ids:rule_categories:snort_rule_set_categories

Differences

This shows you the differences between two versions of the page.

ids:rule_categories:snort_rule_set_categories [2021/07/24 11:18] peter
ids:rule_categories:snort_rule_set_categories [2021/07/24 12:22] (current) peter
Line 3: Line 3:
 <WRAP info> <WRAP info>
 **NOTE:**  Some signatures are not inherently malicious but may be of interest to organizations or for logging purposes. **NOTE:**  Some signatures are not inherently malicious but may be of interest to organizations or for logging purposes.
 +
 +  * **Policy**:  Are policy-based rules, so can be not used is not against company policy.
 +  * **Depreciated**:  Abandoned and depreciated rules.
 </WRAP> </WRAP>
  
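Review bot: the new **Policy** bullet is ungrammatical ("so can be not used is not against company policy"); suggest `* **Policy**: Policy-based rules; they can be left disabled when the activity is not against company policy.` "Depreciated" should be "Deprecated" both here and in the matching `^Depreciated^` column header, and since this note is what introduces the two new table columns, it should also say what a `Y` in each column means.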
Line 8: Line 11:
 Protects against attacks and exploits of: Protects against attacks and exploits of:
  
-^Category^Description^+^Category^Description^Policy^Depreciated^
 |app-detect|Applications that generate network activity.| |app-detect|Applications that generate network activity.|
-|attack-responses|Usually occurs after a machine has been compromised.| +|attack-responses|Usually occurs after a machine has been compromised.| |Y
-|backdoor|Trojan activity; the target machine may already be compromised.| +|backdoor|Backdoor Trojan activity; the target machine may already be compromised.| |Y
-|bad-traffic|Traffic that should never be seen on any network.|+|bad-traffic|Traffic that should never be seen on any network, such as TCP and UDP port 0 traffic, or a SYN packet to a multicast address.| |Y|
 |blacklist|URI, USER-AGENT, DNS, and IP address rules that have been determined (Reputation pre-processor) to be indicators of malicious activity.| |blacklist|URI, USER-AGENT, DNS, and IP address rules that have been determined (Reputation pre-processor) to be indicators of malicious activity.|
-|botnet-cnc|Botnets.|+|botnet-cnc|Botnets.| |Y|
 |browser-chrome|Chrome browser vulnerabilities.| |browser-chrome|Chrome browser vulnerabilities.|
 |:::|This is separate from the **browser-webkit** category, as Chrome has enough vulnerabilities itself.| |:::|This is separate from the **browser-webkit** category, as Chrome has enough vulnerabilities itself.|
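Review bot: the header row gains `^Policy^Depreciated^`, but the data rows are now inconsistent in width: unchanged rows such as `|app-detect|...|` and `|blacklist|...|` still have two cells, `|attack-responses|...| |Y` and `|backdoor|...| |Y` end without a terminating `|`, and only `|bad-traffic|...| |Y|` is complete. DokuWiki requires every table row to start and end with `|` (or `^`), so the truncated rows will not render as rows of this table; suggest padding every row to four cells, e.g. `|app-detect|Applications that generate network activity.| | |`. The same applies to the rows in every hunk below.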
Line 24: Line 27:
 |browser-other|Other browser vulnerabilities not listed above.| |browser-other|Other browser vulnerabilities not listed above.|
 |browser-plugins|Browser plugin vulnerabilities, such as Active-x.| |browser-plugins|Browser plugin vulnerabilities, such as Active-x.|
-|chat|Chat programs, such as AIM, ICQ, and IRC, which may be against corporate policy.|+|chat|Chat programs, such as AIM, ICQ, and IRC, which may be against corporate policy.|Y|Y|
 |content-replace|Any rule that utilizes the **replace** functionality inside of Snort.| |content-replace|Any rule that utilizes the **replace** functionality inside of Snort.|
-|ddos|Distributed denial of service (DDoS).| +|ddos|Distributed denial of service (DDoS).| |Y
-|deleted|Deprecated or superseeded rules.| +|deleted|Deprecated or super-seeded rules.| |Y| 
-|dos|Denial of service (DoS).| +|dns|DNS, including detection of zone transfers.| |Y
-|experimental|Experimental rules.| +|dos|Denial of service (DoS), including IGMP and teardrop attacks.| |Y
-|exploit|An older category which will be deprecated soon. This category looks for exploits against software in a generic form.|+|experimental|Experimental rules, mostly where new types of rules are included.  May be empty.| |Y
 +|exploit|Known generic exploits.  An older category which will be deprecated soon.| |Y|
 |exploit-kit|Exploit kit activity.| |exploit-kit|Exploit kit activity.|
 |:::|This does not include **post-compromise** rules (as those would be in indicator-compromise).| |:::|This does not include **post-compromise** rules (as those would be in indicator-compromise).|
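Review bot: `|deleted|Deprecated or super-seeded rules.|` swaps one misspelling for another; the word is "superseded". Inserting the `dns` row and moving `exploit` below `experimental` is fine, but `|experimental|...| |Y` and the three rows above it again lack the closing `|` while `|exploit|...| |Y|` has it, so the four-cell layout needs to be applied uniformly here too.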
Line 43: Line 47:
 |file-pdf|PDF file vulnerabilities.| |file-pdf|PDF file vulnerabilities.|
 |file-other|File vulnerabilities, that do not fit into the other categories.| |file-other|File vulnerabilities, that do not fit into the other categories.|
 +|finger|Finger service that runs by default on many Unix-based operating systems.| |Y|
 +|ftp|FTP service.| |Y|
 +|icmp|Pings specific to particular attack tools.| |Y|
 +|icmp-info|For troubleshooting a specific ICMP problem on the network, but in general it just generates noise and should remain disabled.| |Y|
 +|imap|IMAP email service.| |Y|
 |indicator-compromise|The detection of a positively compromised system; false positives may occur.| |indicator-compromise|The detection of a positively compromised system; false positives may occur.|
 |indicator-obfuscation|The detection of obfuscated content. Like encoded JavaScript rules.| |indicator-obfuscation|The detection of obfuscated content. Like encoded JavaScript rules.|
 |indicator-shellcode|Detection of Shellcode. This replaces the old "shellcode.rules".| |indicator-shellcode|Detection of Shellcode. This replaces the old "shellcode.rules".|
 |indicator-scan|Detection of network scanning. This replaces the old "scan.rules".| |indicator-scan|Detection of network scanning. This replaces the old "scan.rules".|
-|local|Local rules.|+|info|For troubleshooting.| |Y| 
 +|local|Local rules you create.|
 |malware-backdoor|Detection of traffic destined to known listening backdoor command channels.| |malware-backdoor|Detection of traffic destined to known listening backdoor command channels.|
 |malware-cnc|Identified botnet traffic.| |malware-cnc|Identified botnet traffic.|
 |malware-other|Malware related, but do not fit into one of the other **malware** categories.| |malware-other|Malware related, but do not fit into one of the other **malware** categories.|
 |malware-tools|Malicious in nature.| |malware-tools|Malicious in nature.|
-|misc|Web Miscellanious.| +|misc|Miscellanious rules that do not fit easily into another category.| |Y
-|multimedia|Streaming media may be a violation of corporate policies.| +|multimedia|Streaming media.|Y|Y
-|mysql|Unusual and potentially malicious mysql traffic.| +|mysql|Unusual and potentially malicious MySQL traffic.| |Y
-|netbios|Netbios.| +|netbios|Administrative share access alerts on SMB and NetBIOS access.| 
-|nntp|NNTP.| +|nntp|NNTP (Network time protocol servers).| |Y
-|oracle|Oracle.|+|oracle|Oracle database servers.| |Y|
 |os-linux|Vulnerabilities in Linux based OSes.  Not for browsers or any other software on it, but simply against the OS itself.| |os-linux|Vulnerabilities in Linux based OSes.  Not for browsers or any other software on it, but simply against the OS itself.|
 |os-solaris|Vulnerabilities in Solaris based OSes.  Not for any browsers or any other software on top of the OS.| |os-solaris|Vulnerabilities in Solaris based OSes.  Not for any browsers or any other software on top of the OS.|
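Review bot: `|nntp|NNTP (Network time protocol servers).|` expands the acronym wrongly; NNTP is the Network News Transfer Protocol (Usenet news), not NTP. Suggest `|nntp|NNTP (Network News Transfer Protocol) news servers.| |Y|`. Also "Miscellanious" in the `misc` row should be "Miscellaneous", `|netbios|...| ` ends in a single empty cell with no closing `|`, and the new `|local|Local rules you create.|` row lacks the two added cells.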
Line 63: Line 73:
 |os-mobile|Vulnerabilites in Mobile based OSes.  Not for any browsers or any other software on the top of the OS.| |os-mobile|Vulnerabilites in Mobile based OSes.  Not for any browsers or any other software on the top of the OS.|
 |os-other|Vulnerabilities in an OS that is not listed above.| |os-other|Vulnerabilities in an OS that is not listed above.|
-|other-ids|The use of other IDSs.| +|other-ids|The use of other IDSs.| |Y
-|p2p|The use of P2P protocols, which are usually against corporate policy.| +|p2p|The use of P2P (peer to peer software) protocols.|Y|Y
-|phishing-spam|Phishing spam.| +|phishing-spam|Phishing spam.| |Y
-|policy|Policy rules, which are usually against corporate policy.| +|policy|Policy rules, including use of PC Anywhere and VNC traffic, or an anonymous FTP login.|Y|Y
-|policy-multimedia|Potential violations of policy for multimedia, such as the use of iTunes on the network.| +|policy-multimedia|Potential violations of policy for multimedia, such as the use of iTunes on the network.|Y
-|:::|This is not for vulnerabilities found within multimedia files, as that would be in file-multimedia.| +|:::|This is not for vulnerabilities found within multimedia files, as that would be in file-multimedia.|:::
-|policy-other|May violate the end-users corporate policy but do not fall into any of the other policy categories first.| +|policy-other|May violate the end-users corporate policy but do not fall into any of the other policy categories first.|Y
-|policy-social|Potential violations of policy on corporate networks for the use of social media. (p2p, chat, etc).| +|policy-social|Potential violations of policy on corporate networks for the use of social media. (p2p, chat, etc).|Y
-|policy-spam|Potential spam on the network.| +|policy-spam|Potential spam on the network.|Y
-|pop2|POP2 rules.| +|pop2|POP2 email service.| |Y
-|pop3|POP3 rules.|+|pop3|POP3 email service.| |Y| 
 +|porn|Porn.|Y|
 |protocol-dns|The presence of DNS protocol or vulnerabilities on the network.| |protocol-dns|The presence of DNS protocol or vulnerabilities on the network.|
 |protocol-finger|The presence of the finger protocol or vulnerabilities on the network.| |protocol-finger|The presence of the finger protocol or vulnerabilities on the network.|
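Review bot: the `policy-*` rows (`|policy-multimedia|...|Y`, `|policy-other|...|Y`, `|policy-social|...|Y`, `|policy-spam|...|Y`) carry a Policy `Y` but no Depreciated cell and no closing `|`, and the `|:::|...|:::` continuation row under policy-multimedia has the same problem; each should end `|Y| |`. Moving the "against corporate policy" wording out of the `multimedia` and `p2p` descriptions and into the Policy column is a good cleanup; the `chat` row above still carries that wording in its description and could be treated the same way.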
Line 93: Line 104:
 |pua-p2p|Potentially Unwanted Applications (pau) that deal with p2p.| |pua-p2p|Potentially Unwanted Applications (pau) that deal with p2p.|
 |pua-toolbars|Potentially Unwanted Applications (pau) that deal with toolbars installed on the client system. (Google Toolbar, Yahoo Toolbar, Hotbar, etc)| |pua-toolbars|Potentially Unwanted Applications (pau) that deal with toolbars installed on the client system. (Google Toolbar, Yahoo Toolbar, Hotbar, etc)|
-|rpc|RPC (Remote Procedure Call).| +|rpc|RPC (Remote Procedure Call).| |Y
-|rservices|MS SQL Server R Services.| +|rservices|The use of rservices commands to control remote systems, including rlogin, rsh, and rexec.| |Y
-|scada|Scada.| +|scada|Scada.| |Y
-|scan|Network scanners, including port scanning, IP mapping, and various application scanners.|+|scan|Network scanners, including port scanning, IP mapping, and various application scanners.| |Y|
 |server-apache|Apache Web Server.| |server-apache|Apache Web Server.|
 |server-iis|Microsoft IIS Web server.| |server-iis|Microsoft IIS Web server.|
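Review bot: the corrected `rservices` description is right: rlogin, rsh and rexec are the Berkeley r-services, and the old "MS SQL Server R Services" text was wrong. While in this block, `|scada|Scada.| |Y` still says nothing beyond the category name; at minimum expand the acronym (SCADA, Supervisory Control and Data Acquisition, i.e. industrial control system protocols). The unchanged `(pau)` in the `pua-p2p` and `pua-toolbars` context rows should be `(PUA)` in a follow-up edit.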
Line 107: Line 118:
 |server-samba|Samba Servers.| |server-samba|Samba Servers.|
 |server-webapp|Web based applications on servers.| |server-webapp|Web based applications on servers.|
-|shellcode|Attempt is made to execute shellcode.| +|shellcode|Detects shellcode in the packet payload.| |Y| 
-|smtp|SMTP.| +|:::|**WARNING:**  Since these rules are designed the check the payloads of all traffic, they can cause a significant performance hit when enabled.| 
-|snmp|SNMP.| +|smtp|SMTP email service.| |Y
-|specific-threats| | +|snmp|SNMP traffic SNMP is used to manage devices on a network.| |Y
-|spyware-put|Spyware.|+|specific-threats|Specific-threats.| |Y
 +|spyware-put|Spyware.| |Y|
 |sql|SQL injection or other vulnerabilities against SQL like servers.| |sql|SQL injection or other vulnerabilities against SQL like servers.|
-|telnet|Various telnet exploits and unpassword protected accounts.| +|telnet|Telnet exploits and unpassword protected accounts.| |Y
-|tftp|DEPRECIATED RULES.  TFTP.| +|tftp|TFTP.| |Y
-|virus|Virus.| +|virus|Virus.| |Y
-|voip|VOIP.| +|voip|VOIP.| |Y
-|web-activex|ActiveX.| +|web-activex|ActiveX.| |Y
-|web-attacks|Web form variable vulnerabilities.| +|web-attacks|Web servers and Web form variable vulnerabilities.| |Y
-|web-cgi|CGI (Common Gateway Interface) which web servers use to execute external programs.| +|web-cgi|CGI (Common Gateway Interface) which web servers use to execute external programs.| |Y
-|web-client|Bad things coming from users, and attacks against web users.| +|web-client|Bad things coming from users, and attacks against web users.| |Y
-|web-coldfusion|Coldfusion web application services.| +|web-coldfusion|Coldfusion web application services.| |Y
-|web-frontpage|Frontpage web authoring services.| +|web-frontpage|Frontpage web authoring services.| |Y
-|web-iis|Microsoft Internet Information Server (IIS) web servers.| +|web-iis|Microsoft Internet Information Server (IIS) web servers.| |Y
-|web-misc|Generic web attacks.| +|web-misc|Generic web attacks.| |Y
-|web-php|Attacks against web servers running PHP applications (primarily runs on Apache, but it is possible to run on IIS).| +|web-php|Attacks against web servers running PHP applications.| |Y
-|x11|X11 usage or other vulnerabilities against X11 like servers.|+|x11|X11 usage or other vulnerabilities against X11 like servers.| |Y|
  
  
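Review bot: the new WARNING continuation row for `shellcode` reads "designed the check the payloads"; it should be "designed to check the payloads". The `snmp` row is missing punctuation between "SNMP traffic" and "SNMP is used to manage devices on a network", and `|specific-threats|Specific-threats.|` only repeats the category name. Since this hunk marks `shellcode` as deprecated and the earlier `indicator-shellcode` row says it replaces shellcode.rules, the payload-inspection performance warning applies just as much to the replacement category and could be cross-referenced there. Finally, "unpassword protected accounts" in the `telnet` row reads better as "accounts without password protection".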
ids/rule_categories/snort_rule_set_categories.1627125495.txt.gz · Last modified: 2021/07/24 11:18 by peter
