Differences

This shows you the differences between two versions of the page.

--- ids:rule_categories:snort_rule_set_categories [2021/07/24 11:58] – [IDS - Rule Categories - Snort Rule Set Categories] peter
+++ ids:rule_categories:snort_rule_set_categories [2021/07/24 12:22] (current) – peter
@@ Line 3: / Line 3: @@
 <WRAP info>
 **NOTE:**  Some signatures are not inherently malicious but may be of interest to organizations or for logging purposes.
+  * **Policy**:  Are policy-based rules, so can be not used is not against company policy.
+  * **Depreciated**:  Abandoned and depreciated rules.
 </WRAP>
@@ Line 8: / Line 11: @@
 Protects against attacks and exploits of:
-^Category^Description^Policy^
+^Category^Description^Policy^Depreciated^
 |app-detect|Applications that generate network activity.|
-|attack-responses|Usually occurs after a machine has been compromised.|
+|attack-responses|Usually occurs after a machine has been compromised.| |Y|
-|backdoor|Backdoor Trojan activity; the target machine may already be compromised.|
+|backdoor|Backdoor Trojan activity; the target machine may already be compromised.| |Y|
-|bad-traffic|Traffic that should never be seen on any network, such as TCP and UDP port 0 traffic, or a SYN packet to a multicast address.|
+|bad-traffic|Traffic that should never be seen on any network, such as TCP and UDP port 0 traffic, or a SYN packet to a multicast address.| |Y|
 |blacklist|URI, USER-AGENT, DNS, and IP address rules that have been determined (Reputation pre-processor) to be indicators of malicious activity.|
-|botnet-cnc|Botnets.|
+|botnet-cnc|Botnets.| |Y|
 |browser-chrome|Chrome browser vulnerabilities.|
 |:::|This is separate from the **browser-webkit** category, as Chrome has enough vulnerabilities itself.|
@@ Line 24: / Line 27: @@
 |browser-other|Other browser vulnerabilities not listed above.|
 |browser-plugins|Browser plugin vulnerabilities, such as Active-x.|
-|chat|Chat programs, such as AIM, ICQ, and IRC, which may be against corporate policy.|Y|
+|chat|Chat programs, such as AIM, ICQ, and IRC, which may be against corporate policy.|Y|Y|
 |content-replace|Any rule that utilizes the **replace** functionality inside of Snort.|
-|ddos|Distributed denial of service (DDoS).|
+|ddos|Distributed denial of service (DDoS).| |Y|
-|deleted|Deprecated or super-seeded rules.|
+|deleted|Deprecated or super-seeded rules.| |Y|
-|dns|DNS, including detection of zone transfers.|
+|dns|DNS, including detection of zone transfers.| |Y|
-|dos|Denial of service (DoS), including IGMP and teardrop attacks.|
+|dos|Denial of service (DoS), including IGMP and teardrop attacks.| |Y|
-|experimental|Experimental rules, mostly where new types of rules are included.  May be empty.|
+|experimental|Experimental rules, mostly where new types of rules are included.  May be empty.| |Y|
-|exploit|Known generic exploits.  An older category which will be deprecated soon.|
+|exploit|Known generic exploits.  An older category which will be deprecated soon.| |Y|
 |exploit-kit|Exploit kit activity.|
 |:::|This does not include **post-compromise** rules (as those would be in indicator-compromise).|
@@ Line 44: / Line 47: @@
 |file-pdf|PDF file vulnerabilities.|
 |file-other|File vulnerabilities, that do not fit into the other categories.|
-|finger|Finger service that runs by default on many Unix-based operating systems.|
+|finger|Finger service that runs by default on many Unix-based operating systems.| |Y|
-|ftp|FTP service.|
+|ftp|FTP service.| |Y|
-|icmp-info|For troubleshooting a specific ICMP problem on the network, but in general it just generates noise and should remain disabled.|
+|icmp|Pings specific to particular attack tools.| |Y|
-|icmp|Pings specific to particular attack tools.|
+|icmp-info|For troubleshooting a specific ICMP problem on the network, but in general it just generates noise and should remain disabled.| |Y|
-|imap|IMAP email service.|
+|imap|IMAP email service.| |Y|
 |indicator-compromise|The detection of a positively compromised system; false positives may occur.|
 |indicator-obfuscation|The detection of obfuscated content. Like encoded JavaScript rules.|
 |indicator-shellcode|Detection of Shellcode. This replaces the old "shellcode.rules".|
 |indicator-scan|Detection of network scanning. This replaces the old "scan.rules".|
-|info|For troubleshooting.|
+|info|For troubleshooting.| |Y|
 |local|Local rules you create.|
 |malware-backdoor|Detection of traffic destined to known listening backdoor command channels.|
@@ Line 59: / Line 62: @@
 |malware-other|Malware related, but do not fit into one of the other **malware** categories.|
 |malware-tools|Malicious in nature.|
-|misc|Miscellanious rules that do not fit easily into another category.|
+|misc|Miscellanious rules that do not fit easily into another category.| |Y|
-|multimedia|Streaming media.|Y|
+|multimedia|Streaming media.|Y|Y|
-|mysql|Unusual and potentially malicious MySQL traffic.|
+|mysql|Unusual and potentially malicious MySQL traffic.| |Y|
 |netbios|Administrative share access alerts on SMB and NetBIOS access.|
