NOTE: Some signatures are not inherently malicious but may be of interest to organizations or for logging purposes.
Protects against attacks and exploits of:
Category | Description | Reference |
---|---|---|
3CORESec | Generated automatically from the 3CORESec team IP block lists; based on malicious activity observed by their honeypots. | https://blacklist.3coresec.net/lists/et-open.txt |
ActiveX | Attacks and vulnerabilities regarding Microsoft ActiveX controls. | |
Adware-PUP | Ad-tracking and spyware related activity. | |
Attack Response | Identifies responses indicative of intrusion, such as an LMHost file download, the presence of certain web banners and the detection of the Metasploit Meterpreter kill command. These rules are designed to catch the results of a successful attack: things like "id=root", or error messages that indicate a compromise may have happened. | |
Botcc (Bot Command and Control) | Auto-generated from several sources of known and confirmed active botnet and other Command and Control (C2) hosts. | https://www.shadowserver.org |
Botcc Portgrouped | Similar to the Botcc category but grouped by destination port. Rules grouped by port can offer higher fidelity than those not grouped by port. | |
Chat | Chat clients such as Internet Relay Chat (IRC). | |
CIArmy | Generated using Collective Intelligence IP blocking rules. | https://www.cinsscore.com |
Coinmining | Malware which performs coin mining. | |
Compromised | Known compromised hosts; updated daily from several private but highly reliable data sources. WARNING: This category can add significant processing load. In a high-capacity situation it is recommended to use the Botcc rules instead. | |
Current Events | Active and short-lived campaigns and high-profile items that are expected to be temporary, such as fraud campaigns related to disasters. The rules in this category are not intended to be kept in the ruleset for long. | |
Deleted | Signatures removed from a rule set, often because they were problematic, duplicates, or superseded. | |
DNS | Attacks and vulnerabilities regarding the Domain Name System (DNS), including tunneling. | |
DOS | Denial of Service (DoS) attempts. | |
Drop | Blocks IP addresses on the Spamhaus DROP (Do not Route or Peer) list, which is updated daily. | https://www.spamhaus.org |
Dshield | Attackers identified by DShield; updated daily from the DShield top attackers list, which is very reliable. | https://www.dshield.org |
Exploit | Direct exploits not otherwise covered in a specific service category, including vulnerabilities against Microsoft Windows. Attacks that have their own category, such as SQL injection, are placed in that category instead. | |
Exploit-Kit | Activity related to exploit kits. | |
FTP | Attacks, exploits, and vulnerabilities regarding the File Transfer Protocol (FTP). Also includes basic non-malicious FTP activity, such as logins, for logging purposes. | |
Games | Gaming traffic. Not necessarily evil, just not appropriate for all environments. | |
Hunting | Threat hunting in an environment. WARNING: These rules can produce false positives on legitimate traffic and inhibit performance. They are only recommended for use when actively researching potential threats in the environment. | |
ICMP | Internet Control Message Protocol (ICMP). | |
ICMP_info | ICMP protocol-specific events, typically associated with normal operations, for logging purposes. | |
IMAP | Internet Message Access Protocol (IMAP). | |
Inappropriate | Sites that are pornographic or otherwise not appropriate for a work environment. WARNING: This category can have a significant performance impact and a high rate of false positives. | |
Info | Provides audit-level events that are useful for correlation and for identifying interesting activity which may not be inherently malicious but is often observed in malware and other threats. Example: downloading an executable over HTTP by IP address rather than by domain name. | |
JA3 | Fingerprints malicious SSL certificates using JA3 hashes. WARNING: These rules can have a high false positive rate but can be very useful for threat hunting or malware detonation. | |
Malware | Malicious software and spyware related activity. | |
Misc | Activity not covered in other categories. | |
Mobile Malware | Malware associated with mobile and tablet operating systems. Malware associated with mobile operating systems will generally be placed in this category rather than in standard categories like Malware. | |
NETBIOS | Attacks, exploits and vulnerabilities regarding NetBIOS. Also includes rules detecting basic activity of the protocol for logging purposes. | |
P2P | Peer-to-Peer (P2P) traffic, including torrents, eDonkey, BitTorrent, Gnutella and LimeWire among others. Not necessarily evil, just not appropriate for all environments. | |
Phishing | Phishing activity. | |
Policy | May indicate violations of an organization's policies. Includes Dropbox, Google Apps, Myspace, eBay, etc. Also covers off-port protocols and basic DLP such as credit card numbers and social security numbers. | |
POP3 | Post Office Protocol 3.0 (POP3). | |
RPC | Remote Procedure Call (RPC). | |
SCADA | Supervisory Control and Data Acquisition (SCADA). | |
SCADA_special | Signatures written for the Digital Bond SCADA preprocessor for Snort. | |
SCAN | Reconnaissance and probing from tools such as Nessus, Nikto, and other port scanning tools. | |
Shellcode | Remote shellcode detection. | |
SMTP | Attacks, exploits, and vulnerabilities regarding the Simple Mail Transfer Protocol (SMTP). Also includes rules detecting basic activity of the protocol for logging purposes. | |
SNMP | Attacks, exploits, and vulnerabilities regarding the Simple Network Management Protocol (SNMP). Also includes rules detecting basic activity of the protocol for logging purposes. | |
SQL | Attacks, exploits, and vulnerabilities regarding Structured Query Language (SQL). Also includes rules detecting basic activity of the protocol for logging purposes. | |
TELNET | Attacks and vulnerabilities regarding the TELNET service. Also includes rules detecting basic activity of the protocol for logging purposes. | |
TFTP | Attacks and vulnerabilities regarding the Trivial File Transfer Protocol (TFTP). Also includes rules detecting basic activity of the protocol for logging purposes. | |
TOR | Identification of traffic to and from Tor exit nodes based on IP address. | |
Trojan | A legacy category not used in new versions of Suricata. Superseded by the Malware category. | |
User Agents | Suspicious and anomalous user agents. Known malicious user agents are generally placed in the Malware category. | |
VOIP | Attacks and vulnerabilities regarding Voice over IP (VoIP), including SIP, H.323 and RTP among others. | |
Web Client | Web clients such as web browsers, as well as client-side applications like curl, wget and others. | |
Web Server | Web server infrastructure such as Apache, Tomcat, NGINX, Microsoft Internet Information Services (IIS) and other web server software. | |
Web Specific Apps | Attacks and vulnerabilities in specific web applications. | |
WORM | Worm-like propagation. | |