Wiki

User Tools

Site Tools

Trace: mesa install_a_local_copy_of_mesa_without_overwriting_os_version
ids:rule_categories:snort_rule_set_categories

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
ids:rule_categories:snort_rule_set_categories [2021/07/22 14:25] peterids:rule_categories:snort_rule_set_categories [2021/07/24 12:22] (current) peter
Line 3: Line 3:
 <WRAP info> <WRAP info>
 **NOTE:**  Some signatures are not inherently malicious but may be of interest to organizations or for logging purposes. **NOTE:**  Some signatures are not inherently malicious but may be of interest to organizations or for logging purposes.
 +
 +  * **Policy**:  Are policy-based rules, so can be not used is not against company policy.
 +  * **Depreciated**:  Abandoned and depreciated rules.
 </WRAP> </WRAP>
  
Line 8: Line 11:
 Protects against attacks and exploits of: Protects against attacks and exploits of:
  
-^Category^Description^+^Category^Description^Policy^Depreciated^
 |app-detect|Applications that generate network activity.| |app-detect|Applications that generate network activity.|
-|attack-responses|Usually occur after a machine has been compromised.| +|attack-responses|Usually occurs after a machine has been compromised.| |Y
-|backdoor|Trojan activity; the target machine may already be compromised.| +|backdoor|Backdoor Trojan activity; the target machine may already be compromised.| |Y
-|bad-traffic|Traffic that should never be seen on any network.|+|bad-traffic|Traffic that should never be seen on any network, such as TCP and UDP port 0 traffic, or a SYN packet to a multicast address.| |Y|
 |blacklist|URI, USER-AGENT, DNS, and IP address rules that have been determined (Reputation pre-processor) to be indicators of malicious activity.| |blacklist|URI, USER-AGENT, DNS, and IP address rules that have been determined (Reputation pre-processor) to be indicators of malicious activity.|
-|botnet-cnc|Botnets.|+|botnet-cnc|Botnets.| |Y|
 |browser-chrome|Chrome browser vulnerabilities.| |browser-chrome|Chrome browser vulnerabilities.|
 |:::|This is separate from the **browser-webkit** category, as Chrome has enough vulnerabilities itself.| |:::|This is separate from the **browser-webkit** category, as Chrome has enough vulnerabilities itself.|
Line 24: Line 27:
 |browser-other|Other browser vulnerabilities not listed above.| |browser-other|Other browser vulnerabilities not listed above.|
 |browser-plugins|Browser plugin vulnerabilities, such as Active-x.| |browser-plugins|Browser plugin vulnerabilities, such as Active-x.|
-|chat|Chat programs, such as AIM, ICQ, and IRC, which may be against corporate policy.|+|chat|Chat programs, such as AIM, ICQ, and IRC, which may be against corporate policy.|Y|Y|
 |content-replace|Any rule that utilizes the **replace** functionality inside of Snort.| |content-replace|Any rule that utilizes the **replace** functionality inside of Snort.|
-|ddos|Distributed denial of service (DDoS).| +|ddos|Distributed denial of service (DDoS).| |Y
-|deleted|Deprecated or superseeded rules.| +|deleted|Deprecated or super-seeded rules.| |Y| 
-|dos|Denial of service (DoS).| +|dns|DNS, including detection of zone transfers.| |Y
-|exploit|An older category which will be deprecated soon. This category looks for exploits against software in a generic form.|+|dos|Denial of service (DoS), including IGMP and teardrop attacks.| |Y| 
 +|experimental|Experimental rules, mostly where new types of rules are included.  May be empty.| |Y
 +|exploit|Known generic exploits.  An older category which will be deprecated soon.| |Y|
 |exploit-kit|Exploit kit activity.| |exploit-kit|Exploit kit activity.|
 |:::|This does not include **post-compromise** rules (as those would be in indicator-compromise).| |:::|This does not include **post-compromise** rules (as those would be in indicator-compromise).|
Line 42: Line 47:
 |file-pdf|PDF file vulnerabilities.| |file-pdf|PDF file vulnerabilities.|
 |file-other|File vulnerabilities, that do not fit into the other categories.| |file-other|File vulnerabilities, that do not fit into the other categories.|
 +|finger|Finger service that runs by default on many Unix-based operating systems.| |Y|
 +|ftp|FTP service.| |Y|
 +|icmp|Pings specific to particular attack tools.| |Y|
 +|icmp-info|For troubleshooting a specific ICMP problem on the network, but in general it just generates noise and should remain disabled.| |Y|
 +|imap|IMAP email service.| |Y|
 |indicator-compromise|The detection of a positively compromised system; false positives may occur.| |indicator-compromise|The detection of a positively compromised system; false positives may occur.|
