ET PRO Ruleset in OSSIM


If you own an ET Pro Ruleset License, is it possible to use that ruleset with OSSIM?  If so, what's the best way?


  • Hi sdsponger,

    Can you please tell me why you are wanting to use third-party rule sets instead of the 3000+ rule sets that come with USM? If you try to import rules from a third party you will create duplicate rules and will fill up your database, which will cripple USM. You can customize preconfigured NIDS rules and read about it here: https://www.alienvault.com/documentation/usm-appliance/ids-configuration/customizing-alienvault-nids-rules.htm

  • I understand why you would want to use the ET Pro Ruleset if you are using OSSIM and not USM. USM uses the ET Pro ruleset already, so if you have a USM license then there is no need to do anything else. If you are using OSSIM then yes, you can use your ET Pro subscription. You just need to script it out using one of the various options out there to download the ruleset. Then just modify your rule-files.yaml file to use the ET Pro rules and make sure that you include this at the end of your suricata.yaml file: include: rule-files.yaml

    I do this and it works great; you just have to make sure that your rule-files.yaml file does not get overwritten, and always keep a backup of the file in case it does. Since AlienVault uses the ET Pro ruleset in their USM, the new rules will be added into the database as they do their updates, so everything stays in sync. At most I have a few signatures that hit the generic rule until the database is updated.
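
    The steps in the post above (back up rule-files.yaml, list the ET Pro rule files in it, and make sure suricata.yaml ends with the include line), as an added example script that is not from the thread, from AlienVault, or from Emerging Threats. Everything in it is an assumption: the rules directory and config directory are passed as arguments, the ET Pro download URL and the ETPRO_OINKCODE value are placeholders to replace with the ones from your subscription, and the ETPRO_APPLY=1 switch only exists so the functions can be loaded without touching a live system.

```shell
#!/bin/sh
# Added example, not code from the thread. Maintains a Suricata
# rule-files.yaml for ET Pro rules, keeps a dated backup of the previous
# file, and appends "include: rule-files.yaml" to suricata.yaml exactly once.
set -u

# Download and unpack the ET Pro tarball. URL form is a placeholder
# (assumption): use the download URL and oinkcode from your ET Pro account.
# Not called by the other functions, so the rest runs offline.
fetch_etpro_rules() {
    oinkcode=$1; dest=$2
    curl -fsSL "https://PLACEHOLDER-ETPRO-HOST/${oinkcode}/suricata/etpro.rules.tar.gz" \
        -o "$dest/etpro.rules.tar.gz" \
        && tar -xzf "$dest/etpro.rules.tar.gz" -C "$dest"
}

# Rewrite rule-files.yaml so it lists every *.rules file in rules_dir.
# The existing file is copied to a timestamped .bak first, because the post
# warns that updates can overwrite it.
write_rule_files_yaml() {
    rules_dir=$1; out=$2
    if [ -f "$out" ]; then
        cp "$out" "$out.bak.$(date +%Y%m%d%H%M%S)"
    fi
    {
        echo "default-rule-path: $rules_dir"
        echo "rule-files:"
        for f in "$rules_dir"/*.rules; do
            [ -f "$f" ] || continue
            echo "  - $(basename "$f")"
        done
    } > "$out"
}

# Count the rule files listed in a rule-files.yaml (handy for a sanity check
# before restarting Suricata).
count_listed_rule_files() {
    grep -c '^  - .*\.rules$' "$1"
}

# Append "include: <file>" to suricata.yaml only if that exact line is
# not already present, so re-running the script never duplicates it.
ensure_include() {
    conf=$1; inc=$2
    if ! grep -qx "include: $inc" "$conf"; then
        printf '\ninclude: %s\n' "$inc" >> "$conf"
    fi
}

# Real run (paths are assumptions):
#   ETPRO_APPLY=1 ETPRO_OINKCODE=xxxx sh etpro-rules.sh /etc/suricata/rules /etc/suricata
if [ "${ETPRO_APPLY:-}" = "1" ]; then
    rules_dir=$1; conf_dir=$2
    fetch_etpro_rules "${ETPRO_OINKCODE:?set ETPRO_OINKCODE}" "$rules_dir"
    write_rule_files_yaml "$rules_dir" "$conf_dir/rule-files.yaml"
    ensure_include "$conf_dir/suricata.yaml" rule-files.yaml
    echo "listed $(count_listed_rule_files "$conf_dir/rule-files.yaml") rule files"
fi
```

    The included file only carries default-rule-path and rule-files, so it replaces whatever rule list the main suricata.yaml had; after running it, validate with suricata -T -c /etc/suricata/suricata.yaml before restarting, and diff the .bak copy against the new rule-files.yaml whenever an update has touched the file.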
