IDS - Rule Categories - Snort Rule Set Categories

NOTE: Some signatures are not inherently malicious but may be of interest to organizations or for logging purposes.

Policy: Are policy-based rules, so can be not used is not against company policy.
Depreciated: Abandoned and depreciated rules.

Protects against attacks and exploits of:

Category	Description	Policy	Depreciated
app-detect	Applications that generate network activity.
attack-responses	Usually occurs after a machine has been compromised.		Y
backdoor	Backdoor Trojan activity; the target machine may already be compromised.		Y
bad-traffic	Traffic that should never be seen on any network, such as TCP and UDP port 0 traffic, or a SYN packet to a multicast address.		Y
blacklist	URI, USER-AGENT, DNS, and IP address rules that have been determined (Reputation pre-processor) to be indicators of malicious activity.
botnet-cnc	Botnets.		Y
browser-chrome	Chrome browser vulnerabilities.
browser-chrome	This is separate from the browser-webkit category, as Chrome has enough vulnerabilities itself.
browser-firefox	Firefox browser vulnerabilities.
browser-firefox	Includes products that have the Gecko engine. (Thunderbird email client, etc).
browser-ie	Internet Explorer vulnerabilities.
browser-webkit	Webkit browser engine vulnerabilities.
browser-webkit	Includes Apple Safari, RIM mobile browser, Nokia, KDE, Webkit itself, and Palm. Does not include Chrome.
browser-other	Other browser vulnerabilities not listed above.
browser-plugins	Browser plugin vulnerabilities, such as Active-x.
chat	Chat programs, such as AIM, ICQ, and IRC, which may be against corporate policy.	Y	Y
content-replace	Any rule that utilizes the replace functionality inside of Snort.
ddos	Distributed denial of service (DDoS).		Y
deleted	Deprecated or super-seeded rules.		Y
dns	DNS, including detection of zone transfers.		Y
dos	Denial of service (DoS), including IGMP and teardrop attacks.		Y
experimental	Experimental rules, mostly where new types of rules are included. May be empty.		Y
exploit	Known generic exploits. An older category which will be deprecated soon.		Y
exploit-kit	Exploit kit activity.
exploit-kit	This does not include post-compromise rules (as those would be in indicator-compromise).
file-executable	Executable file vulnerabilities.
file-flash	Flash file vulnerabilities. Either compressed or uncompressed.
file-image	Images file vulnerabilities. (jpg, png, gif, bmp, etc).
file-identify	Identify files through file extension, the content in the file (file magic), or header found in the traffic.
file-identify	This information is usually used to then set a flowbit to be used in a different rule.
file-java	Java file vulnerabilities. (.jar)
file-multimedia	Multimedia file vulnerabilities. (mp3, movies, wmv)
file-office	Microsoft Office suite of software vulnerabilities. (Excel, PowerPoint, Word, Visio, Access, Outlook, etc)
file-pdf	PDF file vulnerabilities.
file-other	File vulnerabilities, that do not fit into the other categories.
finger	Finger service that runs by default on many Unix-based operating systems.		Y
ftp	FTP service.		Y
icmp	Pings specific to particular attack tools.		Y
icmp-info	For troubleshooting a specific ICMP problem on the network, but in general it just generates noise and should remain disabled.		Y
imap	IMAP email service.		Y
indicator-compromise	The detection of a positively compromised system; false positives may occur.
indicator-obfuscation	The detection of obfuscated content. Like encoded JavaScript rules.
indicator-shellcode	Detection of Shellcode. This replaces the old “shellcode.rules”.
indicator-scan	Detection of network scanning. This replaces the old “scan.rules”.
info	For troubleshooting.		Y
local	Local rules you create.
malware-backdoor	Detection of traffic destined to known listening backdoor command channels.
malware-cnc	Identified botnet traffic.
malware-other	Malware related, but do not fit into one of the other malware categories.
malware-tools	Malicious in nature.
misc	Miscellanious rules that do not fit easily into another category.		Y
multimedia	Streaming media.	Y	Y
mysql	Unusual and potentially malicious MySQL traffic.		Y
netbios	Administrative share access alerts on SMB and NetBIOS access.
nntp	NNTP (Network time protocol servers).		Y
oracle	Oracle database servers.		Y
os-linux	Vulnerabilities in Linux based OSes. Not for browsers or any other software on it, but simply against the OS itself.
os-solaris	Vulnerabilities in Solaris based OSes. Not for any browsers or any other software on top of the OS.
os-windows	Vulnerabilities in Windows based OSes. Not for any browsers or any other software on top of the OS.
