Question 1

How to integrate TGI HUNT rules with an existing Suricata setup?

Accepted Answer

Ensure you have Suricata version 7.0.3 or above, download the rule files from the repository, and add them to your Suricata configuration directory. Then, enable the rules in your suricata.yaml file for anomaly detection and threat hunting activities.

Question 2

Are Suricata Hunting Rules better than Emerging Threats rules for anomaly detection?

Accepted Answer

TGI HUNT is specifically optimized for threat hunting and anomaly detection, while Emerging Threats rules are more general-purpose and performance-focused. For proactive investigation, TGI HUNT offers deeper insights, but it may sacrifice performance compared to broader rule sets.

Question 3

What kind of network anomalies do these rules detect?

Accepted Answer

These rules identify suspicious patterns like unusual traffic spikes, protocol deviations, and behaviors linked to malware or advanced persistent threats, as detailed in the anomaly detection features. They are designed to catch indicators that standard signature-based rules might miss.

Question 4

Can I use TGI HUNT in a high-speed production network?

Accepted Answer

While possible, it's not recommended due to performance limitations. The project explicitly warns about poor performance on high-throughput networks, so it's better suited for controlled monitoring or investigation environments rather than real-time, high-speed deployments.

Question 5

How often are these hunting rules updated?

Accepted Answer

The project welcomes feedback via GitHub issues, suggesting ongoing development, but update frequency isn't specified. Check the repository for recent commits or releases to gauge activity and rule freshness.

Question 6

Do these rules have a high false positive rate?

Accepted Answer

Since they focus on anomaly detection, they may generate more false positives compared to precise signature-based rules. Users should expect to tune and validate rules in their specific network context to balance detection and noise.

Hunting rules

What is Hunting rules?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions