Man typing on laptop

ET Pro® Ruleset

A timely and accurate rule set for detecting and blocking advanced threats using your existing network security appliances.


Proofpoint ET PRO® is a timely and accurate rule set for detecting and blocking advanced threats using your existing network security appliances, such as next generation firewalls (NGFW) and network intrusion detection/prevention systems (IDS/IPS). Updated daily and available in Suricata and Snort formats, ET Pro® covers more than 40 different categories of malware command and control, credential phishing, DDoS, botnets, network anomalies, exploits, vulnerabilities, SCADA exploit kit activity, and much more.

Today, advanced cyber-attack campaigns are perpetrated by a variety of attackers with motives ranging from profit to espionage. Given the dynamic nature of these threats, it has become nearly impossible for enterprises to keep pace with the changing threat landscape. That’s where Proofpoint comes in.

Benefits and Features

Decades of Threat Intelligence Experience

Serious security professionals have very few high-quality options available for network detection rules. We use our massive international malware exchange, an automated virtualization and bare metal sandbox environment, a global sensor network, and over a decade of anti-evasion and threat intelligence experience to develop and maintain our ET PRO® ruleset.

There are five requirements for producing quality network-based detection in the face of a constantly evolving threat landscape:

  1. Early access to the latest malware samples from around the world.
  2. An automated sandbox environment, capable of evaluating millions of new malware samples and URLs per day and capturing the resulting network behavior.
  3. Community input from around the globe
  4. Unwavering commitment to writing and testing high-fidelity detection signatures for known threats to minimize false positives.
  5. Daily updates of rules that have gone through extensive QA

Network-Based Advanced Threat Detection


Security teams are often dissatisfied with their network IDS/IPS and NGFW deployments due to the overwhelming number of false positives and their inability to notify them when an actual breach takes place. This is because standard IDS/IPS signatures are designed to detect exploits against known vulnerabilities in hosts on the network – even if the systems are patched and not actually vulnerable. Yet, these security platforms are ideally positioned on the network to monitor for malware activity, including stealth communication to and from the remote command and control sites.

ET PRO® ruleset features include:

  • Emphasis on fingerprinting actual malware/C2/exploit kits, credential phishing and in-the-wild malicious activity missed by traditional prevention methods.
  • Support for both Suricata and Snort IDS/IPS formats.
  • Over 72,000 rules in over 40 categories.
  • 30 to 50+ new rules are released each day.
  • Extensive signature descriptions, references and documentation.
  • Very low false positive rating through the use of advanced malware sandbox and global sensor network feedback loop.
  • Includes ET Open. ET PRO® allows you to benefit from the collective intelligence provided by one the largest and most active IDS/IPS rule writing communities. Rule submissions are received from all over the world, covering never seen before threats—all tested by the Proofpoint ET labs research team to ensure optimum performance and accurate detection.

Focused Coverage

While the Proofpoint ET PRO® ruleset offers complete coverage for numerous threats, it offers unrivaled network-based detection logic to identify Malware command and control communications, known bad landing pages, bot nets, communication with drive by sites and other advanced threats – using your existing IDS/IPS or NGFW platform.

ET PRO® ruleset bolsters your network security platforms with high-fidelity detection of advanced threats, including:

  • All major malware families covered by command and control channel and protocol.

  • Detection across all network-based threat vectors, from SCADA protocols, Web Servers, to the latest client-side attacks served up by exploit kits. 

  • The most accurate malware call-back, dropper, command-and-control, obfuscation, exploit-kit related, and exfiltration signatures the industry can offer.

  • Comprehensive rule set also includes coverage for in-the-wild CVE vulnerabilities, including MS MAPP and Patch Tuesday updates

Platform Independent

ET PRO® ruleset is available in multiple formats for use in a variety of network security applications. The formats include various releases of SNORT and Suricata IDS/IPS platforms. It is the only rule set that is specifically written for the Suricata platform to take full advantage of next-generation IDS/IPS features. The ET Pro ruleset is optimized to make the best use of the feature set and version of each IDS/IPS engine it supports.

The ET PRO® ruleset:

  • Is the most comprehensive rule set optimized for the Suricata open source IDS/IPS engine.
  • Runs transparently on systems supporting the Snort 2.9.x.
  • Allows you to create custom OEM versions of ET Pro for integration into proprietary network security appliances.

OEM Licensing enquiries

For OEM licensing enquiries, please contact  our OEM sales

Threat Intelligence Portal

Massive international malware exchanges and decades of threat intelligence experience are leveraged to develop and maintain our ET PRO® ruleset.