 |indicator-obfuscation|The detection of obfuscated content. Like encoded JavaScript rules.| |indicator-obfuscation|The detection of obfuscated content. Like encoded JavaScript rules.|
 |indicator-shellcode|Detection of Shellcode. This replaces the old "shellcode.rules".| |indicator-shellcode|Detection of Shellcode. This replaces the old "shellcode.rules".|
 |indicator-scan|Detection of network scanning. This replaces the old "scan.rules".| |indicator-scan|Detection of network scanning. This replaces the old "scan.rules".|
 +|info|For troubleshooting.| |Y|
 +|local|Local rules you create.|
 |malware-backdoor|Detection of traffic destined to known listening backdoor command channels.| |malware-backdoor|Detection of traffic destined to known listening backdoor command channels.|
 |malware-cnc|Identified botnet traffic.| |malware-cnc|Identified botnet traffic.|
-|malware-tools|Malicious in nature.| 
 |malware-other|Malware related, but do not fit into one of the other **malware** categories.| |malware-other|Malware related, but do not fit into one of the other **malware** categories.|
 +|malware-tools|Malicious in nature.|
 +|misc|Miscellanious rules that do not fit easily into another category.| |Y|
 +|multimedia|Streaming media.|Y|Y|
 +|mysql|Unusual and potentially malicious MySQL traffic.| |Y|
 +|netbios|Administrative share access alerts on SMB and NetBIOS access.|
 +|nntp|NNTP (Network time protocol servers).| |Y|
 +|oracle|Oracle database servers.| |Y|
 |os-linux|Vulnerabilities in Linux based OSes.  Not for browsers or any other software on it, but simply against the OS itself.| |os-linux|Vulnerabilities in Linux based OSes.  Not for browsers or any other software on it, but simply against the OS itself.|
 |os-solaris|Vulnerabilities in Solaris based OSes.  Not for any browsers or any other software on top of the OS.| |os-solaris|Vulnerabilities in Solaris based OSes.  Not for any browsers or any other software on top of the OS.|
 |os-windows|Vulnerabilities in Windows based OSes.  Not for any browsers or any other software on top of the OS.| |os-windows|Vulnerabilities in Windows based OSes.  Not for any browsers or any other software on top of the OS.|
 |os-mobile|Vulnerabilites in Mobile based OSes.  Not for any browsers or any other software on the top of the OS.| |os-mobile|Vulnerabilites in Mobile based OSes.  Not for any browsers or any other software on the top of the OS.|
-|os-other|Vulnerabilities in an OS that is not listed above.|\ +|os-other|Vulnerabilities in an OS that is not listed above.| 
-|policy-multimedia|Potential violations of policy for multimedia, such as the use of iTunes on the network.| +|other-ids|The use of other IDSs.| |Y| 
-|:::|This is not for vulnerabilities found within multimedia files, as that would be in file-multimedia.| +|p2p|The use of P2P (peer to peer software) protocols.|Y|Y| 
-|policy-social|Potential violations of policy on corporate networks for the use of social media. (p2p, chat, etc).| +|phishing-spam|Phishing spam.| |Y| 
-|policy-spam|Potential spam on the network.| +|policy|Policy rules, including use of PC Anywhere and VNC traffic, or an anonymous FTP login.|Y|Y| 
-|policy-other|May violate the end-users corporate policy but do not fall into any of the other policy categories first.|+|policy-multimedia|Potential violations of policy for multimedia, such as the use of iTunes on the network.|Y
 +|:::|This is not for vulnerabilities found within multimedia files, as that would be in file-multimedia.|:::| 
 +|policy-other|May violate the end-users corporate policy but do not fall into any of the other policy categories first.|Y
 +|policy-social|Potential violations of policy on corporate networks for the use of social media. (p2p, chat, etc).|Y
 +|policy-spam|Potential spam on the network.|Y
 +|pop2|POP2 email service.| |Y| 
 +|pop3|POP3 email service.| |Y| 
 +|porn|Porn.|Y|
 |protocol-dns|The presence of DNS protocol or vulnerabilities on the network.| |protocol-dns|The presence of DNS protocol or vulnerabilities on the network.|
 |protocol-finger|The presence of the finger protocol or vulnerabilities on the network.| |protocol-finger|The presence of the finger protocol or vulnerabilities on the network.|
Line 66: Line 91:
 |protocol-imap|The presence of the IMAP protocol or vulnerabilities on the network.| |protocol-imap|The presence of the IMAP protocol or vulnerabilities on the network.|
 |protocol-nntp|The presence of the NNTP protocol or vulnerabilities on the network.| |protocol-nntp|The presence of the NNTP protocol or vulnerabilities on the network.|
 +|protocol-other|Potential vulnerabilties in protocols, that do not fit into one of the other "protocol" rule files.|
