IDS - Emerging Threats - Emerging Threat Categories
Protects against attacks and exploits of:
| Category | Description | Includes | Reference |
|---|---|---|---|
| Non-Malicious | | | |
| Logging | | | |
| 3CORESec | Generated automatically from the 3CORESec team IP block lists, based on malicious activity seen by their honeypots. | https://blacklist.3coresec.net/lists/et-open.txt | |
| ActiveX | Microsoft ActiveX controls. | | |
| Adware-PUP | Ad-tracking and spyware related activity. | | |
| Attack Response | Identifies responses indicative of an intrusion, such as an LMHost file download, the presence of certain web banners, and detection of the Metasploit Meterpreter kill command. | | |
| Botcc (Bot Command and Control) | Auto-generated from several sources of known and confirmed active botnet and other Command and Control (C2) hosts. | https://www.shadowserver.org | |
| Botcc Portgrouped | Similar to the Botcc category but grouped by destination port. Rules grouped by port can offer higher fidelity than those not grouped by port. | | |
| Chat | Chat clients such as Internet Relay Chat (IRC). | | |
| CIArmy | Generated using Collective Intelligence IP blocking rules. | https://www.cinsscore.com | |
| Coinmining | Malware which performs coin mining. | | |
| Compromised | Known compromised hosts; updated daily from several private but highly reliable data sources. WARNING: This category can add significant processing load. In a high-capacity situation it is recommended to use the Botcc rules instead. | | |
| Current Events | Responses to active and short-lived campaigns and high-profile items that are expected to be temporary, such as fraud campaigns related to disasters. The rules in this category are not intended to be kept in the ruleset for long. | | |
| Deleted | Signatures removed from a rule set, often because they were problematic, duplicates, or superseded. | | |
| DNS | Attacks and vulnerabilities regarding Domain Name Service (DNS), including tunneling. | | |
| DOS | Denial of Service (DoS) attempts. | | |
| Drop | Blocks IP addresses on the Spamhaus DROP (Do not Route or Peer) list, which is updated daily. | https://www.spamhaus.org | |
| Dshield | Attackers identified by DShield; updated daily from the DShield top attackers list, which is very reliable. | https://www.dshield.org | |
| Exploit | Direct exploits not otherwise covered in a specific service category, including vulnerabilities against Microsoft Windows. Attacks that have their own category, such as SQL injection, are not included here. | | |
| Exploit-Kit | Activity related to Exploit Kits. | | |
| FTP | Attacks, exploits, and vulnerabilities regarding File Transfer Protocol (FTP). | | |
| Games | Gaming traffic and attacks against those games. Includes many popular online games; while these games and their traffic are not malicious, they are often unwanted and prohibited by policy on corporate networks. | | |
| Hunting | Threat hunting in an environment. These rules can produce false positives on legitimate traffic and inhibit performance. They are only recommended for use when actively researching potential threats in the environment. | | |
| ICMP | Internet Control Message Protocol (ICMP). | | |
| ICMP_info | ICMP protocol-specific events, typically associated with normal operations, for logging purposes. | | |
| IMAP | Internet Message Access Protocol (IMAP). Includes rules that detect non-malicious IMAP activity for logging purposes. | | |
| Inappropriate | Sites that are pornographic or otherwise not appropriate for a work environment. WARNING: This category can have a significant performance impact and a high rate of false positives. | | |
| Info | Provides audit-level events that are useful for correlation and for identifying interesting activity which may not be inherently malicious but is often observed in malware and other threats. Example: downloading an executable over HTTP by IP address rather than by domain name. | | |
| JA3 | Fingerprints malicious SSL certificates using JA3 hashes, based on parameters in the SSL handshake negotiation by both clients and servers. WARNING: These rules can have a high false positive rate but can be very useful for threat hunting or malware detonation. | | |
| Malware | Malicious software. | | |
| Misc | Not covered in other categories. | | |
| Mobile Malware | Malware associated with mobile and tablet operating systems. Malware associated with mobile operating systems will generally be placed in this category rather than in standard categories such as Malware. | | |
| NETBIOS | NetBIOS. Includes rules that detect non-malicious NetBIOS activity for logging purposes. | | |
| P2P | Peer-to-Peer (P2P), including torrents, eDonkey, BitTorrent, Gnutella and LimeWire among others. P2P traffic is not inherently malicious but is often of note to enterprises. | | |
| Phishing | Phishing activity. | | |
| Policy | May indicate violations of an organization's policies. | | |
| POP3 | Post Office Protocol 3.0 (POP3). This category also includes rules that detect non-malicious POP3 activity for logging purposes. | | |
ids/emerging_threats/emerging_threat_categories.1626786038.txt.gz · Last modified: 2021/07/20 13:00 by peter