IDS - Rule Categories - Emerging Threat Categories

NOTE: Some signatures are not inherently malicious but may be of interest to organizations or for logging purposes.

Protects against attacks and exploits of:

^ Category ^ Description ^ Reference ^
| 3CORESec | Generated automatically from the 3CORESec team IP block lists, based on malicious activity observed by their honeypots. | https://blacklist.3coresec.net/lists/et-open.txt |
| ActiveX | Attacks and vulnerabilities regarding Microsoft ActiveX controls. | |
| Adware-PUP | Ad-tracking and spyware related activity. | |
| Attack Response | Identifies responses indicative of intrusion, such as LMHost file download, the presence of certain web banners and the detection of the Metasploit Meterpreter kill command. These are designed to catch the results of a successful attack: things like "id=root", or error messages that indicate a compromise may have happened. | |
| Botcc (Bot Command and Control) | Auto-generated from several sources of known and confirmed active botnet and other Command and Control (C2) hosts. | https://www.shadowserver.org |
| Botcc Portgrouped | Similar to the Botcc category but grouped by destination port. Rules grouped by port can offer higher fidelity than those not grouped by port. | |
| Chat | Chat clients such as Internet Relay Chat (IRC). | |
| CIArmy | Generated using Collective Intelligence IP blocking rules. | https://www.cinsscore.com |
| Coinmining | Malware which performs coin mining. | |
| Compromised | Known compromised hosts, updated daily from several private but highly reliable data sources. WARNING: This category can add significant processing load. In a high-capacity situation it is recommended to use the Botcc rules instead. | |
| Current Events | Active and short-lived campaigns and high-profile items that are expected to be temporary, such as fraud campaigns related to disasters. The rules in this category are not intended to be kept in the ruleset for long. | |
| Deleted | Signatures removed from a rule set, often because they were problematic, duplicates, or superseded. | |
| DNS | Attacks and vulnerabilities regarding Domain Name Service (DNS), including tunneling. | |
| DOS | Denial of Service (DoS) attempts. | |
| Drop | Blocks IP addresses on the Spamhaus DROP (Do not Route or Peer) list, which is updated daily. | https://www.spamhaus.org |
| Dshield | Attackers identified by DShield, updated daily from the DShield top attackers list, which is very reliable. | https://www.dshield.org |
| Exploit | Direct exploits not otherwise covered in a specific service category, including vulnerabilities against Microsoft Windows. Attacks that have their own category, such as SQL injection, are placed there instead. | |
| Exploit-Kit | Activity related to Exploit Kits. | |
| FTP | Attacks, exploits, and vulnerabilities regarding File Transfer Protocol (FTP). Also includes basic non-malicious FTP activity for logging purposes, such as logins. | |
| Games | Gaming traffic. Not necessarily evil, just not appropriate for all environments. | |
| Hunting | Threat hunting in an environment. WARNING: These rules can produce false positives on legitimate traffic and inhibit performance. They are only recommended for use when actively researching potential threats in the environment. | |
| ICMP | Internet Control Message Protocol (ICMP). | |
| ICMP_info | ICMP protocol specific events, typically associated with normal operations, for logging purposes. | |
| IMAP | Internet Message Access Protocol (IMAP). | |
| Inappropriate | Sites that are pornographic or otherwise not appropriate for a work environment. WARNING: This category can have a significant performance impact and a high rate of false positives. | |
| Info | Provides audit-level events that are useful for correlation and for identifying interesting activity which may not be inherently malicious but is often observed in malware and other threats. Example: downloading an executable over HTTP by IP address rather than by domain name. | |
| JA3 | Fingerprints malicious SSL certificates using JA3 hashes. WARNING: These rules can have a high false positive rate but can be very useful for threat hunting or malware detonation. | |
| Malware | Malicious software and spyware related activity. | |
| Misc | Not covered in other categories. | |
| Mobile Malware | Malware associated with mobile and tablet operating systems. Malware associated with mobile operating systems will generally be placed in this category rather than in the standard categories like Malware. | |
| NETBIOS | Attacks, exploits and vulnerabilities regarding NetBIOS. Also includes rules detecting basic activity of the protocol for logging purposes. | |
| P2P | Peer-to-Peer (P2P), including torrents, eDonkey, BitTorrent, Gnutella and LimeWire among others. Not necessarily evil, just not appropriate for all environments. | |
| Phishing | Phishing activity. | |
| Policy | May indicate violations of an organization's policies. Includes Dropbox, Google Apps, Myspace, eBay, etc. Also covers off-port protocols and basic DLP such as credit card numbers and social security numbers. | |
| POP3 | Post Office Protocol 3.0 (POP3). | |
| RPC | Remote Procedure Call (RPC). | |
| SCADA | Supervisory control and data acquisition (SCADA). | |
| SCADA_special | Signatures written for the Snort Digital Bond SCADA preprocessor. | |
| SCAN | Reconnaissance and probing from tools such as Nessus, Nikto, and other port scanning tools. | |
| Shellcode | Remote shellcode detection. | |
| SMTP | Attacks, exploits, and vulnerabilities regarding Simple Mail Transfer Protocol (SMTP). Also includes rules detecting basic activity of the protocol for logging purposes. | |
| SNMP | Attacks, exploits, and vulnerabilities regarding Simple Network Management Protocol (SNMP). Also includes rules detecting basic activity of the protocol for logging purposes. | |
| SQL | Attacks, exploits, and vulnerabilities regarding Structured Query Language (SQL). Also includes rules detecting basic activity of the protocol for logging purposes. | |
| TELNET | Attacks and vulnerabilities regarding the TELNET service. Also includes rules detecting basic activity of the protocol for logging purposes. | |
| TFTP | Attacks and vulnerabilities regarding the Trivial File Transfer Protocol (TFTP). Also includes rules detecting basic activity of the protocol for logging purposes. | |
| TOR | Identification of traffic to and from TOR exit nodes based on IP address. | |
| Trojan | A legacy category not used in new versions of Suricata; superseded by the Malware category. | |
| User Agents | Suspicious and anomalous user agents. Known malicious user agents are generally placed in the Malware category. | |
| VOIP | Attacks and vulnerabilities regarding Voice over IP (VOIP), including SIP, H.323 and RTP among others. | |
| Web Client | Web clients such as web browsers, as well as client-side applications like curl, wget and others. | |
| Web Server | Web server infrastructure such as Apache, Tomcat, nginx, Microsoft Internet Information Services (IIS) and other web server software. | |
| Web Specific Apps | Attacks and vulnerabilities in specific web applications. | |
| WORM | Worm-like propagation. | |
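The warnings above (Hunting, Inappropriate and JA3 for false positives, Compromised for processing load) are the usual inputs to ruleset tuning. The following added example, which is not part of this page or of the ET ruleset, reads rule lines, groups them by the "ET <CATEGORY>" prefix of the msg field, and renders a suricata-update disable list for the flagged categories. It assumes that convention for msg prefixes and uses constructed sample rules with placeholder SIDs.

```python
import re
from collections import Counter

# Reasons quoted from the category table; Compromised is only flagged when capacity is tight.
HIGH_COST = {
    "HUNTING": "false positives on legitimate traffic and performance impact; enable only while hunting",
    "INAPPROPRIATE": "significant performance impact and high false positive rate",
    "JA3": "high false positive rate; mainly for threat hunting or malware detonation",
    "COMPROMISED": "significant processing load; use Botcc rules instead in high-capacity deployments",
}

# Constructed sample rules in ET Open style; SIDs are placeholders, not real ET signatures.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"ET CHAT IRC NICK command"; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent"; sid:9000002; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Sample client"; sid:9000003; rev:2;)
alert ip [192.0.2.1] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised Host"; sid:9000004; rev:1;)
# alert ip $HOME_NET any -> [198.51.100.5] any (msg:"ET CNC Botcc Group 1"; sid:9000005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Dropbox client"; sid:9000006; rev:1;)
"""

# Capture the category token after "ET " in msg, then the rule's sid.
RULE_RE = re.compile(r'msg:"ET\s+([A-Z0-9_]+)[^"]*";.*?sid:(\d+);')


def parse_rules(text):
    """Return (category, sid, enabled) per rule line; '#'-prefixed rules are disabled."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        m = RULE_RE.search(stripped)
        if stripped and m:
            rules.append((m.group(1), int(m.group(2)), not stripped.startswith("#")))
    return rules


def category_counts(rules):
    """Count enabled rules per category, e.g. to size the impact of a category before enabling it."""
    return Counter(cat for cat, _, enabled in rules if enabled)


def sids_to_disable(rules, capacity_constrained=False):
    """Map sid -> reason for enabled rules in flagged categories."""
    out = {}
    for cat, sid, enabled in rules:
        if enabled and cat in HIGH_COST and (cat != "COMPROMISED" or capacity_constrained):
            out[sid] = HIGH_COST[cat]
    return out


def disable_conf(rules, capacity_constrained=False):
    """Render disable.conf lines: a '#' comment with the reason, then the bare sid (suricata-update syntax)."""
    items = sorted(sids_to_disable(rules, capacity_constrained).items())
    return "\n".join(f"# {reason}\n{sid}" for sid, reason in items)
```

Feed the output to suricata-update as its disable.conf; re-enable the Hunting entries only for the duration of an investigation, as the table recommends.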

ids/rule_categories/emerging_threat_categories.txt · Last modified: 2022/01/17 11:00 by peter