Exporting Rules & IOCs
IDSTower features an export functionality that can export IDSTower-managed IDS Rules and Indicators of Compromise (IOCs) in various formats to other tools/systems, including independently managed Suricata instances.
There are various use cases for exporting rules and IOCs, some of which are:
Exporting IDS Rules to a standalone Suricata instance.
Exporting IDS Rules to a different IDSTower instance (eg: vendor to customer).
Exporting IDS Rules to various customers (eg: MSSP).
Exporting IOCs to a SIEM system.
Exporting IOCs to a Threat Intelligence Platform.
The export feature allows you to export IDS Rules and IOCs in various formats, including:
Standard Suricata/Snort IDS Rules format (Text).
Suricata/Snort Rules in STIX 2.1 format (Json).
IOCs in text format (one per line).
IOCs in STIX 2.1 format (Json).
IOCs in Suricata Dataset format, which is used for efficient IOC alerting in Suricata (Text).
IOCs in Suricata Datarep format, the older approach to IP reputation alerting (Text).
IOCs as Suricata Rules, which converts IOCs into Suricata Rules and is normally used for compatibility reasons (Text).
The export settings contain various options that allow you to customize the export process, some of which are:
Transformation Settings: These allow you to customize how the exported IDS Rules are transformed; for example, you can enable or disable the heuristic that sets the Target keyword value.
Filtration Settings: These allow you to filter the exported IDS Rules/IOCs based on various criteria; for example, you can filter rules by Rule Category or IOCs by their score.
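To make the IOC export formats listed above and the score-based filtration concrete, here is an added example (not IDSTower's own code) that takes a constructed IOC list, applies a minimum-score filter, and writes the surviving IOCs out as Suricata dataset lines, datarep lines and per-IOC Suricata rules. The IOC values, the 0-100 score range, the datarep category id and the SID range are all assumptions for the example.

```python
import base64
import ipaddress

# Constructed sample IOCs (placeholder values, not real indicators).
# Score is assumed to be 0-100; the page does not state its range.
IOCS = [
    {"value": "198.51.100.23", "type": "ip", "score": 90},
    {"value": "203.0.113.7", "type": "ip", "score": 40},
    {"value": "bad.example.net", "type": "domain", "score": 85},
    {"value": "benign.example.org", "type": "domain", "score": 10},
]


def filter_by_score(iocs, min_score):
    """Filtration setting: keep only IOCs whose score meets the threshold."""
    return [i for i in iocs if i["score"] >= min_score]


def to_dataset_lines(iocs, ioc_type):
    """Suricata dataset file, one entry per line: 'ip' datasets hold plain
    addresses, 'string' datasets (used here for domains) hold base64 values."""
    out = []
    for i in (x for x in iocs if x["type"] == ioc_type):
        if ioc_type == "ip":
            out.append(str(ipaddress.ip_address(i["value"])))  # validates the address
        else:
            out.append(base64.b64encode(i["value"].encode()).decode())
    return out


def to_datarep_lines(iocs, category_id):
    """Suricata datarep (iprep) file: <ip>,<category id>,<reputation 0-127>.
    The 0-100 score is scaled into Suricata's 0-127 range (an assumption)."""
    return [f"{i['value']},{category_id},{i['score'] * 127 // 100}"
            for i in iocs if i["type"] == "ip"]


def to_rules(iocs, sid_start):
    """Compatibility export: one Suricata rule per IOC with sequential SIDs."""
    rules = []
    for sid, i in enumerate(iocs, start=sid_start):
        if i["type"] == "ip":
            rules.append(f'alert ip {i["value"]} any -> $HOME_NET any '
                         f'(msg:"IOC IP {i["value"]}"; sid:{sid}; rev:1;)')
        else:  # domain: match the DNS query name
            rules.append(f'alert dns any any -> any any (msg:"IOC domain {i["value"]}"; '
                         f'dns.query; content:"{i["value"]}"; nocase; sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    high = filter_by_score(IOCS, 50)
    print("\n".join(to_datarep_lines(high, 1) + to_dataset_lines(high, "domain")
                    + to_rules(high, 9000001)))
```

Only the IOCs scoring 50 or more survive the filter, so the datarep output contains a single address and the rules output two rules (one IP, one DNS query).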
Once the export is added, the exported data can then be downloaded directly from IDSTower via a custom authenticated http(s) link.
In the next guides we will showcase the various options and features available in the IDSTower export feature.