os-mobile	Vulnerabilites in Mobile based OSes. Not for any browsers or any other software on the top of the OS.
os-other	Vulnerabilities in an OS that is not listed above.
other-ids	The use of other IDSs.		Y
p2p	The use of P2P (peer to peer software) protocols.	Y	Y
phishing-spam	Phishing spam.		Y
policy	Policy rules, including use of PC Anywhere and VNC traffic, or an anonymous FTP login.	Y	Y
policy-multimedia	Potential violations of policy for multimedia, such as the use of iTunes on the network.	Y
policy-multimedia	This is not for vulnerabilities found within multimedia files, as that would be in file-multimedia.	Y
policy-other	May violate the end-users corporate policy but do not fall into any of the other policy categories first.	Y
policy-social	Potential violations of policy on corporate networks for the use of social media. (p2p, chat, etc).	Y
policy-spam	Potential spam on the network.	Y
pop2	POP2 email service.		Y
pop3	POP3 email service.		Y
porn	Porn.	Y
protocol-dns	The presence of DNS protocol or vulnerabilities on the network.
protocol-finger	The presence of the finger protocol or vulnerabilities on the network.
protocol-ftp	The presence of the FTP protocol or vulnerabilities on the network.
protocol-icmp	The presence of ICMP traffic or vulnerabilities on the network.
protocol-imap	The presence of the IMAP protocol or vulnerabilities on the network.
protocol-nntp	The presence of the NNTP protocol or vulnerabilities on the network.
protocol-other	Potential vulnerabilties in protocols, that do not fit into one of the other “protocol” rule files.
protocol-pop	The presence of the POP protocol or vulnerabilities on the network.
protocol-rpc	The presence of the RPC protocol or vulnerabilities on the network.
protocol-scada	The presence of SCADA protocols or vulnerabilities on the network.
protocol-services	The presence of the rservices protocol or vulnerabilities on the network.
protocol-snmp	The presence of the SNMP protocol or vulnerabilities on the network.
protocol-telnet	The presence of the telnet protocol or vulnerabilities on the network.
protocol-tftp	The presence of the TFTP protocol or vulnerabilities on the network.
protocol-voip	The presence of VOIP services or vulnerabilities on the network.
pua-adware	Potentially Unwanted Applications (pau) that deal with adware or spyware.
pua-other	Potentially Unwanted Applications (pau) that do not fit into one of the “pau” categories.
pua-p2p	Potentially Unwanted Applications (pau) that deal with p2p.
pua-toolbars	Potentially Unwanted Applications (pau) that deal with toolbars installed on the client system. (Google Toolbar, Yahoo Toolbar, Hotbar, etc)
rpc	RPC (Remote Procedure Call).		Y
rservices	The use of rservices commands to control remote systems, including rlogin, rsh, and rexec.		Y
scada	Scada.		Y
scan	Network scanners, including port scanning, IP mapping, and various application scanners.		Y
server-apache	Apache Web Server.
server-iis	Microsoft IIS Web server.
server-mail	Mail servers. (Exchange, Courier).
server-mail	These are separate from the protocol categories, as those deal with the traffic going to the mail servers itself.
server-mssql	Microsoft SQL Server.
server-mysql	Oracle MySQL server.
server-oracle	Oracle DB Server.
server-other	Vulnerabilities or attacks against servers that are not detailed in other “server” categories.
server-samba	Samba Servers.
server-webapp	Web based applications on servers.
shellcode	Detects shellcode in the packet payload.		Y
shellcode	WARNING: Since these rules are designed the check the payloads of all traffic, they can cause a significant performance hit when enabled.
smtp	SMTP email service.		Y
snmp	SNMP traffic. SNMP is used to manage devices on a network.		Y
specific-threats	Specific-threats.		Y
spyware-put	Spyware.		Y
sql	SQL injection or other vulnerabilities against SQL like servers.
telnet	Telnet exploits and unpassword protected accounts.		Y
tftp	TFTP.		Y
virus	Virus.		Y
voip	VOIP.		Y
web-activex	ActiveX.		Y
web-attacks	Web servers and Web form variable vulnerabilities.		Y
web-cgi	CGI (Common Gateway Interface) which web servers use to execute external programs.		Y
web-client	Bad things coming from users, and attacks against web users.		Y
web-coldfusion	Coldfusion web application services.		Y
web-frontpage	Frontpage web authoring services.		Y
web-iis	Microsoft Internet Information Server (IIS) web servers.		Y
web-misc	Generic web attacks.		Y
web-php	Attacks against web servers running PHP applications.		Y
x11	X11 usage or other vulnerabilities against X11 like servers.		Y

References

https://www.snort.org/rules_explanation

https://blog.snort.org/2012/03/rule-category-reorganization.html