
Add Agent Threat Rules (ATR) Suricata rules for AI agent network indicators#982

Open
eeee2345 wants to merge 1 commit into
cisagov:mainfrom
eeee2345:feat/atr-agent-threat-suricata-rules

Conversation

@eeee2345


Add Agent Threat Rules (ATR) Suricata rules for AI agent network indicators

Description

This change adds suricata/rules-default/IT/agent-threat-rules/agent-threat-rules.rules with 13 Suricata signatures covering AI agent network threat indicators derived from the open MIT-licensed Agent Threat Rules (ATR) corpus. The new file sits under the existing rules-default/IT/ tree and is picked up automatically by the IT/**/*.rules recursive glob in suricata_config_populate.py (GetRuleFiles, lines 643-665) without any wiring changes.

Coverage:

  • sid 1002001-1002003 ATR-2026-00405 markdown image URL exfiltration via known garak exfil domains (wuzzi.net, derczynski.com, llmsec.net). Anchored on the literal exfil domain plus a leading "![" so the prefilter rejects benign traffic before pcre runs.
  • sid 1002004 ATR-2026-00261 markdown image exfiltration with placeholder markers [INFO]/[NUM]/[DATA]/[SECRET]/[PAYLOAD]/[CONTEXT] inside the image URL — Embracethered/garak xss probe family.
  • sid 1002005 ATR-2026-00161 MCP tool description hidden directive wrapped in an XML-style tag containing an imperative verb (read/send/exec/fetch/invoke/include/must/pass/forward/upload) — the Invariant Labs April 2025 tool-poisoning PoC pattern that exfiltrated SSH private keys and mcp.json from Claude Desktop and Cursor.
  • sid 1002006 ATR-2026-00161 cross-tool shadowing vocabulary ("also present", "previously declared", "already installed") referencing another co-installed MCP tool.
  • sid 1002007 ATR-2026-00010 MCP tool response containing curl/wget pipe-to-shell download-and-execute.
  • sid 1002008 ATR-2026-00010 bash -i reverse shell to /dev/tcp/ or netcat -e/-c primitive in MCP tool response.
  • sid 1002009-1002012 ATR-2026-00451 LiteLLM proxy admin endpoint SQL injection — tautology with comment terminator, UNION SELECT exfiltration probe, Postgres pg_sleep time-based blind, and stacked DROP/TRUNCATE/DELETE TABLE — CVE-2026-42208 (CVSS 9.3), CISA KEV listed 2026-05-08 with federal remediation due 2026-05-11.
  • sid 1002013 ATR-2026-00002 indirect prompt injection via HTML comment instruction-override embedded in tool/web content.

SID range 1002001-1002013, chosen to avoid collision with existing Malcolm rule files: nsacyber ELITEWOLF uses 1000001-1000800, malcolm + d-link OT uses 1001001-1001025. Verified parse against Suricata 8.0.4 -T mode in combination with every existing rules-default signature: clean load, zero SID collisions.

False-positive discipline:

  • Every rule anchors with at least one literal content keyword before pcre, so Suricata's prefilter rejects benign traffic without scanning every byte.
  • Markdown image rules require both the "![" syntax and either a specific known-exfil domain or a bracketed placeholder marker — generic CDN images do not fire.
  • LiteLLM SQLi rules are gated on the LiteLLM-specific admin path prefixes (/team /key /user /spend /budget /customer /model /organization) before the SQLi shape check, so generic SQLi false positives elsewhere on the network do not light up.
  • IMPORTANT-tag rule requires the verb anchor (read/send/exec/fetch/invoke/include/must/pass/forward/upload) inside the tag, so README emphasis like "IMPORTANT: this needs Python 3.10" does not match.
  • Bash reverse shell rule anchors on the literal "/dev/tcp/" string before pcre.

