Man typing on laptop

ET Pro Ruleset

A timely and accurate rule set for detecting and blocking advanced threats using your existing network security appliances.


Proofpoint ET Pro is a timely and accurate rule set for detecting and blocking advanced threats using your existing network security appliances, such as next generation firewalls (NGFW) and network intrusion detection / prevention systems (IDS/IPS). Updated daily and available in SNORT and Suricata formats, ET Pro covers more than 40 different categories of network behaviors, malware command and control, DoS attacks, botnets, informational events, exploits, vulnerabilities, SCADA network protocols, exploit kit activity, and more.

Today, advanced cyber attack campaigns are perpetrated by a variety of actors with motives ranging from profit to espionage. While the basic tools used to execute these attacks have common elements and are often derived from fewer than 20 known exploit kits, each campaign is unique in its use of bot nets, proxies, attack vectors, and command and control systems. Given the dynamic nature of these campaigns, it has become nearly impossible for enterprises to keep pace with the changing threat landscape. That’s where Proofpoint comes in.

Benefits and Features

Decades of Threat Intelligence Experience

Serious security professionals have very few high-quality options available for network detection rules. ET Pro Ruleset leverages Proofpoint's massive international malware exchange, an automated virtualization and bare metal sandbox environment, a global sensor network, and over a decade of anti-evasion and threat intelligence experience to develop and maintain our ET Pro rule set.


There are five requirements for producing quality network-based detection in the face of a constantly evolving threat landscape:

  1. Early access to the latest malware samples from around the world.

  2. An automated sandbox environment, capable of evaluating millions of new malware samples per day and capturing the resulting network behavior.

  3. Dedicated focus on detecting the interaction between the compromised organization and the attackers’ command and control systems.

  4. Unwavering commitment to writing and testing high-fidelity detection signatures to minimize false positives.

  5. Daily updates.

Network-Based Advanced Threat Detection


Security teams are often dissatisfied with their network IDS/IPS and NGFW deployments due to the overwhelming number of false positives and their inability to notify them when an actual breach takes place. This is because standard IDS/IPS signatures are designed to detect exploits against known vulnerabilities in hosts on the network – even if the systems are patched and not actually vulnerable. Yet, these security platforms are ideally positioned on the network to monitor for malware activity, including stealth communication to and from the remote command and control sites.

ET Pro features include:


  • Emphasis on fingerprinting actual malware / C2 / exploit kits, and in the wild malicious activity missed by traditional prevention methods.
  • Support for both SNORT and Suricata IDS/IPS formats.
  • Over 36,000 rules in over 40 categories.
  • 10 to 50+ new rules are released each day.
  • Extensive signature descriptions, references, and documentation.
  • Very low false positive rating through the use of state-of-the-art malware sandbox and global sensor network feedback loop.
  • Includes ET Open. ET Pro allows you to benefit from the collective intelligence provided by one the largest and most active IDS/IPS rule writing communities.  Rule submissions are received from all over the world covering never seen before threats—all tested by the Proofpoint’s ET Labs research team to ensure optimum performance and accurate detection.

Focused Coverage

While the Proofpoint ET Pro offers complete coverage for numerous threats, it offers unrivaled network-based detection logic to identify Malware command and control communications, known bad landing pages, bot nets, communication with drive by sites and other advanced threats – using your existing IDS/IPS or NGFW platform.

ET Pro bolsters your network security platforms with high-fidelity detection of advanced threats, including:

  • All major malware families covered by command and control channel and protocol.

  • Detection across all network-based threat vectors, from SCADA protocols, Web Servers, to the latest client-side attacks served up by exploit kits. 

  • The most accurate malware call-back, dropper, command-and-control, obfuscation, exploit-kit related, and exfiltration signatures the industry can offer.

  • Comprehensive rule set also includes regularly prescribed CVE updates, including MS MAPP & Patch Tuesday updates.

Platform Independent

ET Pro ruleset is available in multiple formats for use in a variety of network security applications. The formats include various releases of SNORT and Suricata IDS/IPS platforms. It is the only rule set that is specifically written for the Suricata platform to take full advantage of next generation IDS/IPS features. The ET Pro ruleset is optimized to make the best use of the feature set and version of each IDS/IPS engine it supports.


The ET Pro ruleset:

  • Runs transparently on systems supporting the current and earlier versions of SNORT.

  • Is the only ruleset optimized for the next generation Suricata open source IDS/IPS engine.

  • Create custom OEM versions of ET Pro for integration into proprietary network security appliances.

Threat Intelligence Portal

Massive international malware exchanges and decades of threat intelligence experience are leveraged to develop and maintain our ET Pro rule set.