ids:rule_categories:emerging_threat_categories

Differences

This shows you the differences between two versions of the page.

ids:rule_categories:emerging_threat_categories [2022/01/17 10:39] peter
ids:rule_categories:emerging_threat_categories [2022/01/17 11:00] (current) peter
Line 32: Line 32:
 |Exploit-Kit|Activity related to Exploit Kits.| | |Exploit-Kit|Activity related to Exploit Kits.| |
 |FTP|Attacks, exploits, and vulnerabilities regarding File Transfer Protocol (FTP).| | |FTP|Attacks, exploits, and vulnerabilities regarding File Transfer Protocol (FTP).| |
 +|:::|Also includes basic none malicious FTP activity for logging purposes, such as login, etc.|:::|
 |Games|Gaming traffic.| | |Games|Gaming traffic.| |
 +|:::|Not necessarily evil, just not appropriate for all environments.|:::|
 |Hunting|Threat hunting in an environment.| | |Hunting|Threat hunting in an environment.| |
 |:::|**WARNING:**  These rules can provide false positives on legitimate traffic and inhibit performance. They are only recommended for use when actively researching potential threats in the environment.| | |:::|**WARNING:**  These rules can provide false positives on legitimate traffic and inhibit performance. They are only recommended for use when actively researching potential threats in the environment.| |
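Review bot: the new FTP continuation row reads "basic none malicious FTP activity"; the intended wording is "non-malicious". Suggested cell: `|:::|Also includes basic non-malicious FTP activity for logging purposes, such as login, etc.|:::|`. The Games continuation row added in the same hunk is fine as written.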
Line 44: Line 46:
 |JA3|Fingerprints malicious SSL certificates using JA3 hashes.| | |JA3|Fingerprints malicious SSL certificates using JA3 hashes.| |
 |:::|**WARNING:**  These rules can have a high false positive rate but can be very useful for threat hunting or malware detonation.| | |:::|**WARNING:**  These rules can have a high false positive rate but can be very useful for threat hunting or malware detonation.| |
-|**Malware**|Malicious software.| |+|**Malware**|Malicious software and Spyware related.| |
 |Misc|Not covered in other categories.| | |Misc|Not covered in other categories.| |
 |Mobile Malware|Malware associated with mobile and tablet operating systems.| |Mobile Malware|Malware associated with mobile and tablet operating systems.|
 |:::|Malware associated with mobile operating systems will generally be placed in this category rather than the standard categories like Malware.| | |:::|Malware associated with mobile operating systems will generally be placed in this category rather than the standard categories like Malware.| |
-|NETBIOS|NetBIOS| |+|NETBIOS|Attacks, exploits and vulnerabilities regarding Netbios.
 +|:::|Also included are rules detecting basic activity of the protocol for logging purposes.|:::|
 |P2P|Peer-to-Peer (P2P), including torrents, edonkey, Bittorrent, Gnutella and Limewire among others.| |P2P|Peer-to-Peer (P2P), including torrents, edonkey, Bittorrent, Gnutella and Limewire among others.|
 +|:::|Not necessarily evil, just not appropriate for all environments.|:::|
 |Phishing|Phishing activity.| | |Phishing|Phishing activity.| |
 |Policy|May indicate violations against policies of an organization.| | |Policy|May indicate violations against policies of an organization.| |
 +|:::|Includes DropBox, Google Apps, Myspace, Ebay, etc. Also covers off port protocols, basic DLP such as credit card numbers and social security numbers.|:::|
 |POP3|Post Office Protocol 3.0 (POP3).| | |POP3|Post Office Protocol 3.0 (POP3).| |
 |RPC|Remote Procedure Call (RPC).| |RPC|Remote Procedure Call (RPC).|
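Review bot: the new NETBIOS row (`+|NETBIOS|Attacks, exploits and vulnerabilities regarding Netbios.`) has no closing `|`, unlike every other row in the table, so DokuWiki may not treat it as a table row; close the cell and use the protocol's own capitalization, e.g. `|NETBIOS|Attacks, exploits and vulnerabilities regarding NetBIOS.| |`. The revised Malware cell "Malicious software and Spyware related." is awkward; "Malicious software, including spyware." says the same thing. Since this section is open, the unchanged JA3 row is also worth fixing: a JA3 hash is computed from fields of the TLS ClientHello (version, cipher suites, extensions, elliptic curves, point formats), not from a certificate, so "Fingerprints malicious SSL certificates" should read "Fingerprints TLS clients by hashing their ClientHello parameters (JA3)".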
Line 58: Line 63:
 |SCAN|Reconnaissance and probing from tools such as Nessus, Nikto, and other port scanning tools.| | |SCAN|Reconnaissance and probing from tools such as Nessus, Nikto, and other port scanning tools.| |
 |Shellcode|Remote shellcode detection.| | |Shellcode|Remote shellcode detection.| |
-|SMTP|Simple Mail Transfer Protocol (SMTP).| | +|SMTP|Attacks, exploits, and vulnerabilities regarding Simple Mail Transfer Protocol (SMTP).| 
-|SNMP|Simple Network Management Protocol (SNMP).| | +|:::|Also includes rules detecting basic activity of the protocol for logging purposes.|:::
-|SQL|Structured Query Language (SQL).| | +|SNMP|attacks, exploits, and vulnerabilities regarding Simple Network Management Protocol (SNMP).| 
-|TELNET|TELNET.| | +|:::|Also includes rules detecting basic activity of the protocol for logging purposes.|:::
-|TFTP|Trivial File Transport Protocol (TFTP).| |+|SQL|attacks, exploits, and vulnerabilities regarding Structured Query Language (SQL).| 
 +|:::|Also includes rules detecting basic activity of the protocol for logging purposes.|:::
 +|TELNET|attacks and vulnerabilities regarding the TELNET service.| 
 +|:::|Also includes rules detecting basic activity of the protocol for logging purposes.|:::
 +|TFTP|attacks and vulnerabilities regarding the Trivial File Transport Protocol (TFTP).| 
 +|:::|Also includes rules detecting basic activity of the protocol for logging purposes.|:::|
 |TOR|Identification of traffic to and from TOR exit nodes based on IP address.| | |TOR|Identification of traffic to and from TOR exit nodes based on IP address.| |
-|Trojan|A legacy category not used new versions of Suricata.  Superseeded by the Malware category.| |+|Trojan|A legacy category not used in new versions of Suricata.  Super-seeded by the Malware category.| |
 |User Agents|Suspicious and anomalous user agents.| | |User Agents|Suspicious and anomalous user agents.| |
 |:::|Known malicious user agents are generally placed in the Malware category.| | |:::|Known malicious user agents are generally placed in the Malware category.| |
-|VOIP|Voice over IP (VOIP) including SIP, H.323 and RTP among others.| |+|VOIP|Attacks and vulnerabilities regarding Voice over IP (VOIP) including SIP, H.323 and RTP among others.| |
 |Web Client|Web clients such as web browsers as well as client side applications like CURL, WGET and others.| | |Web Client|Web clients such as web browsers as well as client side applications like CURL, WGET and others.| |
 |Web Server|Web server infrastructure such as APACHE, TOMCAT, NGINX, Microsoft Internet Information Services (IIS) and other web server software.| | |Web Server|Web server infrastructure such as APACHE, TOMCAT, NGINX, Microsoft Internet Information Services (IIS) and other web server software.| |
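Review bot: the Trojan row edit replaces "Superseeded" with "Super-seeded", which is still misspelled; the word is "Superseded", so the cell should read `|Trojan|A legacy category not used in new versions of Suricata. Superseded by the Malware category.| |`. In the same hunk the new protocol rows are inconsistent: the SMTP cell starts with "Attacks" while SNMP, SQL, TELNET and TFTP start with lowercase "attacks", and the `:::` continuation rows for SMTP, SNMP, SQL and TELNET end with `|:::` without the closing `|` that the TFTP continuation row and the rest of the table carry. TFTP also expands to Trivial File Transfer Protocol, not "Transport".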
ids/rule_categories/emerging_threat_categories.1642415996.txt.gz · Last modified: 2022/01/17 10:39 by peter