Suricata is an excellent open source intrusion detection system that records the high quality Suricata IDS rules extracted by security operations staff. Welcome to submit 

webshell detect	#Rule directory name - clearly described according to the corresponding detection rules - webshell.pcap	#The pcap package corresponding to the rule is saved as much as possible in the form of flow. - websehll.rules	#The rule file extracted by yourself, try to test the submission. - README	#Can describe some rules related things, easy for others to understand, support Markdown 

The directory is named after a single CVE, hacking tool, threat type. If there is a corresponding rule directory, it is recommended to store it in the existing rule directory. 

After the pcap corresponding to the rule is filtered by Wireshark, use the menu file -- save a specific group -- to select the pcap format to upload. 

The rules file is named randomly, but the suffix must be rules, such as: webshell_caidao.rules 

sid： 0~1000000 Sourcefire VRT 2000001~2999999 EMerging Threats(ET) 3000000~3999999 public Network scanning 3000000～3000999 Violent cracking 3001000～3001999 Exploit 3002000～3002999 Back door 3003000～3003999 WebShell 3004000～3004999 Virus Trojan 3005000～3005999 Spyware 3006000～3006999 safety certificate 3007000～3007999 Code execution 3008000～3008999 File restore 3009000～3009999 file transfer 3010000～3010999 Suspicious DNS 3011000～3011999 HTTP 3012000～3012999 Malicious behavior 3013000～3013999 Violation operation 3014000～3014999 Sensitive information leakage 3015000～3015999 Hacking tool 3016000～3016999 Ctypto miner 3017000～3017999 Rev is incremented for each version of the rule version, metadata added creation date and creator Reference is a reference source/reference material, such as a CVE number, or a fix, an attack description, and so on. alert http any any -> any any (msg:"webshell_caidao_php"; flow:established; content:"POST"; http_method; content:".php"; http_uri; content:"base64_decode"; http_client_body; sid:3004001; rev:1; metadata:created_at 2018_11_14, by al0ne;) 

suricata-ids.rules	#A collection of all rules, directly downloading rule file replacements when updating. disable.conf	#Suricata disable rules are recorded during analysis (invalid, false positives, etc.) sid.txt	#The sid of all rules is recorded to avoid duplication, and the sid.txt file must be updated each time the rule is added.