ids:rule_categories:snort_rule_set_categories
This is an old revision of the document!
IDS - Rule Categories - Snort Rule Set Categories
NOTE: Some signatures are not inherently malicious but may be of interest to organizations or for logging purposes.
Protects against attacks and exploits of:
| Category | Description |
|---|---|
| app-detect | Applications that generate network activity. |
| blacklist | URI, USER-AGENT, DNS, and IP address rules that have been determined to be indicators of malicious activity. |
| browser-chrome | Chrome browser vulnerabilities. |
| This is separate from the browser-webkit category, as Chrome has enough vulnerabilities itself. | |
| browser-firefox | Firefox browser vulnerabilities. |
| Includes products that have the Gecko engine. (Thunderbird email client, etc). | |
| browser-ie | Internet Explorer vulnerabilities. |
| browser-webkit | Webkit browser engine vulnerabilities. |
| Includes Apple Safari, RIM mobile browser, Nokia, KDE, Webkit itself, and Palm. Does not include Chrome. | |
| browser-other | Other browser vulnerabilities not listed above. |
| browser-plugins | Browser plugin vulnerabilities, such as Active-x. |
| content-replace | Any rule that utilizes the replace functionality inside of Snort. |
| deleted | Deprecated or superseeded rules. |
| exploit | An older category which will be deprecated soon. This category looks for exploits against software in a generic form. |
| exploit-kit | Exploit kit activity. |
| This does not include post-compromise rules (as those would be in indicator-compromise). | |
| file-executable | Executable file vulnerabilities. |
| file-flash | Flash file vulnerabilities. Either compressed or uncompressed. |
| file-image | Images file vulnerabilities. (jpg, png, gif, bmp, etc). |
| file-identify | Identify files through file extension, the content in the file (file magic), or header found in the traffic. |
| This information is usually used to then set a flowbit to be used in a different rule. | |
| file-java | Java file vulnerabilities. (.jar) |
| file-multimedia | Multimedia file vulnerabilities. (mp3, movies, wmv) |
| file-office | Microsoft Office suite of software vulnerabilities. (Excel, PowerPoint, Word, Visio, Access, Outlook, etc) |
| file-pdf | PDF file vulnerabilities. |
| file-other | File vulnerabilities, that do not fit into the other categories. |
| indicator-compromise | The detection of a positively compromised system; false positives may occur. |
| indicator-obfuscation | The detection of obfuscated content. Like encoded JavaScript rules. |
| indicator-shellcode | Detection of Shellcode. This replaces the old “shellcode.rules”. |
| indicator-scan | Detection of network scanning. This replaces the old “scan.rules”. |
| malware-backdoor | Detection of traffic destined to known listening backdoor command channels. |
| malware-cnc | Identified botnet traffic. |
| malware-tools | Malicious in nature. |
| malware-other | Malware related, but do not fit into one of the other malware categories. |
| os-linux | Vulnerabilities in Linux based OSes. Not for browsers or any other software on it, but simply against the OS itself. |
| os-solaris | Vulnerabilities in Solaris based OSes. Not for any browsers or any other software on top of the OS. |
| os-windows | Vulnerabilities in Windows based OSes. Not for any browsers or any other software on top of the OS. |
| os-mobile | Vulnerabilites in Mobile based OSes. Not for any browsers or any other software on the top of the OS. |
| os-other | Vulnerabilities in an OS that is not listed above. |
| policy-multimedia | Potential violations of policy for multimedia, such as the use of iTunes on the network. |
| This is not for vulnerabilities found within multimedia files, as that would be in file-multimedia. | |
| policy-social | Potential violations of policy on corporate networks for the use of social media. (p2p, chat, etc). |
| policy-spam | Potential spam on the network. |
| policy-other | May violate the end-users corporate policy but do not fall into any of the other policy categories first. |
| protocol-dns | The presence of DNS protocol or vulnerabilities on the network. |
| protocol-finger | The presence of the finger protocol or vulnerabilities on the network. |
| protocol-ftp | The presence of the FTP protocol or vulnerabilities on the network. |
| protocol-icmp | The presence of ICMP traffic or vulnerabilities on the network. |
| protocol-imap | The presence of the IMAP protocol or vulnerabilities on the network. |
| protocol-nntp | The presence of the NNTP protocol or vulnerabilities on the network. |
| protocol-pop | The presence of the POP protocol or vulnerabilities on the network. |
| protocol-rpc | The presence of the RPC protocol or vulnerabilities on the network. |
| protocol-scada | The presence of SCADA protocols or vulnerabilities on the network. |
| protocol-services | The presence of the rservices protocol or vulnerabilities on the network. |
| protocol-snmp | The presence of the SNMP protocol or vulnerabilities on the network. |
| protocol-telnet | The presence of the telnet protocol or vulnerabilities on the network. |
| protocol-tftp | The presence of the TFTP protocol or vulnerabilities on the network. |
| protocol-voip | The presence of VOIP services or vulnerabilities on the network. |
| protocol-other | Potential vulnerabilties in protocols, that do not fit into one of the other “protocol” rule files. |
| pua-adware | Potentially Unwanted Applications (pau) that deal with adware or spyware. |
| pua-p2p | Potentially Unwanted Applications (pau) that deal with p2p. |
| pua-toolbars | Potentially Unwanted Applications (pau) that deal with toolbars installed on the client system. (Google Toolbar, Yahoo Toolbar, Hotbar, etc) |
| pua-other | Potentially Unwanted Applications (pau) that do not fit into one of the categories shown above. |
| server-apache | Apache Web Server. |
| server-iis | Microsoft IIS Web server. |
| server-mssql | Microsoft SQL Server. |
| server-mysql | Oracle MySQL server. |
| server-oracle | Oracle DB Server. |
| server-samba | Samba Servers. |
| server-webapp | Web based applications on servers. |
| server-mail | Mail servers. (Exchange, Courier). |
| These are separate from the protocol categories, as those deal with the traffic going to the mail servers itself. | |
| server-other | Vulnerabilities or attacks against servers that are not detailed in the above list. |
| sql | SQL injection or other vulnerabilities against SQL like servers. |
| x11 | X11 usage or other vulnerabilities against X11 like servers. |
References
ids/rule_categories/snort_rule_set_categories.1626791388.txt.gz · Last modified: 2021/07/20 14:29 by peter