====== IDS - Rule Categories - Snort Rule Set Categories ======

**NOTE:** Some signatures are not inherently malicious but may be of interest to organizations or for logging purposes.

  * **Policy**: Policy-based rules; they need not be enabled if the activity is not against company policy.
  * **Deprecated**: Abandoned and deprecated rules.

Protects against attacks and exploits of:

^Category^Description^Policy^Deprecated^
|app-detect|Applications that generate network activity.| | |
|attack-responses|Usually occurs after a machine has been compromised.| |Y|
|backdoor|Backdoor Trojan activity; the target machine may already be compromised.| |Y|
|bad-traffic|Traffic that should never be seen on any network, such as TCP and UDP port 0 traffic, or a SYN packet to a multicast address.| |Y|
|blacklist|URI, USER-AGENT, DNS, and IP address rules that have been determined (Reputation pre-processor) to be indicators of malicious activity.| | |
|botnet-cnc|Botnets.| |Y|
|browser-chrome|Chrome browser vulnerabilities.| | |
|:::|This is separate from the **browser-webkit** category, as Chrome has enough vulnerabilities of its own.|:::|:::|
|browser-firefox|Firefox browser vulnerabilities.| | |
|:::|Includes products that use the **Gecko** engine (Thunderbird email client, etc.).|:::|:::|
|browser-ie|Internet Explorer vulnerabilities.| | |
|browser-webkit|Webkit browser engine vulnerabilities.| | |
|:::|Includes Apple Safari, RIM mobile browser, Nokia, KDE, Webkit itself, and Palm. Does not include Chrome.|:::|:::|
|browser-other|Other browser vulnerabilities not listed above.| | |
|browser-plugins|Browser plugin vulnerabilities, such as ActiveX.| | |
|chat|Chat programs, such as AIM, ICQ, and IRC, which may be against corporate policy.|Y|Y|
|content-replace|Any rule that utilizes the **replace** functionality inside of Snort.| | |
|ddos|Distributed denial of service (DDoS).| |Y|
|deleted|Deprecated or superseded rules.| |Y|
|dns|DNS, including detection of zone transfers.| |Y|
|dos|Denial of service (DoS), including IGMP and teardrop attacks.| |Y|
|experimental|Experimental rules, mostly where new types of rules are included. May be empty.| |Y|
|exploit|Known generic exploits. An older category which will be deprecated soon.| |Y|
|exploit-kit|Exploit kit activity.| | |
|:::|This does not include **post-compromise** rules (those would be in indicator-compromise).|:::|:::|
|file-executable|Executable file vulnerabilities.| | |
|file-flash|Flash file vulnerabilities, either compressed or uncompressed.| | |
|file-image|Image file vulnerabilities (jpg, png, gif, bmp, etc.).| | |
|file-identify|Identify files through file extension, the content in the file (file magic), or header found in the traffic.| | |
|:::|This information is usually used to then set a flowbit to be used in a different rule.|:::|:::|
|file-java|Java file vulnerabilities (.jar).| | |
|file-multimedia|Multimedia file vulnerabilities (mp3, movies, wmv).| | |
|file-office|Microsoft Office suite of software vulnerabilities (Excel, PowerPoint, Word, Visio, Access, Outlook, etc.).| | |
|file-pdf|PDF file vulnerabilities.| | |
|file-other|File vulnerabilities that do not fit into the other categories.| | |
|finger|Finger service that runs by default on many Unix-based operating systems.| |Y|
|ftp|FTP service.| |Y|
|icmp|Pings specific to particular attack tools.| |Y|
|icmp-info|For troubleshooting a specific ICMP problem on the network, but in general it just generates noise and should remain disabled.| |Y|
|imap|IMAP email service.| |Y|
|indicator-compromise|The detection of a positively compromised system; false positives may occur.| | |
|indicator-obfuscation|The detection of obfuscated content, such as encoded JavaScript rules.| | |
|indicator-shellcode|Detection of shellcode. This replaces the old "shellcode.rules".| | |
|indicator-scan|Detection of network scanning. This replaces the old "scan.rules".| | |
|info|For troubleshooting.| |Y|
|local|Local rules you create.| | |
|malware-backdoor|Detection of traffic destined to known listening backdoor command channels.| | |
|malware-cnc|Identified botnet traffic.| | |
|malware-other|Malware related, but does not fit into one of the other **malware** categories.| | |
|malware-tools|Malicious in nature.| | |
|misc|Miscellaneous rules that do not fit easily into another category.| |Y|
|multimedia|Streaming media.|Y|Y|
|mysql|Unusual and potentially malicious MySQL traffic.| |Y|
|netbios|Administrative share access alerts on SMB and NetBIOS access.| | |
|nntp|NNTP (Network News Transfer Protocol) servers.| |Y|
|oracle|Oracle database servers.| |Y|
|os-linux|Vulnerabilities in Linux based OSes. Not for browsers or any other software on it, but simply against the OS itself.| | |
|os-solaris|Vulnerabilities in Solaris based OSes. Not for any browsers or any other software on top of the OS.| | |
|os-windows|Vulnerabilities in Windows based OSes. Not for any browsers or any other software on top of the OS.| | |
|os-mobile|Vulnerabilities in mobile based OSes. Not for any browsers or any other software on top of the OS.| | |
|os-other|Vulnerabilities in an OS that is not listed above.| | |
|other-ids|The use of other IDSs.| |Y|
|p2p|The use of P2P (peer to peer software) protocols.|Y|Y|
|phishing-spam|Phishing spam.| |Y|
|policy|Policy rules, including use of PC Anywhere and VNC traffic, or an anonymous FTP login.|Y|Y|
|policy-multimedia|Potential violations of policy for multimedia, such as the use of iTunes on the network.|Y| |
|:::|This is not for vulnerabilities found within multimedia files, as those would be in file-multimedia.|:::|:::|
|policy-other|May violate the end user's corporate policy but does not fall into any of the other policy categories.|Y| |
|policy-social|Potential violations of policy on corporate networks for the use of social media (p2p, chat, etc.).|Y| |
|policy-spam|Potential spam on the network.|Y| |
|pop2|POP2 email service.| |Y|
|pop3|POP3 email service.| |Y|
|porn|Porn.|Y| |
|protocol-dns|The presence of the DNS protocol or vulnerabilities on the network.| | |
|protocol-finger|The presence of the finger protocol or vulnerabilities on the network.| | |
|protocol-ftp|The presence of the FTP protocol or vulnerabilities on the network.| | |
|protocol-icmp|The presence of ICMP traffic or vulnerabilities on the network.| | |
|protocol-imap|The presence of the IMAP protocol or vulnerabilities on the network.| | |
|protocol-nntp|The presence of the NNTP protocol or vulnerabilities on the network.| | |
|protocol-other|Potential vulnerabilities in protocols that do not fit into one of the other "protocol" rule files.| | |
|protocol-pop|The presence of the POP protocol or vulnerabilities on the network.| | |
|protocol-rpc|The presence of the RPC protocol or vulnerabilities on the network.| | |
|protocol-scada|The presence of SCADA protocols or vulnerabilities on the network.| | |
|protocol-services|The presence of the rservices protocols or vulnerabilities on the network.| | |
|protocol-snmp|The presence of the SNMP protocol or vulnerabilities on the network.| | |
|protocol-telnet|The presence of the telnet protocol or vulnerabilities on the network.| | |
|protocol-tftp|The presence of the TFTP protocol or vulnerabilities on the network.| | |
|protocol-voip|The presence of VoIP services or vulnerabilities on the network.| | |
|pua-adware|Potentially Unwanted Applications (PUA) that deal with adware or spyware.| | |
|pua-other|Potentially Unwanted Applications (PUA) that do not fit into one of the other "pua" categories.| | |
|pua-p2p|Potentially Unwanted Applications (PUA) that deal with p2p.| | |
|pua-toolbars|Potentially Unwanted Applications (PUA) that deal with toolbars installed on the client system (Google Toolbar, Yahoo Toolbar, Hotbar, etc.).| | |
|rpc|RPC (Remote Procedure Call).| |Y|
|rservices|The use of rservices commands to control remote systems, including rlogin, rsh, and rexec.| |Y|
|scada|SCADA.| |Y|
|scan|Network scanners, including port scanning, IP mapping, and various application scanners.| |Y|
|server-apache|Apache Web Server.| | |
|server-iis|Microsoft IIS Web server.| | |
|server-mail|Mail servers (Exchange, Courier).| | |
|:::|These are separate from the protocol categories, as those deal with the traffic going to the mail servers itself.|:::|:::|
|server-mssql|Microsoft SQL Server.| | |
|server-mysql|Oracle MySQL server.| | |
|server-oracle|Oracle DB Server.| | |
|server-other|Vulnerabilities or attacks against servers that are not detailed in other "server" categories.| | |
|server-samba|Samba servers.| | |
|server-webapp|Web based applications on servers.| | |
|shellcode|Detects shellcode in the packet payload.| |Y|
|:::|**WARNING:** Since these rules are designed to check the payloads of all traffic, they can cause a significant performance hit when enabled.|:::|:::|
|smtp|SMTP email service.| |Y|
|snmp|SNMP traffic. SNMP is used to manage devices on a network.| |Y|
|specific-threats|Specific threats.| |Y|
|spyware-put|Spyware.| |Y|
|sql|SQL injection or other vulnerabilities against SQL-like servers.| | |
|telnet|Telnet exploits and accounts without password protection.| |Y|
|tftp|TFTP.| |Y|
|virus|Virus.| |Y|
|voip|VoIP.| |Y|
|web-activex|ActiveX.| |Y|
|web-attacks|Web servers and Web form variable vulnerabilities.| |Y|
|web-cgi|CGI (Common Gateway Interface), which web servers use to execute external programs.| |Y|
|web-client|Bad things coming from users, and attacks against web users.| |Y|
|web-coldfusion|ColdFusion web application services.| |Y|
|web-frontpage|FrontPage web authoring services.| |Y|
|web-iis|Microsoft Internet Information Server (IIS) web servers.| |Y|
|web-misc|Generic web attacks.| |Y|
|web-php|Attacks against web servers running PHP applications.| |Y|
|x11|X11 usage or other vulnerabilities against X11-like servers.| |Y|

----

===== References =====

  * https://www.snort.org/rules_explanation
  * https://blog.snort.org/2012/03/rule-category-reorganization.html