ids:rule_categories:snort_rule_set_categories

Differences

This shows you the differences between two versions of the page.

Previous revision: ids:rule_categories:snort_rule_set_categories [2021/07/22 13:55] peter
Current revision: ids:rule_categories:snort_rule_set_categories [2021/07/24 12:22] (current) peter
Line 3: Line 3:
 <WRAP info> <WRAP info>
 **NOTE:**  Some signatures are not inherently malicious but may be of interest to organizations or for logging purposes. **NOTE:**  Some signatures are not inherently malicious but may be of interest to organizations or for logging purposes.
 +
 +  * **Policy**:  Are policy-based rules, so can be not used is not against company policy.
 +  * **Depreciated**:  Abandoned and depreciated rules.
 </WRAP> </WRAP>
  
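Review bot: the new Policy bullet in the WRAP note is garbled ("Are policy-based rules, so can be not used is not against company policy"); it should read something like "Policy-based rules; they can be disabled where the behaviour they flag is not against company policy." The Deprecated bullet, and the column header the same revision introduces below, spell the word "Depreciated"; "depreciated" means reduced in value, "deprecated" means retired, which is what is meant here.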
Line 8: Line 11:
 Protects against attacks and exploits of: Protects against attacks and exploits of:
  
-^Category^Description^+^Category^Description^Policy^Depreciated^
 |app-detect|Applications that generate network activity.| |app-detect|Applications that generate network activity.|
-|attack-responses|Usually occur after a machine has been compromised.| +|attack-responses|Usually occurs after a machine has been compromised.| |Y
-|backdoor|Trojan activity; the target machine may already be compromised.| +|backdoor|Backdoor Trojan activity; the target machine may already be compromised.| |Y
-|bad-traffic|Traffic that should never be seen on any network.|+|bad-traffic|Traffic that should never be seen on any network, such as TCP and UDP port 0 traffic, or a SYN packet to a multicast address.| |Y|
 |blacklist|URI, USER-AGENT, DNS, and IP address rules that have been determined (Reputation pre-processor) to be indicators of malicious activity.| |blacklist|URI, USER-AGENT, DNS, and IP address rules that have been determined (Reputation pre-processor) to be indicators of malicious activity.|
 +|botnet-cnc|Botnets.| |Y|
 |browser-chrome|Chrome browser vulnerabilities.| |browser-chrome|Chrome browser vulnerabilities.|
 |:::|This is separate from the **browser-webkit** category, as Chrome has enough vulnerabilities itself.| |:::|This is separate from the **browser-webkit** category, as Chrome has enough vulnerabilities itself.|
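Review bot: the new table header names the fourth column "Depreciated" where "Deprecated" is meant, and the rows this hunk leaves untouched (app-detect, blacklist, browser-chrome and its ::: continuation) were not given the two new cells, so the DokuWiki table now mixes three-cell and five-cell rows; add the empty cells (`| |` or `| | |`) to every untouched row so the columns line up. The attack-responses and backdoor rows also drop the closing `|` after the Y.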
Line 23: Line 27:
 |browser-other|Other browser vulnerabilities not listed above.| |browser-other|Other browser vulnerabilities not listed above.|
 |browser-plugins|Browser plugin vulnerabilities, such as Active-x.| |browser-plugins|Browser plugin vulnerabilities, such as Active-x.|
 +|chat|Chat programs, such as AIM, ICQ, and IRC, which may be against corporate policy.|Y|Y|
 |content-replace|Any rule that utilizes the **replace** functionality inside of Snort.| |content-replace|Any rule that utilizes the **replace** functionality inside of Snort.|
-|deleted|Deprecated or superseeded rules.| +|ddos|Distributed denial of service (DDoS).| |Y| 
-|exploit|An older category which will be deprecated soon. This category looks for exploits against software in a generic form.|+|deleted|Deprecated or super-seeded rules.| |Y| 
 +|dns|DNS, including detection of zone transfers.| |Y| 
 +|dos|Denial of service (DoS), including IGMP and teardrop attacks.| |Y| 
 +|experimental|Experimental rules, mostly where new types of rules are included.  May be empty.| |Y
 +|exploit|Known generic exploits.  An older category which will be deprecated soon.| |Y|
 |exploit-kit|Exploit kit activity.| |exploit-kit|Exploit kit activity.|
 |:::|This does not include **post-compromise** rules (as those would be in indicator-compromise).| |:::|This does not include **post-compromise** rules (as those would be in indicator-compromise).|
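Review bot: the deleted row changes "superseeded" to "super-seeded", which is still wrong; the word is "superseded". The experimental row is missing its closing `|` after the Y, and the content-replace, exploit-kit and ::: rows again have no cells for the two columns added in the header.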
Line 38: Line 47:
 |file-pdf|PDF file vulnerabilities.| |file-pdf|PDF file vulnerabilities.|
 |file-other|File vulnerabilities, that do not fit into the other categories.| |file-other|File vulnerabilities, that do not fit into the other categories.|
 +|finger|Finger service that runs by default on many Unix-based operating systems.| |Y|
 +|ftp|FTP service.| |Y|
 +|icmp|Pings specific to particular attack tools.| |Y|
 +|icmp-info|For troubleshooting a specific ICMP problem on the network, but in general it just generates noise and should remain disabled.| |Y|
 +|imap|IMAP email service.| |Y|
 |indicator-compromise|The detection of a positively compromised system; false positives may occur.| |indicator-compromise|The detection of a positively compromised system; false positives may occur.|
 |indicator-obfuscation|The detection of obfuscated content. Like encoded JavaScript rules.| |indicator-obfuscation|The detection of obfuscated content. Like encoded JavaScript rules.|
 |indicator-shellcode|Detection of Shellcode. This replaces the old "shellcode.rules".| |indicator-shellcode|Detection of Shellcode. This replaces the old "shellcode.rules".|
 |indicator-scan|Detection of network scanning. This replaces the old "scan.rules".| |indicator-scan|Detection of network scanning. This replaces the old "scan.rules".|
 +|info|For troubleshooting.| |Y|
 +|local|Local rules you create.|
 |malware-backdoor|Detection of traffic destined to known listening backdoor command channels.| |malware-backdoor|Detection of traffic destined to known listening backdoor command channels.|
 |malware-cnc|Identified botnet traffic.| |malware-cnc|Identified botnet traffic.|
-|malware-tools|Malicious in nature.| 
 |malware-other|Malware related, but do not fit into one of the other **malware** categories.| |malware-other|Malware related, but do not fit into one of the other **malware** categories.|
 +|malware-tools|Malicious in nature.|
 +|misc|Miscellanious rules that do not fit easily into another category.| |Y|
 +|multimedia|Streaming media.|Y|Y|
 +|mysql|Unusual and potentially malicious MySQL traffic.| |Y|
 +|netbios|Administrative share access alerts on SMB and NetBIOS access.|
 +|nntp|NNTP (Network time protocol servers).| |Y|
 +|oracle|Oracle database servers.| |Y|
 |os-linux|Vulnerabilities in Linux based OSes.  Not for browsers or any other software on it, but simply against the OS itself.| |os-linux|Vulnerabilities in Linux based OSes.  Not for browsers or any other software on it, but simply against the OS itself.|
 |os-solaris|Vulnerabilities in Solaris based OSes.  Not for any browsers or any other software on top of the OS.| |os-solaris|Vulnerabilities in Solaris based OSes.  Not for any browsers or any other software on top of the OS.|
 |os-windows|Vulnerabilities in Windows based OSes.  Not for any browsers or any other software on top of the OS.| |os-windows|Vulnerabilities in Windows based OSes.  Not for any browsers or any other software on top of the OS.|
 |os-mobile|Vulnerabilites in Mobile based OSes.  Not for any browsers or any other software on the top of the OS.| |os-mobile|Vulnerabilites in Mobile based OSes.  Not for any browsers or any other software on the top of the OS.|
-|os-other|Vulnerabilities in an OS that is not listed above.|\ +|os-other|Vulnerabilities in an OS that is not listed above.| 
-|policy-multimedia|Potential violations of policy for multimedia, such as the use of iTunes on the network.| +|other-ids|The use of other IDSs.| |Y| 
-|:::|This is not for vulnerabilities found within multimedia files, as that would be in file-multimedia.| +|p2p|The use of P2P (peer to peer software) protocols.|Y|Y| 
-|policy-social|Potential violations of policy on corporate networks for the use of social media. (p2p, chat, etc).| +|phishing-spam|Phishing spam.| |Y| 
-|policy-spam|Potential spam on the network.| +|policy|Policy rules, including use of PC Anywhere and VNC traffic, or an anonymous FTP login.|Y|Y| 
-|policy-other|May violate the end-users corporate policy but do not fall into any of the other policy categories first.|+|policy-multimedia|Potential violations of policy for multimedia, such as the use of iTunes on the network.|Y
 +|:::|This is not for vulnerabilities found within multimedia files, as that would be in file-multimedia.|:::| 
 +|policy-other|May violate the end-users corporate policy but do not fall into any of the other policy categories first.|Y
 +|policy-social|Potential violations of policy on corporate networks for the use of social media. (p2p, chat, etc).|Y
 +|policy-spam|Potential spam on the network.|Y
 +|pop2|POP2 email service.| |Y| 
 +|pop3|POP3 email service.| |Y| 
 +|porn|Porn.|Y|
 |protocol-dns|The presence of DNS protocol or vulnerabilities on the network.| |protocol-dns|The presence of DNS protocol or vulnerabilities on the network.|
 |protocol-finger|The presence of the finger protocol or vulnerabilities on the network.| |protocol-finger|The presence of the finger protocol or vulnerabilities on the network.|
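Review bot: the nntp row expands NNTP as "Network time protocol servers", which is wrong; NNTP is the Network News Transfer Protocol (Usenet news), while time synchronisation is NTP, a protocol this table does not cover. Smaller points in the same hunk: "Miscellanious" in the misc row should be "Miscellaneous"; the policy-multimedia, policy-other, policy-social and policy-spam rows end after the Y without a closing `|`; the local, netbios and protocol-* rows have no cells for the two new columns; and porn is marked Policy only while the other legacy policy-type categories added here (chat, multimedia, p2p) are marked both Policy and Deprecated, so check which is intended.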
Line 62: Line 91:
 |protocol-imap|The presence of the IMAP protocol or vulnerabilities on the network.| |protocol-imap|The presence of the IMAP protocol or vulnerabilities on the network.|
 |protocol-nntp|The presence of the NNTP protocol or vulnerabilities on the network.| |protocol-nntp|The presence of the NNTP protocol or vulnerabilities on the network.|
 +|protocol-other|Potential vulnerabilties in protocols, that do not fit into one of the other "protocol" rule files.|
 |protocol-pop|The presence of the POP protocol or vulnerabilities on the network.| |protocol-pop|The presence of the POP protocol or vulnerabilities on the network.|
 |protocol-rpc|The presence of the RPC protocol or vulnerabilities on the network.| |protocol-rpc|The presence of the RPC protocol or vulnerabilities on the network.|
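Review bot: the protocol-other row is moved here into alphabetical order but keeps the typo "vulnerabilties" (should be "vulnerabilities"), and, like the surrounding protocol-* rows, has no cells for the Policy and Deprecated columns added in the header.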
Line 70: Line 100:
 |protocol-tftp|The presence of the TFTP protocol or vulnerabilities on the network.| |protocol-tftp|The presence of the TFTP protocol or vulnerabilities on the network.|
 |protocol-voip|The presence of VOIP services or vulnerabilities on the network.| |protocol-voip|The presence of VOIP services or vulnerabilities on the network.|
-|protocol-other|Potential vulnerabilties in protocols, that do not fit into one of the other "protocol" rule files.| 
 |pua-adware|Potentially Unwanted Applications (pau) that deal with adware or spyware.| |pua-adware|Potentially Unwanted Applications (pau) that deal with adware or spyware.|
 +|pua-other|Potentially Unwanted Applications (pau) that do not fit into one of the "pau" categories.|
 |pua-p2p|Potentially Unwanted Applications (pau) that deal with p2p.| |pua-p2p|Potentially Unwanted Applications (pau) that deal with p2p.|
 |pua-toolbars|Potentially Unwanted Applications (pau) that deal with toolbars installed on the client system. (Google Toolbar, Yahoo Toolbar, Hotbar, etc)| |pua-toolbars|Potentially Unwanted Applications (pau) that deal with toolbars installed on the client system. (Google Toolbar, Yahoo Toolbar, Hotbar, etc)|
-|pua-other|Potentially Unwanted Applications (pauthat do not fit into one of the categories shown above.|+|rpc|RPC (Remote Procedure Call).| |Y| 
 +|rservices|The use of rservices commands to control remote systems, including rlogin, rsh, and rexec.| |Y| 
 +|scada|Scada.| |Y| 
 +|scan|Network scanners, including port scanning, IP mapping, and various application scanners.| |Y|
 |server-apache|Apache Web Server.| |server-apache|Apache Web Server.|
 |server-iis|Microsoft IIS Web server.| |server-iis|Microsoft IIS Web server.|
 +|server-mail|Mail servers. (Exchange, Courier).|
 +|:::|These are separate from the protocol categories, as those deal with the traffic going to the mail servers itself.|
 |server-mssql|Microsoft SQL Server.| |server-mssql|Microsoft SQL Server.|
 |server-mysql|Oracle MySQL server.| |server-mysql|Oracle MySQL server.|
 |server-oracle|Oracle DB Server.| |server-oracle|Oracle DB Server.|
 +|server-other|Vulnerabilities or attacks against servers that are not detailed in other "server" categories.|
 |server-samba|Samba Servers.| |server-samba|Samba Servers.|
 |server-webapp|Web based applications on servers.| |server-webapp|Web based applications on servers.|
-|server-mail|Mail servers. (Exchange, Courier).| +|shellcode|Detects shellcode in the packet payload.| |Y
-|:::|These are separate from the protocol categories, as those deal with the traffic going to the mail servers itself.| +|:::|**WARNING:**  Since these rules are designed the check the payloads of all traffic, they can cause a significant performance hit when enabled.| 
-|server-other|Vulnerabilities or attacks against servers that are not detailed in the above list.|+|smtp|SMTP email service.| |Y| 
 +|snmp|SNMP traffic.  SNMP is used to manage devices on a network.| |Y
 +|specific-threats|Specific-threats.| |Y| 
 +|spyware-put|Spyware.| |Y|
 |sql|SQL injection or other vulnerabilities against SQL like servers.| |sql|SQL injection or other vulnerabilities against SQL like servers.|
-|x11|X11 usage or other vulnerabilities against X11 like servers.|+|telnet|Telnet exploits and unpassword protected accounts.| |Y| 
 +|tftp|TFTP.| |Y| 
 +|virus|Virus.| |Y| 
 +|voip|VOIP.| |Y| 
 +|web-activex|ActiveX.| |Y| 
 +|web-attacks|Web servers and Web form variable vulnerabilities.| |Y| 
 +|web-cgi|CGI (Common Gateway Interface) which web servers use to execute external programs.| |Y| 
 +|web-client|Bad things coming from users, and attacks against web users.| |Y| 
 +|web-coldfusion|Coldfusion web application services.| |Y| 
 +|web-frontpage|Frontpage web authoring services.| |Y| 
 +|web-iis|Microsoft Internet Information Server (IIS) web servers.| |Y| 
 +|web-misc|Generic web attacks.| |Y| 
 +|web-php|Attacks against web servers running PHP applications.| |Y| 
 +|x11|X11 usage or other vulnerabilities against X11 like servers.| |Y|
  
  
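Review bot: several new rows describe nothing beyond the category name (scada: "Scada.", specific-threats: "Specific-threats.", tftp: "TFTP.", virus: "Virus.", voip: "VOIP.", web-activex: "ActiveX."), so a reader still does not know what they match; give each at least the one-line description the other rows have. Typos in the same hunk: the shellcode WARNING reads "designed the check the payloads" (should be "designed to check the payloads"); the telnet row says "unpassword protected accounts" (should be "accounts without password protection"); the pua-other row and the unchanged pua-* rows abbreviate Potentially Unwanted Applications as "pau" rather than "PUA"; and the shellcode and snmp rows are missing the closing `|` after the Y.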
Line 94: Line 146:
  
 https://www.snort.org/rules_explanation https://www.snort.org/rules_explanation
 +
 +https://blog.snort.org/2012/03/rule-category-reorganization.html
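Review bot: the added blog post is the source for why most of the newly listed categories are deprecated, but the table itself never says what replaced them. The page already states that indicator-shellcode replaces the old shellcode.rules and indicator-scan replaces scan.rules, so the Deprecated cells for the shellcode and scan rows could name the successor category instead of a bare Y, and the same could be done for the other legacy rows wherever the linked rule-category reorganization post gives the mapping.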
ids/rule_categories/snort_rule_set_categories.1626962104.txt.gz · Last modified: 2021/07/22 13:55 by peter