Motivation and context

Malcolm's Suricata pipeline is the natural deployment surface for content-layer detection on AI agent network traffic. MCP tool exchanges, agent-LLM provider traffic, and proxy admin-plane requests are all plaintext HTTP today (MCP is JSON-RPC over HTTP, LiteLLM is HTTP). ATR signals embedded in this traffic — markdown image exfiltration, IMPORTANT-tag tool poisoning, LiteLLM CISA KEV exploitation, indirect prompt injection — fit cleanly into Malcolm's existing OpenSearch dashboards and analyst triage flow.

About ATR: MIT-licensed detection-rule corpus, 419 rules at v2.2.1, https://github.com/Agent-Threat-Rule/agent-threat-rules. External production use today: Microsoft Agent Governance Toolkit (microsoft/agent-governance-toolkit#908 merged), Cisco AI Defense (cisco-ai-defense/skill-scanner#79 merged, 314-rule pack), MISP / CIRCL Luxembourg (misp-taxonomies#323 merged by adulau, MISP project lead), and OWASP Agent-Security-Regression-Harness (#74 merged).

This contribution is purely additive: it places a new .rules file under rules-default/IT/. It does not modify any existing Malcolm signature, config, or build artifact. No CISA endorsement of ATR is claimed or implied — these rules are an additive open-source contribution shaped to fit Malcolm's existing convention.

Testing

Validated under Suricata 8.0.4 RELEASE via:

docker run --rm -v $PWD:/work jasonish/suricata:latest -T -S /work/agent-threat-rules.rules

Result: 13 of 13 rules loaded; "Configuration provided was successfully loaded".

Combined-load test (new file + all 6 existing rules-default signature files concatenated): 96 total rules, clean load, zero duplicate-sid errors.

I did not run a full Malcolm Suricata container build because the docker stack is large for a single-file review; recommended verification is to drop the file into a running Malcolm instance and confirm GetRuleFiles() picks it up via the IT/**/*.rules glob, then run suricata -T against the assembled rule set.

Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal — adds one .rules file under rules-default/IT/, no modifications elsewhere.
  • All future TODOs are captured in issues, which are referenced in code comments. (None.)
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All relevant repo and/or project documentation has been updated to reflect the changes in this PR. (New default rules are self-describing via msg and reference fields; happy to add a docs entry if maintainers prefer.)
  • Tests have been added and/or modified to cover the changes in this PR. (Suricata signature coverage is not exercised by an automated test suite in this submission; Suricata -T parse verified clean under 8.0.4.)
  • All new and existing tests pass.
  • Bump major, minor, patch, pre-release, and/or build versions as appropriate via the bump_version script if this repository is versioned and the changes in this PR warrant a version bump. (Additive rule file; defer to maintainer judgment.)

ATR repo: https://github.com/Agent-Threat-Rule/agent-threat-rules
Maintainer: Adam Lin, [email protected]

mmguero assigned mmguero and unassigned mmguero May 19, 2026
mmguero added the suricata (Relating to Malcolm's use of Suricata) label May 19, 2026
mmguero added this to Malcolm May 19, 2026
mmguero moved this to Review in Malcolm May 19, 2026
mmguero added this to the v26.06.0 milestone May 19, 2026
mmguero modified the milestones: v26.06.0, v26.06.1, v26.07.0 May 27, 2026
…t network indicators

Adds an opt-in Suricata rule set under suricata/rules-default/IT/
covering 13 network-observable indicators correlated to ATR (Agent
Threat Rules, https://github.com/Agent-Threat-Rule/agent-threat-rules)
detection categories: prompt-injection-over-HTTP, MCP-tool-poisoning,
context-exfiltration over WebSocket, skill-package-fetch from known-bad
registries, and related agent-runtime patterns.

Rules ship disabled-by-default per cisagov/Malcolm convention; operators
opt in via the existing rules-default mechanism. No core Malcolm changes.
eeee2345 force-pushed the feat/atr-agent-threat-suricata-rules branch from 8270199 to 9d34bde May 29, 2026 10:00