Published June 21, 2025 | Version v1
Conference paper Open

RuleXploit: A Framework for Generating Suricata Rules from Exploits Using Generative AI

  • 1. Centre for Research and Technology Hellas: Thessaloniki, GR
  • 2. Centre for Research and Technology Hellas
  • 3. CERTH
  • 4. Centre for Research and Technology-Hellas

Description

Intrusion Detection Systems (IDS) are essential for effective cyber-defense. Signature-based IDS operate on specific rules, which are difficult to write because the cybersecurity landscape keeps evolving. To this end, this work proposes a rule generation framework, called RuleXploit, which uses Large Language Models (LLMs) to generate rules from exploits. The proposed framework is composed of two components: the RuleXploit Generator, which produces rules using structured prompts and examples, and the RuleXploit Refinery, which validates and refines these rules for accuracy and effectiveness. The RuleXploit framework is demonstrated with the GPT-4o model, configured with tailored prompt engineering techniques and settings. RuleXploit generated 100% syntactically valid rules and achieved an effectiveness rate of 76.67% in detecting malicious traffic. This work presents the first approach to generating IDS rules from the exploit code of a vulnerability, offering a novel route towards the successful mitigation of cyber attacks.
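As an added illustration of the kind of check the Refinery step performs before a rule is judged "syntactically valid", the following script (not code from the paper or its authors) does a structural validation of Suricata rule text and computes the syntactic-validity rate over a constructed sample. The rule grammar it checks is a simplified assumption (seven header fields plus mandatory msg/sid/rev options), not Suricata's full parser.

```python
import re

# Assumed simplified Suricata rule shape: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
REQUIRED_OPTS = {"msg", "sid", "rev"}


def split_options(opts: str):
    """Split the option block on ';' while leaving ';' inside double quotes intact."""
    parts, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def validate_rule(rule: str):
    """Return (ok, reason): header must parse and msg/sid/rev must be present."""
    m = RULE_RE.match(rule.strip())
    if not m:
        return False, "header does not match: action proto src sport dir dst dport (opts)"
    opts = {}
    for part in split_options(m.group("opts")):
        key, _, val = part.partition(":")   # keyword-only options (e.g. http.uri) get ""
        opts[key.strip()] = val.strip()
    missing = REQUIRED_OPTS - opts.keys()
    if missing:
        return False, f"missing options: {sorted(missing)}"
    if not opts["sid"].isdigit():
        return False, "sid must be an integer"
    return True, "ok"


def syntactic_validity_rate(rules):
    """Fraction of rules that pass validate_rule, the metric the abstract reports as 100%."""
    return sum(1 for r in rules if validate_rule(r)[0]) / len(rules) if rules else 0.0


# Constructed sample: one well-formed rule, one missing sid/rev, one with a bad header.
SAMPLE_RULES = [
    'alert http any any -> $HOME_NET any (msg:"Constructed: suspicious URI"; flow:established,to_server; http.uri; content:"/cgi-bin/"; sid:9000001; rev:1;)',
    'alert tcp any any -> any 445 (msg:"Constructed: no sid or rev"; content:"|ff 53 4d 42|";)',
    'alert tcp any any any any (msg:"Constructed: no direction"; sid:9000003; rev:1;)',
]
```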

Files

Accepted RuleXploit.pdf (387.1 kB), md5:3951bf149f8a6687c89dc1b5944a3ec0