Wiki

User Tools

Site Tools

Trace:
pfsense:suricata:rules:classification

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

pfsense:suricata:rules:classification [2021/01/20 11:35] – created peterpfsense:suricata:rules:classification [2021/01/20 11:38] (current) peter
Line 1: Line 1:
 ====== PFSense - Suricata - Rules - Classification ====== ====== PFSense - Suricata - Rules - Classification ======
 +
 +<code>
 +# $Id$
 +# classification.config taken from Snort 2.8.5.3. Snort is governed by the GPLv2
 +#
 +# The following includes information for prioritizing rules
 +#
 +# Each classification includes a shortname, a description, and a default
 +# priority for that classification.
 +#
 +# This allows alerts to be classified and prioritized.  You can specify
 +# what priority each classification has.  Any rule can override the default
 +# priority for that rule.
 +#
 +# Here are a few example rules:
 +#
 +#   alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";
 +# dsize: > 128; classtype:attempted-admin; priority:10;
 +#
 +#   alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
 +#       content:"expn root"; nocase; classtype:attempted-recon;)
 +#
 +# The first rule will set its type to "attempted-admin" and override
 +# the default priority for that type to 10.
 +#
 +# The second rule set its type to "attempted-recon" and set its
 +# priority to the default for that type.
 +#
 +#
 +# config classification:shortname,short description,priority
 +#
 +
 +config classification: not-suspicious,Not Suspicious Traffic,3
 +config classification: unknown,Unknown Traffic,3
 +config classification: bad-unknown,Potentially Bad Traffic, 2
 +config classification: attempted-recon,Attempted Information Leak,2
 +config classification: successful-recon-limited,Information Leak,2
 +config classification: successful-recon-largescale,Large Scale Information Leak,2
 +config classification: attempted-dos,Attempted Denial of Service,2
 +config classification: successful-dos,Denial of Service,2
 +config classification: attempted-user,Attempted User Privilege Gain,1
 +config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
 +config classification: successful-user,Successful User Privilege Gain,1
 +config classification: attempted-admin,Attempted Administrator Privilege Gain,1
 +config classification: successful-admin,Successful Administrator Privilege Gain,1
 +
 +
 +
 +# NEW CLASSIFICATIONS
 +
 +config classification: rpc-portmap-decode,Decode of an RPC Query,2
 +config classification: shellcode-detect,Executable code was detected,1
 +config classification: string-detect,A suspicious string was detected,3
 +config classification: suspicious-filename-detect,A suspicious filename was detected,2
 +config classification: suspicious-login,An attempted login using a suspicious username was detected,2
 +config classification: system-call-detect,A system call was detected,2
 +config classification: tcp-connection,A TCP connection was detected,4
 +config classification: trojan-activity,A Network Trojan was detected, 1
 +config classification: unusual-client-port-connection,A client was using an unusual port,2
 +config classification: network-scan,Detection of a Network Scan,3
 +config classification: denial-of-service,Detection of a Denial of Service Attack,2
 +config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
 +config classification: protocol-command-decode,Generic Protocol Command Decode,3
 +config classification: web-application-activity,access to a potentially vulnerable web application,2
 +config classification: web-application-attack,Web Application Attack,1
 +config classification: misc-activity,Misc activity,3
 +config classification: misc-attack,Misc Attack,2
 +config classification: icmp-event,Generic ICMP event,3
 +config classification: kickass-porn,SCORE! Get the lotion!,1
 +config classification: policy-violation,Potential Corporate Privacy Violation,1
 +config classification: default-login-attempt,Attempt to login by a default username and password,2
 +
 +
 +# SC CLASSIFICATIONS
 +
 +config classification: adware,Adware, 3
 +config classification: attempted-user,Attempted user privilege gain,1
 +config classification: backdoor,Backdoors, 1
 +config classification: badware,Badware, 2
 +config classification: ssl-cert,Blacklisted SSL certificates, 1
 +config classification: malware-cnc,CnC activity,1
 +config classification: ransomware,CryptoLockers, 1
 +config classification: miner,Cryptominers, 1
 +config classification: denial-of-service,DoS attacks,2
 +config classification: exploit,Exploits, 1
 +config classification: fake-av,Fake antiviruses, 1
 +config classification: attempted-recon,Information leak, 1
 +config classification: trojan-downloader,Malware,1
 +config classification: mobile-malware,Mobile-malware, 1
 +config classification: network-scan,Network scan, 2
 +config classification: worm,Network worms, 1
 +config classification: phishing,Phishing, 1
 +config classification: policy-violation,Violation of the security policy,1
 +config classification: bad-unknown,Potentially bad traffic,2
 +config classification: shellcode,Shellcodes,1
 +config classification: spyware,Spyware, 1
 +config classification: web-application-attack,Web attacks,1
 +</code>
  
 ---- ----
pfsense/suricata/rules/classification.1611142522.txt.gz · Last modified: 2021/01/20 11:35 by peter
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki