User Tools

Site Tools


ids:emerging_threats:emerging_threat_categories

This is an old revision of the document!


IDS - Emerging Threats - Emerging Threat Categories

Protects against attacks and exploits of:

CategoryDescriptionReference
3CORESecGenerated automatically from the 3CORESec team IP block lists; based on malicious activity from their Honeypots.https://blacklist.3coresec.net/lists/et-open.txt
ActiveXMicrosoft ActiveX controls.
Adware-PUPAd-tracking and spyware related activity.
Attack ResponseIdentifies responses indicative of intrusion; such as LMHost file download, presence of certain web banners and the detection of Metasploit Meterpreter kill command.
Botcc (Bot Command and Control)Auto-generated from several sources of known and confirmed active botnet and other Command and Control (C2) hosts.https://www.shadowserver.org
Botcc PortgroupedSimilar to the Botcc category but grouped by destination port. Rules grouped by port can offer higher fidelity than those not grouped by port.
ChatChat clients such as Internet Relay Chat (IRC).
CIArmyGenerated using Collective Intelligence IP blocking rules.https://www.cinsscore.com
CoinminingMalware which performs coin mining.
CompromisedKnown compromised hosts; updated daily from several private but highly reliable data sources.
WARNING: This category can add significant processing load. In a high-capacity situation it is recommended to use the Botcc rules instead.
Current EventsActive and short-lived campaigns and high-profile items that are expected to be temporary; such as fraud campaigns related to disasters.
The rules in this category are not intended to be kept in in the ruleset for long.
DeletedSignatures removed from a rule set; often due to being problematic or duplicates or being super-seeded.
DNSAttacks and vulnerabilities regarding Domain Name Service (DNS) including tunneling.
DOSDenial of Service (DoS) attempts.
DropTo block IP addresses on the Spamhaus DROP (Do not Route or Peer) list, which is updated daily.https://www.spamhaus.org
DshieldAttackers identified by Dshield, updated daily from the DShield top attackers list which is very reliable.https://www.dshield.org
ExploitDirect exploits not otherwise covered in a specific service category; including vulnerabilities against Microsoft Windows.
Attacks with their own category such as SQL injection have their own category.
Exploit-KitActivity related to Exploit Kits.
FTPAttacks, exploits, and vulnerabilities regarding File Transfer Protocol (FTP).
GamesGaming traffic and attacks against those games.
Includes many popular online games; while these games and their traffic are not malicious, they are often unwanted and prohibited by policy on corporate networks.
HuntingThreat hunting in an environment.
These rules can provide false positives on legitimate traffic and inhibit performance. They are only recommended for use when actively researching potential threats in the environment.
ICMPInternet Control Message Protocol (ICMP).
ICMP_infoICMP protocol specific events, typically associated with normal operations for logging purposes.
IMAPInternet Message Access Protocol (IMAP).
Includes rules that detect non-malicious IMAP activity for logging purposes.
InappropriateSites that are pornographic or otherwise not appropriate for a work environment.
WARNING: This category can have a significant performance impact and high rate of false positives.
InfoHelps provide audit level events that are useful for correlation and identifying interesting activity which may not be inherently malicious but is often observed in malware and other threats
Example: Downloading an Executable over HTTP by IP address rather than domain name.
JA3Fingerprints malicious SSL certificates using JA3 hashes.
Based on parameters that are in the SSL handshake negotiation by both clients and servers.
WARNING: These rules can have a high false positive rate but can be very useful for threat hunting or malware detonation.
MalwareMalicious software.
MiscNot covered in other categories.
Mobile MalwareMalware associated with mobile and tablet operating systems.
Malware associated with mobile operating systems will generally be placed in this category rather than the standard categories like Malware.
NETBIOSNetBIOS
Includes rules that detect non-malicious NetBIOS activity for logging purposes.
P2PPeer-to-Peer (P2P), including torrents, edonkey, Bittorrent, Gnutella and Limewire among others.
P2P traffic is not inherently malicious but is often of notable for enterprises.
PhishingPhishing activity.
PolicyMay indicate violations against policies of an organization.
POP3Post Office Protocol 3.0 (POP3).
This category also includes rules that detect non-malicious POP3 activity for logging purposes.

References

ids/emerging_threats/emerging_threat_categories.1626786151.txt.gz · Last modified: 2021/07/20 13:02 by peter

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki