ids:rule_categories:snort_rule_set_categories
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revision | |||
| ids:rule_categories:snort_rule_set_categories [2021/07/24 12:10] – peter | ids:rule_categories:snort_rule_set_categories [2021/07/24 12:22] (current) – peter | ||
|---|---|---|---|
| Line 17: | Line 17: | ||
| |bad-traffic|Traffic that should never be seen on any network, such as TCP and UDP port 0 traffic, or a SYN packet to a multicast address.| |Y| | |bad-traffic|Traffic that should never be seen on any network, such as TCP and UDP port 0 traffic, or a SYN packet to a multicast address.| |Y| | ||
| |blacklist|URI, | |blacklist|URI, | ||
| - | |botnet-cnc|Botnets.| | + | |botnet-cnc|Botnets.| |Y| |
| |browser-chrome|Chrome browser vulnerabilities.| | |browser-chrome|Chrome browser vulnerabilities.| | ||
| |:::|This is separate from the **browser-webkit** category, as Chrome has enough vulnerabilities itself.| | |:::|This is separate from the **browser-webkit** category, as Chrome has enough vulnerabilities itself.| | ||
| Line 27: | Line 27: | ||
| |browser-other|Other browser vulnerabilities not listed above.| | |browser-other|Other browser vulnerabilities not listed above.| | ||
| |browser-plugins|Browser plugin vulnerabilities, | |browser-plugins|Browser plugin vulnerabilities, | ||
| - | |chat|Chat programs, such as AIM, ICQ, and IRC, which may be against corporate policy.|Y| | + | |chat|Chat programs, such as AIM, ICQ, and IRC, which may be against corporate policy.|Y|Y| |
| |content-replace|Any rule that utilizes the **replace** functionality inside of Snort.| | |content-replace|Any rule that utilizes the **replace** functionality inside of Snort.| | ||
| - | |ddos|Distributed denial of service (DDoS).| | + | |ddos|Distributed denial of service (DDoS).| |Y| |
| - | |deleted|Deprecated or super-seeded rules.| | + | |deleted|Deprecated or super-seeded rules.| |Y| |
| - | |dns|DNS, including detection of zone transfers.| | + | |dns|DNS, including detection of zone transfers.| |Y| |
| - | |dos|Denial of service (DoS), including IGMP and teardrop attacks.| | + | |dos|Denial of service (DoS), including IGMP and teardrop attacks.| |Y| |
| - | |experimental|Experimental rules, mostly where new types of rules are included. | + | |experimental|Experimental rules, mostly where new types of rules are included. |
| - | |exploit|Known generic exploits. | + | |exploit|Known generic exploits. |
| |exploit-kit|Exploit kit activity.| | |exploit-kit|Exploit kit activity.| | ||
| |:::|This does not include **post-compromise** rules (as those would be in indicator-compromise).| | |:::|This does not include **post-compromise** rules (as those would be in indicator-compromise).| | ||
| Line 47: | Line 47: | ||
| |file-pdf|PDF file vulnerabilities.| | |file-pdf|PDF file vulnerabilities.| | ||
| |file-other|File vulnerabilities, | |file-other|File vulnerabilities, | ||
| - | |finger|Finger service that runs by default on many Unix-based operating systems.| | + | |finger|Finger service that runs by default on many Unix-based operating systems.| |Y| |
| - | |ftp|FTP service.| | + | |ftp|FTP service.| |Y| |
| - | |icmp-info|For troubleshooting a specific ICMP problem on the network, but in general it just generates noise and should remain disabled.| | + | |icmp|Pings specific to particular attack tools.| |Y| |
| - | |icmp|Pings specific to particular attack tools.| | + | |icmp-info|For troubleshooting a specific ICMP problem on the network, but in general it just generates noise and should remain disabled.| |Y| |
| - | |imap|IMAP email service.| | + | |imap|IMAP email service.| |Y| |
| |indicator-compromise|The detection of a positively compromised system; false positives may occur.| | |indicator-compromise|The detection of a positively compromised system; false positives may occur.| | ||
| |indicator-obfuscation|The detection of obfuscated content. Like encoded JavaScript rules.| | |indicator-obfuscation|The detection of obfuscated content. Like encoded JavaScript rules.| | ||