-|nntp|NNTP (Network time protocol servers).|
+|nntp|NNTP (Network time protocol servers).| |Y|
-|oracle|Oracle database servers.|
+|oracle|Oracle database servers.| |Y|
 |os-linux|Vulnerabilities in Linux based OSes.  Not for browsers or any other software on it, but simply against the OS itself.|
 |os-solaris|Vulnerabilities in Solaris based OSes.  Not for any browsers or any other software on top of the OS.|
@@ Line 70: / Line 73: @@
 |os-mobile|Vulnerabilites in Mobile based OSes.  Not for any browsers or any other software on the top of the OS.|
 |os-other|Vulnerabilities in an OS that is not listed above.|
-|other-ids|The use of other IDSs.|
+|other-ids|The use of other IDSs.| |Y|
-|p2p|The use of P2P (peer to peer software) protocols.|Y|
+|p2p|The use of P2P (peer to peer software) protocols.|Y|Y|
-|phishing-spam|Phishing spam.|
+|phishing-spam|Phishing spam.| |Y|
-|policy|Policy rules, including use of PC Anywhere and VNC traffic, or an anonymous FTP login.|Y|
+|policy|Policy rules, including use of PC Anywhere and VNC traffic, or an anonymous FTP login.|Y|Y|
 |policy-multimedia|Potential violations of policy for multimedia, such as the use of iTunes on the network.|Y|
 |:::|This is not for vulnerabilities found within multimedia files, as that would be in file-multimedia.|:::|
@@ Line 79: / Line 82: @@
 |policy-social|Potential violations of policy on corporate networks for the use of social media. (p2p, chat, etc).|Y|
 |policy-spam|Potential spam on the network.|Y|
-|pop2|POP2 email service.|
+|pop2|POP2 email service.| |Y|
-|pop3|POP3 email service.|
+|pop3|POP3 email service.| |Y|
 |porn|Porn.|Y|
 |protocol-dns|The presence of DNS protocol or vulnerabilities on the network.|
@@ Line 101: / Line 104: @@
 |pua-p2p|Potentially Unwanted Applications (pau) that deal with p2p.|
 |pua-toolbars|Potentially Unwanted Applications (pau) that deal with toolbars installed on the client system. (Google Toolbar, Yahoo Toolbar, Hotbar, etc)|
-|rpc|RPC (Remote Procedure Call).|
+|rpc|RPC (Remote Procedure Call).| |Y|
-|rservices|The use of rservices commands to control remote systems, including rlogin, rsh, and rexec.|
+|rservices|The use of rservices commands to control remote systems, including rlogin, rsh, and rexec.| |Y|
-|scada|Scada.|
+|scada|Scada.| |Y|
-|scan|Network scanners, including port scanning, IP mapping, and various application scanners.|
+|scan|Network scanners, including port scanning, IP mapping, and various application scanners.| |Y|
 |server-apache|Apache Web Server.|
 |server-iis|Microsoft IIS Web server.|
@@ Line 115: / Line 118: @@
 |server-samba|Samba Servers.|
 |server-webapp|Web based applications on servers.|
-|shellcode|Detects shellcode in the packet payload.|
+|shellcode|Detects shellcode in the packet payload.| |Y|
 |:::|**WARNING:**  Since these rules are designed the check the payloads of all traffic, they can cause a significant performance hit when enabled.|
-|smtp|SMTP email service.|
+|smtp|SMTP email service.| |Y|
-|snmp|SNMP traffic.  SNMP is used to manage devices on a network.|
+|snmp|SNMP traffic.  SNMP is used to manage devices on a network.| |Y|
-|specific-threats| |
+|specific-threats|Specific-threats.| |Y|
-|spyware-put|Spyware.|
+|spyware-put|Spyware.| |Y|
 |sql|SQL injection or other vulnerabilities against SQL like servers.|
-|telnet|Telnet exploits and unpassword protected accounts.|
+|telnet|Telnet exploits and unpassword protected accounts.| |Y|
-|tftp|DEPRECIATED RULES.  TFTP.|
+|tftp|TFTP.| |Y|
-|virus|Virus.  This rule set is not being actively maintained and the rules really just watch for a variety of file extensions transmitted in email traffic.|
+|virus|Virus.| |Y|
-|:::|The real virus signatures are located within specific service rules now.|
+|voip|VOIP.| |Y|
-|voip|VOIP.|
+|web-activex|ActiveX.| |Y|
-|web-activex|ActiveX.|
+|web-attacks|Web servers and Web form variable vulnerabilities.| |Y|
-|web-attacks|Web servers and Web form variable vulnerabilities.|
+|web-cgi|CGI (Common Gateway Interface) which web servers use to execute external programs.| |Y|
-|web-cgi|CGI (Common Gateway Interface) which web servers use to execute external programs.|
+|web-client|Bad things coming from users, and attacks against web users.| |Y|
-|web-client|Bad things coming from users, and attacks against web users.|
+|web-coldfusion|Coldfusion web application services.| |Y|
-|web-coldfusion|Coldfusion web application services.|
+|web-frontpage|Frontpage web authoring services.| |Y|
-|web-frontpage|Frontpage web authoring services.|
+|web-iis|Microsoft Internet Information Server (IIS) web servers.| |Y|
-|web-iis|Microsoft Internet Information Server (IIS) web servers.|
+|web-misc|Generic web attacks.| |Y|
-|web-misc|Generic web attacks.|
+|web-php|Attacks against web servers running PHP applications.| |Y|
-|web-php|Attacks against web servers running PHP applications.|
+|x11|X11 usage or other vulnerabilities against X11 like servers.| |Y|
-|x11|X11 usage or other vulnerabilities against X11 like servers.|