ids:emerging_threats:emerging_threat_categories
This is an old revision of the document!
IDS - Emerging Threats - Emerging Threat Categories
Protects against attacks and exploits of:
| Category | Description | Reference |
|---|---|---|
| 3CORESec | Generated automatically from the 3CORESec team IP block lists; based on malicious activity from their Honeypots. | https://blacklist.3coresec.net/lists/et-open.txt |
| ActiveX | Microsoft ActiveX controls. | |
| Adware-PUP | Ad-tracking and spyware related activity. | |
| Attack Response | Identifies responses indicative of intrusion; such as LMHost file download, presence of certain web banners and the detection of Metasploit Meterpreter kill command. | |
| Botcc (Bot Command and Control) | Auto-generated from several sources of known and confirmed active botnet and other Command and Control (C2) hosts. | https://www.shadowserver.org |
| Botcc Portgrouped | Similar to the Botcc category but grouped by destination port. Rules grouped by port can offer higher fidelity than those not grouped by port. | |
| Chat | Chat clients such as Internet Relay Chat (IRC). | |
| CIArmy | Generated using Collective Intelligence IP blocking rules. | https://www.cinsscore.com |
| Coinmining | Malware which performs coin mining. | |
| Compromised | Known compromised hosts; updated daily from several private but highly reliable data sources. | |
| WARNING: This category can add significant processing load. In a high-capacity situation it is recommended to use the Botcc rules instead. | ||
| Current Events | In response to active and short-lived campaigns and high-profile items that are expected to be temporary; such as fraud campaigns related to disasters. | |
| The rules in this category are not intended to be kept in in the ruleset for long. | ||
| Deleted | Signatures removed from a rule set; often due to being problematic or duplicates or being super-seeded. | |
| DNS | Attacks and vulnerabilities regarding Domain Name Service (DNS) including tunneling. | |
| DOS | Denial of Service (DoS) attempts. | |
| Drop | To block IP addresses on the Spamhaus DROP (Do not Route or Peer) list, which is updated daily. | https://www.spamhaus.org |
| Dshield | Attackers identified by Dshield, updated daily from the DShield top attackers list which is very reliable. | https://www.dshield.org |
| Exploit | Direct exploits not otherwise covered in a specific service category; including vulnerabilities against Microsoft Windows. | |
| Attacks with their own category such as SQL injection have their own category. | ||
| Exploit-Kit | Activity related to Exploit Kits | |
| FTP | Attacks, exploits, and vulnerabilities regarding File Transfer Protocol (FTP). | |
| Games | Gaming traffic and attacks against those games. | |
| These rules cover games such as World of Warcraft, Starcraft, and other popular online games. While these games and their traffic are not malicious, they are often unwanted and prohibited by policy on corporate networks. | ||
References
ids/emerging_threats/emerging_threat_categories.1626784730.txt.gz · Last modified: 2021/07/20 12:38 by peter