IDS/IPS Export Feeds
Live threat feeds for Suricata, Snort, and Zeek.
Flowtriq generates live threat intelligence feeds from its cross-network attacker IP database. Pull Suricata drop rules, Snort drop rules, or Zeek Intel Framework indicators via an authenticated API endpoint. Configure lookback window and minimum confidence score, set a cron schedule, and your IDS stays current with every new attacker detected across the platform.
Feed Formats
Three formats, native syntax
Each feed is generated in the native rule format of its target IDS platform. No parsing, no conversion scripts, no middleware. Pull the URL and load it directly.
Suricata Drop Rules (Suricata 6.x / 7.x)
Generates drop ip rules for every attacker IP above your confidence threshold. Each rule includes a unique SID, descriptive message with the attacker IP and Flowtriq confidence score, and metadata fields. Compatible with suricata-update and direct rule file inclusion.
drop ip 185.220.101.34 any -> $HOME_NET any (msg:"Flowtriq attacker 185.220.101.34 confidence:92"; sid:9000001; rev:1; metadata:created 2026-06-25;)
drop ip 45.148.10.72 any -> $HOME_NET any (msg:"Flowtriq attacker 45.148.10.72 confidence:87"; sid:9000002; rev:1; metadata:created 2026-06-25;)
Snort Drop Rules (Snort 2.x / 3.x)
Same drop rule format, compatible with both Snort 2.x and Snort 3.x. Download the rules file to your local rules directory and include it in your Snort configuration. Each rule uses a unique SID and includes the attacker IP and confidence score in the message field.
Zeek Intel Framework (Zeek / Bro)
Outputs tab-separated Zeek Intel Framework indicators using the Intel::ADDR type. Each line includes the attacker IP, indicator type, source attribution, and a description with the confidence score. Load it directly with Zeek's Intel::read_files function.
#fields	indicator	indicator_type	meta.source	meta.desc
185.220.101.34	Intel::ADDR	Flowtriq	Attacker confidence:92
45.148.10.72	Intel::ADDR	Flowtriq	Attacker confidence:87
91.242.217.198	Intel::ADDR	Flowtriq	Attacker confidence:81
Configuration
Pull-based, configurable, authenticated
Each feed is served from a single authenticated API endpoint. Pass your API token and configure the feed with the query parameters described below. Set up a cron job to pull every 15 minutes and your IDS rules stay current without any manual intervention.
API Token
Authenticate via query parameter or Authorization header. Generate tokens from the dashboard under Settings. Each token is scoped to your workspace.
days - Lookback Window
Number of days to look back for attacker IPs. A shorter window produces fewer rules with more recent attackers. A longer window gives broader coverage of repeat offenders.
confidence - Minimum Score
Minimum confidence score (0-100) for an attacker IP to be included. Higher values produce a tighter, higher-precision feed. Lower values cast a wider net.
format - Output Format
Choose suricata, snort, or zeek. Each returns rules in the native syntax of the target platform, ready to load with no transformation.
Example
Cron job: pull Suricata rules every 15 minutes
A single cron entry keeps your IDS rules synchronized with Flowtriq's live attacker database. The feed endpoint returns fresh rules on every request, generated from cross-network intelligence across all Flowtriq customers.
# Pull the feed and reload. A crontab command must be a single line; -f makes curl skip the write
# and the reload when the API returns an error, and the temp file + mv keeps Suricata from ever
# reading a half-written rules file.
*/15 * * * * curl -fsS "https://api.flowtriq.com/v1/feeds/ids?format=suricata&days=7&confidence=70&token=YOUR_TOKEN" -o /etc/suricata/rules/flowtriq.rules.tmp && mv /etc/suricata/rules/flowtriq.rules.tmp /etc/suricata/rules/flowtriq.rules && suricatasc -c reload-rules
# Result: Suricata drops traffic from known attackers seen across Flowtriq's entire customer network in the last 7 days
Zeek: load the pulled intel file from local.zeek
# local.zeek: the same cron approach with format=zeek saves the feed to this path
@load frameworks/intel/seen
@load frameworks/intel/do_notice
redef Intel::read_files += {
    "/opt/zeek/feeds/flowtriq.intel"
};
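Because the feed is loaded into the IDS directly, a pull that returns something other than rules (an HTML error page on an expired token, a truncated download) would break the ruleset on the next reload. The following client, added here as an example and not Flowtriq's own code, covers both the Feed Formats section and the cron example above: it pulls the endpoint documented on this page with the token in the Authorization header, validates the response as Suricata drop rules or Zeek Intel Framework lines before anything touches disk, and installs the file atomically. The Bearer scheme, the sample feed text, and the destination path are assumptions made for the example.

```python
"""Pull a Flowtriq IDS feed, validate it, and install it atomically (added example)."""
import ipaddress
import os
import re
import tempfile
import urllib.parse
import urllib.request

FEED_URL = "https://api.flowtriq.com/v1/feeds/ids"  # endpoint documented on the page

# One single-line drop rule in the syntax the feed documents; anything else
# (an HTML error page, a truncated line) fails to match.
SURICATA_RULE = re.compile(
    r'^drop ip (?P<ip>\S+) any -> \$HOME_NET any \('
    r'\s*msg:"Flowtriq attacker (?P<msg_ip>\S+) confidence:(?P<conf>\d+)";'
    r'\s*sid:(?P<sid>\d+);\s*rev:\d+;'
    r'\s*metadata:created \d{4}-\d{2}-\d{2};\s*\)\s*$'
)
ZEEK_HEADER = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc"

# Constructed sample feeds for offline use (built for this example, not pulled from the API).
SAMPLE_SURICATA = (
    'drop ip 185.220.101.34 any -> $HOME_NET any (msg:"Flowtriq attacker '
    '185.220.101.34 confidence:92"; sid:9000001; rev:1; metadata:created 2026-06-25;)\n'
    'drop ip 45.148.10.72 any -> $HOME_NET any (msg:"Flowtriq attacker '
    '45.148.10.72 confidence:87"; sid:9000002; rev:1; metadata:created 2026-06-25;)\n'
)
SAMPLE_ZEEK = ZEEK_HEADER + (
    "\n185.220.101.34\tIntel::ADDR\tFlowtriq\tAttacker confidence:92"
    "\n45.148.10.72\tIntel::ADDR\tFlowtriq\tAttacker confidence:87\n"
)


def parse_suricata_feed(text):
    """Return [(ip, confidence, sid), ...]; raise ValueError on any line that is not a valid rule."""
    seen_sids, rules = set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are legal in a rules file
        m = SURICATA_RULE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a Flowtriq drop rule: {line[:60]!r}")
        ip = ipaddress.ip_address(m["ip"])  # raises ValueError on a malformed address
        if m["ip"] != m["msg_ip"]:
            raise ValueError(f"line {lineno}: msg IP does not match rule IP")
        conf = int(m["conf"])
        if not 0 <= conf <= 100:
            raise ValueError(f"line {lineno}: confidence {conf} out of range")
        sid = int(m["sid"])
        if sid in seen_sids:  # a duplicate SID makes Suricata reject the whole file
            raise ValueError(f"line {lineno}: duplicate sid {sid}")
        seen_sids.add(sid)
        rules.append((str(ip), conf, sid))
    return rules


def parse_zeek_intel(text):
    """Return [(ip, source, desc), ...]; the #fields header Zeek requires must come first."""
    lines = text.splitlines()
    if not lines or lines[0] != ZEEK_HEADER:
        raise ValueError("missing or unexpected #fields header")
    entries = []
    for lineno, line in enumerate(lines[1:], 2):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 tab-separated fields")
        indicator, itype, source, desc = fields
        if itype != "Intel::ADDR":
            raise ValueError(f"line {lineno}: unexpected indicator type {itype}")
        ipaddress.ip_address(indicator)
        entries.append((indicator, source, desc))
    return entries


def fetch_feed(token, fmt="suricata", days=7, confidence=70, timeout=30):
    """Pull the feed with the token in the Authorization header (Bearer scheme is an
    assumption) so it stays out of proxy logs and shell history; HTTP errors raise."""
    query = urllib.parse.urlencode({"format": fmt, "days": days, "confidence": confidence})
    req = urllib.request.Request(f"{FEED_URL}?{query}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def install_feed(text, dest):
    """Write next to dest and rename into place so the IDS never reads a partial file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".", prefix=".flowtriq-")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.replace(tmp, dest)
    return dest


if __name__ == "__main__":
    import subprocess, sys
    body = fetch_feed(os.environ["FLOWTRIQ_TOKEN"])  # token from the environment, not the URL
    print(f"{len(parse_suricata_feed(body))} rules validated", file=sys.stderr)
    install_feed(body, "/etc/suricata/rules/flowtriq.rules")  # assumed destination
    subprocess.run(["suricatasc", "-c", "reload-rules"], check=True)
```

Run it from the same cron schedule in place of the bare curl line; if validation raises, the existing rules file is left untouched and no reload is issued, so an API outage degrades to a stale feed rather than a broken IDS. The Zeek parser is wired the same way for a `format=zeek` pull.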
FAQ
Common questions about IDS/IPS export feeds
What feed formats are available?
Flowtriq generates three feed formats: Suricata drop rules (compatible with Suricata 6.x and 7.x), Snort drop rules (compatible with Snort 2.x and 3.x), and Zeek Intel Framework feeds (Intel::ADDR indicators). Each format follows the native syntax of its target platform, so you can pull the feed URL directly into your existing configuration with no transformation required.
How often are the feeds updated?
Feeds are generated live on every request from Flowtriq's current attacker IP database. There is no fixed refresh interval on our side. We recommend pulling feeds on a cron schedule, for example every 15 minutes, to keep your IDS rules current without excessive API calls. As new attackers are detected across the platform, they appear in the next feed pull automatically.
How do I configure Suricata to pull the feed?
Add a rule source in your Suricata configuration that fetches from your authenticated Flowtriq feed URL. You can use suricata-update with a custom source, or a cron job that downloads the rules file and triggers a Suricata rule reload. The feed URL includes your API token as a query parameter, along with optional days and confidence parameters to control scope.
How do I configure Snort to pull the feed?
For Snort 2.x, download the rules file to your local rules directory and include it in your snort.conf. For Snort 3.x, place the downloaded rules in your rules directory and reference it in your Snort Lua configuration. In both cases, a cron job that fetches the feed and restarts or reloads Snort is the simplest approach.
How does the confidence parameter work, and how are false positives handled?
The confidence parameter sets the minimum reputation score an attacker IP must have to be included in the feed. Higher confidence values produce a smaller, higher-precision feed with fewer false positives. Lower values cast a wider net but may include IPs with less certainty. Flowtriq scores are derived from cross-network intelligence, so an IP must be observed attacking multiple independent networks to reach high confidence. Start with the default and adjust based on your environment.
Is there a cost for the IDS feeds?
No. IDS/IPS export feeds are included on all Flowtriq plans at no additional cost. The feeds are generated from the same cross-network attacker intelligence that powers all Flowtriq threat detection features.