ids:rule_categories:emerging_threat_categories (created 2021/07/20 13:45 by peter; current revision 2022/01/17 11:00 by peter)
====== IDS - Rule Categories - Emerging Threat Categories ======

<WRAP info>
**NOTE:**  Some signatures are not inherently malicious but may be of interest to organizations or for logging purposes.
</WRAP>


The Emerging Threats (ET) categories, what each covers, and the external feed a category is generated from where one applies:

^Category^Description^Reference^
|3CORESec|Generated automatically from the 3CORESec team IP block lists, which are based on malicious activity observed by their honeypots.|https://blacklist.3coresec.net/lists/et-open.txt|
|ActiveX|Attacks and vulnerabilities regarding Microsoft ActiveX controls.| |
|Adware-PUP|Ad-tracking and spyware related activity.| |
|Attack Response|Identifies responses indicative of intrusion, such as an LMHost file download, the presence of certain web banners, and the detection of the Metasploit Meterpreter kill command.| |
|:::|These are designed to catch the results of a successful attack: things like "id=root", or error messages that indicate a compromise may have happened.|:::|
|Botcc (Bot Command and Control)|Auto-generated from several sources of known and confirmed active botnet and other Command and Control (C2) hosts.|https://www.shadowserver.org|
|Botcc Portgrouped|Similar to the Botcc category but grouped by destination port. Rules grouped by port can offer higher fidelity than those not grouped by port, because a hit requires both the listed address and the port the C2 is known to use.| |
|Chat|Chat clients such as Internet Relay Chat (IRC).| |
|CIArmy|Generated using Collective Intelligence IP blocking rules.|https://www.cinsscore.com|
|Coinmining|Malware which performs coin mining.| |
|Compromised|Known compromised hosts; updated daily from several private but highly reliable data sources.| |
|:::|**WARNING:**  This category can add significant processing load. In a high-capacity situation it is recommended to use the Botcc rules instead.|:::|
|Current Events|Active and short-lived campaigns and high-profile items that are expected to be temporary, such as fraud campaigns related to disasters.| |
|:::|The rules in this category are not intended to be kept in the ruleset for long.|:::|
|Deleted|Signatures removed from a rule set, often because they were problematic, duplicates, or superseded.| |
|DNS|Attacks and vulnerabilities regarding the Domain Name System (DNS), including tunneling.| |
|DOS|Denial of Service (DoS) attempts.| |
|Drop|Blocks IP addresses on the Spamhaus DROP (Don't Route Or Peer) list, which is updated daily.|https://www.spamhaus.org|
|Dshield|Attackers identified by DShield; updated daily from the DShield top attackers list, which is very reliable.|https://www.dshield.org|
|Exploit|Direct exploits not otherwise covered in a specific service category, including vulnerabilities against Microsoft Windows.| |
|:::|Attack types with their own category, such as SQL injection, are placed in that category instead.|:::|
|Exploit-Kit|Activity related to Exploit Kits.| |
|FTP|Attacks, exploits, and vulnerabilities regarding the File Transfer Protocol (FTP).| |
|:::|Also includes basic non-malicious FTP activity for logging purposes, such as logins.|:::|
|Games|Gaming traffic.| |
|:::|Not necessarily evil, just not appropriate for all environments.|:::|
|Hunting|Threat hunting in an environment.| |
|:::|**WARNING:**  These rules can produce false positives on legitimate traffic and inhibit performance. They are only recommended for use when actively researching potential threats in the environment.|:::|
|ICMP|Internet Control Message Protocol (ICMP).| |
|ICMP_info|ICMP protocol specific events, typically associated with normal operations, for logging purposes.| |
|IMAP|Internet Message Access Protocol (IMAP).| |
|Inappropriate|Sites that are pornographic or otherwise not appropriate for a work environment.| |
|:::|**WARNING:**  This category can have a significant performance impact and a high rate of false positives.|:::|
|Info|Audit level events that are useful for correlation and for identifying interesting activity which may not be inherently malicious but is often observed in malware and other threats.| |
|:::|Example: downloading an executable over HTTP by IP address rather than by domain name.|:::|
|JA3|Matches JA3 hashes (MD5 fingerprints of the TLS ClientHello, not of the server certificate) that are associated with malware.| |
|:::|**WARNING:**  These rules can have a high false positive rate, since unrelated software built on the same TLS library can share a JA3 hash, but they can be very useful for threat hunting or malware detonation.|:::|
|Malware|Malicious software and spyware related activity.| |
|Misc|Not covered in other categories.| |
|Mobile Malware|Malware associated with mobile and tablet operating systems.| |
|:::|Malware associated with mobile operating systems will generally be placed in this category rather than in the standard categories such as Malware.|:::|
|NETBIOS|Attacks, exploits and vulnerabilities regarding NetBIOS.| |
|:::|Also included are rules detecting basic activity of the protocol for logging purposes.|:::|
|P2P|Peer-to-Peer (P2P) traffic, including BitTorrent, eDonkey, Gnutella and LimeWire among others.| |
|:::|Not necessarily evil, just not appropriate for all environments.|:::|
|Phishing|Phishing activity.| |
|Policy|May indicate violations of an organization's policies.| |
|:::|Includes Dropbox, Google Apps, Myspace, eBay, etc. Also covers off-port protocols and basic DLP such as credit card numbers and social security numbers.|:::|
|POP3|Post Office Protocol version 3 (POP3).| |
|RPC|Remote Procedure Call (RPC).| |
|SCADA|Supervisory Control and Data Acquisition (SCADA).| |
|SCADA_special|Signatures written for the Digital Bond SCADA preprocessors for Snort.| |
|SCAN|Reconnaissance and probing from tools such as Nessus, Nikto, and other port scanning tools.| |
|Shellcode|Remote shellcode detection.| |
|SMTP|Attacks, exploits, and vulnerabilities regarding the Simple Mail Transfer Protocol (SMTP).| |
|:::|Also includes rules detecting basic activity of the protocol for logging purposes.|:::|
|SNMP|Attacks, exploits, and vulnerabilities regarding the Simple Network Management Protocol (SNMP).| |
|:::|Also includes rules detecting basic activity of the protocol for logging purposes.|:::|
|SQL|Attacks, exploits, and vulnerabilities regarding Structured Query Language (SQL).| |
|:::|Also includes rules detecting basic activity of the protocol for logging purposes.|:::|
|TELNET|Attacks and vulnerabilities regarding the TELNET service.| |
|:::|Also includes rules detecting basic activity of the protocol for logging purposes.|:::|
|TFTP|Attacks and vulnerabilities regarding the Trivial File Transfer Protocol (TFTP).| |
|:::|Also includes rules detecting basic activity of the protocol for logging purposes.|:::|
|TOR|Identification of traffic to and from Tor exit nodes, based on IP address.| |
|Trojan|A legacy category no longer used for new rules; superseded by the Malware category.| |
|User Agents|Suspicious and anomalous user agents.| |
|:::|Known malicious user agents are generally placed in the Malware category.|:::|
|VOIP|Attacks and vulnerabilities regarding Voice over IP (VoIP), including SIP, H.323 and RTP among others.| |
|Web Client|Web clients such as web browsers, as well as client side applications like curl, wget and others.| |
|Web Server|Web server infrastructure such as Apache, Tomcat, NGINX, Microsoft Internet Information Services (IIS) and other web server software.| |
|Web Specific Apps|Attacks and vulnerabilities in specific web applications.| |
|WORM|Worm-like propagation.| |

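Several rows above (3CORESec, Botcc, Botcc Portgrouped, CIArmy, Compromised, Drop, Dshield, TOR) are not hand-written signatures but rules generated from IP lists. The following is an added example, not code from this wiki or from Emerging Threats, that builds rules of that shape from a blocklist in both the ungrouped form (Botcc, Compromised) and the port-grouped form (Botcc Portgrouped), then runs constructed flows through both to show why port grouping gives higher fidelity. The blocklist, C2 ports, SIDs and flows are constructed; the address ranges are RFC 5737 documentation space.

```python
"""Added example: ET-style IP-reputation rules from a blocklist, ungrouped and port-grouped.
Not part of the wiki page or the ET ruleset; all indicators, ports and SIDs are constructed."""
import ipaddress
from collections import defaultdict

# Constructed blocklist: (indicator, port the C2 is known to listen on).
BLOCKLIST = [
    ("192.0.2.10", 443),
    ("192.0.2.11", 443),
    ("198.51.100.0/24", 8080),
    ("203.0.113.7", 6667),
    ("203.0.113.8", 6667),
]
GROUP_SIZE = 2  # ET packs many more addresses per rule; kept small so the output is readable


def _chunks(seq, n):
    for i in range(0, len(seq), n):
        yield seq[i:i + n]


def render_rule(sid, ips, port, group_no):
    """Emit one rule. port=None gives the 'alert ip ... any' form used by Botcc/Compromised;
    a concrete port gives the 'alert tcp ... <port>' form used by Botcc Portgrouped."""
    proto = "ip" if port is None else "tcp"
    dport = "any" if port is None else str(port)
    msg = f"ET CNC Constructed C2 IP group {group_no}" + ("" if port is None else f" port {port}")
    return (f'alert {proto} $HOME_NET any -> [{",".join(ips)}] {dport} '
            f'(msg:"{msg}"; threshold: type limit, track by_src, seconds 3600, count 1; '
            f'flowbits:set,ET.Evil; classtype:trojan-activity; sid:{sid}; rev:1;)')


def build_rules(blocklist, base_sid, by_port=False, group_size=GROUP_SIZE):
    """Return a list of rule dicts: sid, port (None = any), parsed networks, rendered text.
    Ungrouped: one bucket holding every indicator. Port-grouped: one bucket per C2 port."""
    buckets = defaultdict(list)
    for indicator, port in blocklist:
        buckets[port if by_port else None].append(indicator)
    rules, sid = [], base_sid
    for port in sorted(buckets, key=lambda p: -1 if p is None else p):
        for group_no, ips in enumerate(_chunks(buckets[port], group_size), 1):
            rules.append({
                "sid": sid,
                "port": port,
                "nets": [ipaddress.ip_network(ip) for ip in ips],  # single IPs become /32
                "text": render_rule(sid, ips, port, group_no),
            })
            sid += 1
    return rules


def match(rules, dst_ip, dst_port):
    """SIDs that a flow to dst_ip:dst_port would fire (address and port check only;
    the threshold in the rule text is ignored here)."""
    addr = ipaddress.ip_address(dst_ip)
    return [r["sid"] for r in rules
            if (r["port"] is None or r["port"] == dst_port)
            and any(addr in net for net in r["nets"])]


UNGROUPED = build_rules(BLOCKLIST, 2404000)                  # Botcc / Compromised style
PORTGROUPED = build_rules(BLOCKLIST, 2405000, by_port=True)  # Botcc Portgrouped style

# Constructed flows: C2 on its port, same host on an unrelated port (e.g. a shared web
# server), a hit inside a listed /24, and a host that is not listed at all.
FLOWS = [("192.0.2.10", 443), ("192.0.2.10", 80), ("198.51.100.77", 8080), ("10.0.0.5", 443)]

if __name__ == "__main__":
    for rule in UNGROUPED + PORTGROUPED:
        print(rule["text"])
    for ip, port in FLOWS:
        print(f"{ip}:{port:<5} ungrouped={match(UNGROUPED, ip, port)} "
              f"portgrouped={match(PORTGROUPED, ip, port)}")
```

The second flow is the point of the Portgrouped category: the ungrouped rule fires on any connection to the listed host, while the port-grouped rule stays quiet unless the destination port matches the port the C2 was reported on.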
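The JA3 row matches a fingerprint of the TLS ClientHello rather than anything in a certificate. The following added example, not code from this wiki or from Emerging Threats, computes a JA3 string and hash from the decoded fields of a ClientHello the way the reference tool does (GREASE values stripped), wraps the hash in a Suricata rule of the kind the JA3 category carries, and shows why the category has a high false positive rate: two connections from the same stack hash identically even with different GREASE values, while any stack change gives a new hash. The ClientHello field values, labels and SIDs are constructed.

```python
"""Added example: JA3 from decoded ClientHello fields, plus a ja3.hash rule.
Not part of the wiki page or the ET ruleset; all field values and SIDs are constructed."""
import hashlib

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. Clients insert them at random,
# so JA3 drops them; otherwise one browser would produce many different hashes.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build 'Version,Ciphers,Extensions,EllipticCurves,PointFormats'. Each list is joined
    with '-', and GREASE is removed from ciphers, extensions and curves."""
    def dash(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([
        str(version),
        dash(ciphers),
        dash(extensions),
        dash(curves),
        "-".join(str(v) for v in point_formats),  # one-byte values, no GREASE possible
    ])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """JA3 hash is the MD5 of the JA3 string, as lowercase hex."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode("ascii")).hexdigest()


def render_ja3_rule(ja3, label, sid):
    """Suricata rule on the client side of the handshake using the ja3.hash sticky buffer."""
    return (f'alert tls $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"ET JA3 Hash - Constructed - {label}"; ja3.hash; content:"{ja3}"; '
            f'flowbits:set,ET.Evil; classtype:unknown; sid:{sid}; rev:1;)')


# Constructed ClientHello (decoded): TLS 1.2 version field with GREASE in three lists.
CLIENT_A = dict(
    version=771,  # 0x0303
    ciphers=[0x1a1a, 4865, 4866, 4867, 49195, 49199],
    extensions=[0x2a2a, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27],
    curves=[0x3a3a, 29, 23, 24],
    point_formats=[0],
)
# The same stack on its next connection: different GREASE values, same real fields.
CLIENT_A_REGREASED = dict(
    CLIENT_A,
    ciphers=[0x7a7a, 4865, 4866, 4867, 49195, 49199],
    extensions=[0xbaba] + CLIENT_A["extensions"][1:],
    curves=[0xcaca, 29, 23, 24],
)
# A different build that offers one cipher fewer: a different fingerprint.
CLIENT_B = dict(CLIENT_A, ciphers=[4865, 4866, 4867, 49195])

if __name__ == "__main__":
    h = ja3_hash(**CLIENT_A)
    print(ja3_string(**CLIENT_A))
    print("A:", h)
    print("A again, re-GREASEd:", ja3_hash(**CLIENT_A_REGREASED))
    print("B:", ja3_hash(**CLIENT_B))
    print(render_ja3_rule(h, "Example agent", 2028001))
```

Suricata only populates the JA3 buffers when `ja3-fingerprints` is enabled under the TLS app-layer settings in suricata.yaml; with it off, rules using `ja3.hash` do not match. The hash identifies a TLS implementation and its configuration, not a program, which is why a JA3 hit is best treated as a hunting lead to correlate with destination, SNI and process data rather than as a verdict on its own.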

----

===== References =====

https://tools.emergingthreats.net/docs/ETPro%20Rule%20Categories.pdf