supported. Drop .rules files into /etc/intrufend/rules/, or run sudo intrufend-update-rules to download the latest ruleset automatically.