| |indicator-shellcode|Detection of Shellcode. This replaces the old " | |indicator-shellcode|Detection of Shellcode. This replaces the old " | ||
| |indicator-scan|Detection of network scanning. This replaces the old " | |indicator-scan|Detection of network scanning. This replaces the old " | ||
| - | |info|For troubleshooting.| | + | |info|For troubleshooting.| |Y| |
| |local|Local rules you create.| | |local|Local rules you create.| | ||
| |malware-backdoor|Detection of traffic destined to known listening backdoor command channels.| | |malware-backdoor|Detection of traffic destined to known listening backdoor command channels.| | ||
| Line 62: | Line 62: | ||
| |malware-other|Malware related, but do not fit into one of the other **malware** categories.| | |malware-other|Malware related, but do not fit into one of the other **malware** categories.| | ||
| |malware-tools|Malicious in nature.| | |malware-tools|Malicious in nature.| | ||
| - | |misc|Miscellanious rules that do not fit easily into another category.| | + | |misc|Miscellanious rules that do not fit easily into another category.| |Y| |
| - | |multimedia|Streaming media.|Y| | + | |multimedia|Streaming media.|Y|Y| |
| - | |mysql|Unusual and potentially malicious MySQL traffic.| | + | |mysql|Unusual and potentially malicious MySQL traffic.| |Y| |
| |netbios|Administrative share access alerts on SMB and NetBIOS access.| | |netbios|Administrative share access alerts on SMB and NetBIOS access.| | ||
| - | |nntp|NNTP (Network time protocol servers).| | + | |nntp|NNTP (Network time protocol servers).| |Y| |
| - | |oracle|Oracle database servers.| | + | |oracle|Oracle database servers.| |Y| |
| |os-linux|Vulnerabilities in Linux based OSes. Not for browsers or any other software on it, but simply against the OS itself.| | |os-linux|Vulnerabilities in Linux based OSes. Not for browsers or any other software on it, but simply against the OS itself.| | ||
| |os-solaris|Vulnerabilities in Solaris based OSes. Not for any browsers or any other software on top of the OS.| | |os-solaris|Vulnerabilities in Solaris based OSes. Not for any browsers or any other software on top of the OS.| | ||
| Line 73: | Line 73: | ||
| |os-mobile|Vulnerabilites in Mobile based OSes. Not for any browsers or any other software on the top of the OS.| | |os-mobile|Vulnerabilites in Mobile based OSes. Not for any browsers or any other software on the top of the OS.| | ||
| |os-other|Vulnerabilities in an OS that is not listed above.| | |os-other|Vulnerabilities in an OS that is not listed above.| | ||
| - | |other-ids|The use of other IDSs.| | + | |other-ids|The use of other IDSs.| |Y| |
| - | |p2p|The use of P2P (peer to peer software) protocols.|Y| | + | |p2p|The use of P2P (peer to peer software) protocols.|Y|Y| |
| - | |phishing-spam|Phishing spam.| | + | |phishing-spam|Phishing spam.| |Y| |
| - | |policy|Policy rules, including use of PC Anywhere and VNC traffic, or an anonymous FTP login.|Y| | + | |policy|Policy rules, including use of PC Anywhere and VNC traffic, or an anonymous FTP login.|Y|Y| |
| |policy-multimedia|Potential violations of policy for multimedia, such as the use of iTunes on the network.|Y| | |policy-multimedia|Potential violations of policy for multimedia, such as the use of iTunes on the network.|Y| | ||
| |:::|This is not for vulnerabilities found within multimedia files, as that would be in file-multimedia.|::: | |:::|This is not for vulnerabilities found within multimedia files, as that would be in file-multimedia.|::: | ||
| Line 82: | Line 82: | ||
| |policy-social|Potential violations of policy on corporate networks for the use of social media. (p2p, chat, etc).|Y| | |policy-social|Potential violations of policy on corporate networks for the use of social media. (p2p, chat, etc).|Y| | ||
| |policy-spam|Potential spam on the network.|Y| | |policy-spam|Potential spam on the network.|Y| | ||
| - | |pop2|POP2 email service.| | + | |pop2|POP2 email service.| |Y| |
| - | |pop3|POP3 email service.| | + | |pop3|POP3 email service.| |Y| |
| |porn|Porn.|Y| | |porn|Porn.|Y| | ||
| |protocol-dns|The presence of DNS protocol or vulnerabilities on the network.| | |protocol-dns|The presence of DNS protocol or vulnerabilities on the network.| | ||
| Line 104: | Line 104: | ||
| |pua-p2p|Potentially Unwanted Applications (pau) that deal with p2p.| | |pua-p2p|Potentially Unwanted Applications (pau) that deal with p2p.| | ||
| |pua-toolbars|Potentially Unwanted Applications (pau) that deal with toolbars installed on the client system. (Google Toolbar, Yahoo Toolbar, Hotbar, etc)| | |pua-toolbars|Potentially Unwanted Applications (pau) that deal with toolbars installed on the client system. (Google Toolbar, Yahoo Toolbar, Hotbar, etc)| | ||
| - | |rpc|RPC (Remote Procedure Call).| | + | |rpc|RPC (Remote Procedure Call).| |Y| |
| - | |rservices|The use of rservices commands to control remote systems, including rlogin, rsh, and rexec.| | + | |rservices|The use of rservices commands to control remote systems, including rlogin, rsh, and rexec.| |Y| |
| - | |scada|Scada.| | + | |scada|Scada.| |Y| |
| - | |scan|Network scanners, including port scanning, IP mapping, and various application scanners.| | + | |scan|Network scanners, including port scanning, IP mapping, and various application scanners.| |Y| |
| |server-apache|Apache Web Server.| | |server-apache|Apache Web Server.| | ||
| |server-iis|Microsoft IIS Web server.| | |server-iis|Microsoft IIS Web server.| | ||
| Line 118: | Line 118: | ||
| |server-samba|Samba Servers.| | |server-samba|Samba Servers.| | ||
| |server-webapp|Web based applications on servers.| | |server-webapp|Web based applications on servers.| | ||
| - | |shellcode|Detects shellcode in the packet payload.| | + | |shellcode|Detects shellcode in the packet payload.| |Y| |
| |::: | |::: | ||
| - | |smtp|SMTP email service.| | + | |smtp|SMTP email service.| |Y| |
| - | |snmp|SNMP traffic. | + | |snmp|SNMP traffic. |
| - | |specific-threats| | | + | |specific-threats|Specific-threats.| |Y| |
| - | |spyware-put|Spyware.| | + | |spyware-put|Spyware.| |Y| |
| |sql|SQL injection or other vulnerabilities against SQL like servers.| | |sql|SQL injection or other vulnerabilities against SQL like servers.| | ||
| - | |telnet|Telnet exploits and unpassword protected accounts.| | + | |telnet|Telnet exploits and unpassword protected accounts.| |Y| |
| - | |tftp|DEPRECIATED RULES. | + | |tftp|TFTP.| |Y| |
| - | |virus|Virus. This rule set is not being actively maintained and the rules really just watch for a variety of file extensions transmitted in email traffic.| | + | |virus|Virus.| |Y| |
| - | |:::|The real virus signatures are located within specific service rules now.| | + | |voip|VOIP.| |Y| |
| - | |voip|VOIP.| | + | |web-activex|ActiveX.| |Y| |
| - | |web-activex|ActiveX.| | + | |web-attacks|Web servers and Web form variable vulnerabilities.| |Y| |
| - | |web-attacks|Web servers and Web form variable vulnerabilities.| | + | |web-cgi|CGI (Common Gateway Interface) which web servers use to execute external programs.| |Y| |
| - | |web-cgi|CGI (Common Gateway Interface) which web servers use to execute external programs.| | + | |web-client|Bad things coming from users, and attacks against web users.| |Y| |
| - | |web-client|Bad things coming from users, and attacks against web users.| | + | |web-coldfusion|Coldfusion web application services.| |Y| |
| - | |web-coldfusion|Coldfusion web application services.| | + | |web-frontpage|Frontpage web authoring services.| |Y| |
| - | |web-frontpage|Frontpage web authoring services.| | + | |web-iis|Microsoft Internet Information Server (IIS) web servers.| |Y| |
| - | |web-iis|Microsoft Internet Information Server (IIS) web servers.| | + | |web-misc|Generic web attacks.| |Y| |
| - | |web-misc|Generic web attacks.| | + | |web-php|Attacks against web servers running PHP applications.| |Y| |
| - | |web-php|Attacks against web servers running PHP applications.| | + | |x11|X11 usage or other vulnerabilities against X11 like servers.| |Y| |
| - | |x11|X11 usage or other vulnerabilities against X11 like servers.| | + | |
ids/rule_categories/snort_rule_set_categories.1627128600.txt.gz · Last modified: 2021/07/24 12:10 by peter