 |protocol-pop|The presence of the POP protocol or vulnerabilities on the network.| |protocol-pop|The presence of the POP protocol or vulnerabilities on the network.|
 |protocol-rpc|The presence of the RPC protocol or vulnerabilities on the network.| |protocol-rpc|The presence of the RPC protocol or vulnerabilities on the network.|
Line 74: Line 100:
 |protocol-tftp|The presence of the TFTP protocol or vulnerabilities on the network.| |protocol-tftp|The presence of the TFTP protocol or vulnerabilities on the network.|
 |protocol-voip|The presence of VOIP services or vulnerabilities on the network.| |protocol-voip|The presence of VOIP services or vulnerabilities on the network.|
-|protocol-other|Potential vulnerabilties in protocols, that do not fit into one of the other "protocol" rule files.| 
 |pua-adware|Potentially Unwanted Applications (pau) that deal with adware or spyware.| |pua-adware|Potentially Unwanted Applications (pau) that deal with adware or spyware.|
 +|pua-other|Potentially Unwanted Applications (pau) that do not fit into one of the "pau" categories.|
 |pua-p2p|Potentially Unwanted Applications (pau) that deal with p2p.| |pua-p2p|Potentially Unwanted Applications (pau) that deal with p2p.|
 |pua-toolbars|Potentially Unwanted Applications (pau) that deal with toolbars installed on the client system. (Google Toolbar, Yahoo Toolbar, Hotbar, etc)| |pua-toolbars|Potentially Unwanted Applications (pau) that deal with toolbars installed on the client system. (Google Toolbar, Yahoo Toolbar, Hotbar, etc)|
-|pua-other|Potentially Unwanted Applications (pauthat do not fit into one of the categories shown above.|+|rpc|RPC (Remote Procedure Call).| |Y| 
 +|rservices|The use of rservices commands to control remote systems, including rlogin, rsh, and rexec.| |Y| 
 +|scada|Scada.| |Y| 
 +|scan|Network scanners, including port scanning, IP mapping, and various application scanners.| |Y|
 |server-apache|Apache Web Server.| |server-apache|Apache Web Server.|
 |server-iis|Microsoft IIS Web server.| |server-iis|Microsoft IIS Web server.|
 +|server-mail|Mail servers. (Exchange, Courier).|
 +|:::|These are separate from the protocol categories, as those deal with the traffic going to the mail servers itself.|
 |server-mssql|Microsoft SQL Server.| |server-mssql|Microsoft SQL Server.|
 |server-mysql|Oracle MySQL server.| |server-mysql|Oracle MySQL server.|
 |server-oracle|Oracle DB Server.| |server-oracle|Oracle DB Server.|
 +|server-other|Vulnerabilities or attacks against servers that are not detailed in other "server" categories.|
 |server-samba|Samba Servers.| |server-samba|Samba Servers.|
 |server-webapp|Web based applications on servers.| |server-webapp|Web based applications on servers.|
-|server-mail|Mail servers. (Exchange, Courier).| +|shellcode|Detects shellcode in the packet payload.| |Y
-|:::|These are separate from the protocol categories, as those deal with the traffic going to the mail servers itself.| +|:::|**WARNING:**  Since these rules are designed the check the payloads of all traffic, they can cause a significant performance hit when enabled.| 
-|server-other|Vulnerabilities or attacks against servers that are not detailed in the above list.|+|smtp|SMTP email service.| |Y| 
 +|snmp|SNMP traffic.  SNMP is used to manage devices on a network.| |Y
 +|specific-threats|Specific-threats.| |Y| 
 +|spyware-put|Spyware.| |Y|
 |sql|SQL injection or other vulnerabilities against SQL like servers.| |sql|SQL injection or other vulnerabilities against SQL like servers.|
-|x11|X11 usage or other vulnerabilities against X11 like servers.|+|telnet|Telnet exploits and unpassword protected accounts.| |Y| 
 +|tftp|TFTP.| |Y| 
 +|virus|Virus.| |Y| 
 +|voip|VOIP.| |Y| 
 +|web-activex|ActiveX.| |Y| 
 +|web-attacks|Web servers and Web form variable vulnerabilities.| |Y| 
 +|web-cgi|CGI (Common Gateway Interface) which web servers use to execute external programs.| |Y| 
 +|web-client|Bad things coming from users, and attacks against web users.| |Y| 
 +|web-coldfusion|Coldfusion web application services.| |Y| 
 +|web-frontpage|Frontpage web authoring services.| |Y| 
 +|web-iis|Microsoft Internet Information Server (IIS) web servers.| |Y| 
 +|web-misc|Generic web attacks.| |Y| 
 +|web-php|Attacks against web servers running PHP applications.| |Y| 
 +|x11|X11 usage or other vulnerabilities against X11 like servers.| |Y|
  
  
Line 98: Line 146:
  
 https://www.snort.org/rules_explanation https://www.snort.org/rules_explanation
 +
 +https://blog.snort.org/2012/03/rule-category-reorganization.html
ids/rule_categories/snort_rule_set_categories.1626963947.txt.gz · Last modified: 2021/07/22 14:25 by peter
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki