====== IDS - Rule Categories - Emerging Threat Categories ======

**NOTE:** Some signatures are not inherently malicious but may be of interest to organizations or for logging purposes.

Protects against attacks and exploits of:

^ Category ^ Description ^ Reference ^
| 3CORESec | Generated automatically from the 3CORESec team IP block lists; based on malicious activity from their honeypots. | https://blacklist.3coresec.net/lists/et-open.txt |
| ActiveX | Attacks and vulnerabilities regarding Microsoft ActiveX controls. | |
| Adware-PUP | Ad-tracking and spyware related activity. | |
| Attack Response | Identifies responses indicative of intrusion, such as LMHost file download, presence of certain web banners and detection of the Metasploit Meterpreter kill command. | |
| ::: | These are designed to catch the results of a successful attack: things like "id=root", or error messages that indicate a compromise may have happened. | ::: |
| Botcc (Bot Command and Control) | Auto-generated from several sources of known and confirmed active botnet and other Command and Control (C2) hosts. | https://www.shadowserver.org |
| Botcc Portgrouped | Similar to the Botcc category but grouped by destination port. Rules grouped by port can offer higher fidelity than those not grouped by port. | |
| Chat | Chat clients such as Internet Relay Chat (IRC). | |
| CIArmy | Generated using Collective Intelligence IP blocking rules. | https://www.cinsscore.com |
| Coinmining | Malware which performs coin mining. | |
| Compromised | Known compromised hosts; updated daily from several private but highly reliable data sources. | |
| ::: | **WARNING:** This category can add significant processing load. In a high-capacity situation it is recommended to use the Botcc rules instead. | ::: |
| Current Events | Active and short-lived campaigns and high-profile items that are expected to be temporary, such as fraud campaigns related to disasters. | |
| ::: | The rules in this category are not intended to be kept in the ruleset for long. | ::: |
| Deleted | Signatures removed from a rule set, often because they were problematic, duplicates, or superseded. | |
| DNS | Attacks and vulnerabilities regarding Domain Name Service (DNS), including tunneling. | |
| DOS | Denial of Service (DoS) attempts. | |
| Drop | Blocks IP addresses on the Spamhaus DROP (Do not Route or Peer) list, which is updated daily. | https://www.spamhaus.org |
| Dshield | Attackers identified by DShield; updated daily from the DShield top attackers list, which is very reliable. | https://www.dshield.org |
| Exploit | Direct exploits not otherwise covered in a specific service category, including vulnerabilities against Microsoft Windows. | |
| ::: | Attacks that have their own category, such as SQL injection, are placed in that category instead. | ::: |
| Exploit-Kit | Activity related to Exploit Kits. | |
| FTP | Attacks, exploits, and vulnerabilities regarding File Transfer Protocol (FTP). | |
| ::: | Also includes basic non-malicious FTP activity for logging purposes, such as login, etc. | ::: |
| Games | Gaming traffic. | |
| ::: | Not necessarily evil, just not appropriate for all environments. | ::: |
| Hunting | Threat hunting in an environment. | |
| ::: | **WARNING:** These rules can produce false positives on legitimate traffic and inhibit performance. They are only recommended for use when actively researching potential threats in the environment. | ::: |
| ICMP | Internet Control Message Protocol (ICMP). | |
| ICMP_info | ICMP protocol specific events, typically associated with normal operations, for logging purposes. | |
| IMAP | Internet Message Access Protocol (IMAP). | |
| Inappropriate | Sites that are pornographic or otherwise not appropriate for a work environment. | |
| ::: | **WARNING:** This category can have a significant performance impact and a high rate of false positives. | ::: |
| Info | Helps provide audit level events that are useful for correlation and for identifying interesting activity which may not be inherently malicious but is often observed in malware and other threats. | |
| ::: | Example: downloading an executable over HTTP by IP address rather than by domain name. | ::: |
| JA3 | Fingerprints malicious SSL certificates using JA3 hashes. | |
| ::: | **WARNING:** These rules can have a high false positive rate but can be very useful for threat hunting or malware detonation. | ::: |
| Malware | Malicious software and spyware related. | |
| Misc | Not covered in other categories. | |
| Mobile Malware | Malware associated with mobile and tablet operating systems. | |
| ::: | Malware associated with mobile operating systems will generally be placed in this category rather than in standard categories like Malware. | ::: |
| NETBIOS | Attacks, exploits and vulnerabilities regarding NetBIOS. | |
| ::: | Also included are rules detecting basic activity of the protocol for logging purposes. | ::: |
| P2P | Peer-to-Peer (P2P), including torrents, eDonkey, BitTorrent, Gnutella and LimeWire among others. | |
| ::: | Not necessarily evil, just not appropriate for all environments. | ::: |
| Phishing | Phishing activity. | |
| Policy | May indicate violations against the policies of an organization. | |
| ::: | Includes Dropbox, Google Apps, Myspace, eBay, etc. Also covers off-port protocols and basic DLP such as credit card numbers and social security numbers. | ::: |
| POP3 | Post Office Protocol 3.0 (POP3). | |
| RPC | Remote Procedure Call (RPC). | |
| SCADA | Supervisory Control and Data Acquisition (SCADA). | |
| SCADA_special | Signatures written for the Snort Digital Bond based SCADA preprocessor. | |
| SCAN | Reconnaissance and probing from tools such as Nessus, Nikto, and other port scanning tools. | |
| Shellcode | Remote shellcode detection. | |
| SMTP | Attacks, exploits, and vulnerabilities regarding Simple Mail Transfer Protocol (SMTP). | |
| ::: | Also includes rules detecting basic activity of the protocol for logging purposes. | ::: |
| SNMP | Attacks, exploits, and vulnerabilities regarding Simple Network Management Protocol (SNMP). | |
| ::: | Also includes rules detecting basic activity of the protocol for logging purposes. | ::: |
| SQL | Attacks, exploits, and vulnerabilities regarding Structured Query Language (SQL). | |
| ::: | Also includes rules detecting basic activity of the protocol for logging purposes. | ::: |
| TELNET | Attacks and vulnerabilities regarding the TELNET service. | |
| ::: | Also includes rules detecting basic activity of the protocol for logging purposes. | ::: |
| TFTP | Attacks and vulnerabilities regarding the Trivial File Transfer Protocol (TFTP). | |
| ::: | Also includes rules detecting basic activity of the protocol for logging purposes. | ::: |
| TOR | Identification of traffic to and from TOR exit nodes based on IP address. | |
| Trojan | A legacy category not used in new versions of Suricata. Superseded by the Malware category. | |
| User Agents | Suspicious and anomalous user agents. | |
| ::: | Known malicious user agents are generally placed in the Malware category. | ::: |
| VOIP | Attacks and vulnerabilities regarding Voice over IP (VOIP), including SIP, H.323 and RTP among others. | |
| Web Client | Web clients such as web browsers, as well as client-side applications like curl, wget and others. | |
| Web Server | Web server infrastructure such as Apache, Tomcat, NGINX, Microsoft Internet Information Services (IIS) and other web server software. | |
| Web Specific Apps | Attacks and vulnerabilities in specific web applications. | |
| WORM | Worm-like propagation. | |

----

===== References =====

https://tools.emergingthreats.net/docs/ETPro%20Rule%20Categories.pdf