IDS - Rule Categories - Snort Rule Set Categories
NOTE: Some signatures are not inherently malicious but may be of interest to organizations or for logging purposes.
Protects against attacks and exploits of:
Category | Description |
---|---|
app-detect | Applications that generate network activity. |
attack-responses | Usually occur after a machine has been compromised. |
backdoor | Trojan activity; the target machine may already be compromised. |
bad-traffic | Traffic that should never be seen on any network. |
blacklist | URI, USER-AGENT, DNS, and IP address rules that have been determined (Reputation pre-processor) to be indicators of malicious activity. |
botnet-cnc | Botnets. |
browser-chrome | Chrome browser vulnerabilities. This is separate from the browser-webkit category, as Chrome has enough vulnerabilities of its own. |
browser-firefox | Firefox browser vulnerabilities. Includes products that use the Gecko engine (Thunderbird email client, etc.). |
browser-ie | Internet Explorer vulnerabilities. |
browser-webkit | WebKit browser engine vulnerabilities. Includes Apple Safari, RIM mobile browser, Nokia, KDE, WebKit itself, and Palm. Does not include Chrome. |
browser-other | Other browser vulnerabilities not listed above. |
browser-plugins | Browser plugin vulnerabilities, such as Active-x. |
chat | Chat programs, such as AIM, ICQ, and IRC, which may be against corporate policy. |
content-replace | Any rule that utilizes the replace functionality inside of Snort. |
ddos | Distributed denial of service (DDoS). |
deleted | Deprecated or superseded rules. |
dos | Denial of service (DoS). |
experimental | Experimental rules. |
exploit | An older category which will be deprecated soon. This category looks for exploits against software in a generic form. |
exploit-kit | Exploit kit activity. This does not include post-compromise rules (those belong in indicator-compromise). |
file-executable | Executable file vulnerabilities. |
file-flash | Flash file vulnerabilities. Either compressed or uncompressed. |
file-image | Image file vulnerabilities (jpg, png, gif, bmp, etc.). |
file-identify | Identify files through file extension, the content in the file (file magic), or a header found in the traffic. This information is usually used to set a flowbit that is then checked by a different rule. |
file-java | Java file vulnerabilities. (.jar) |
file-multimedia | Multimedia file vulnerabilities. (mp3, movies, wmv) |
file-office | Microsoft Office suite of software vulnerabilities. (Excel, PowerPoint, Word, Visio, Access, Outlook, etc) |
file-pdf | PDF file vulnerabilities. |
file-other | File vulnerabilities, that do not fit into the other categories. |
indicator-compromise | The detection of a positively compromised system; false positives may occur. |
indicator-obfuscation | The detection of obfuscated content, such as encoded JavaScript. |
indicator-shellcode | Detection of Shellcode. This replaces the old “shellcode.rules”. |
indicator-scan | Detection of network scanning. This replaces the old “scan.rules”. |
local | Local rules. |
malware-backdoor | Detection of traffic destined to known listening backdoor command channels. |
malware-cnc | Identified botnet traffic. |
malware-other | Malware-related rules that do not fit into one of the other malware categories. |
malware-tools | Malicious in nature. |
misc | Web miscellaneous. |
multimedia | Streaming media may be a violation of corporate policies. |
mysql | Unusual and potentially malicious mysql traffic. |
netbios | Netbios. |
nntp | NNTP. |
oracle | Oracle. |
os-linux | Vulnerabilities in Linux based OSes. Not for browsers or any other software on it, but simply against the OS itself. |
os-solaris | Vulnerabilities in Solaris based OSes. Not for any browsers or any other software on top of the OS. |
os-windows | Vulnerabilities in Windows based OSes. Not for any browsers or any other software on top of the OS. |
os-mobile | Vulnerabilities in mobile OSes. Not for any browsers or any other software on top of the OS. |
os-other | Vulnerabilities in an OS that is not listed above. |
other-ids | The use of other IDSs. |
p2p | The use of P2P protocols, which are usually against corporate policy. |
phishing-spam | Phishing spam. |
policy | Policy rules, which are usually against corporate policy. |
policy-multimedia | Potential violations of policy for multimedia, such as the use of iTunes on the network. This is not for vulnerabilities found within multimedia files, as those belong in file-multimedia. |
policy-other | Rules that may violate the end user's corporate policy but do not fall into any of the other policy categories. |
policy-social | Potential violations of policy on corporate networks for the use of social media. (p2p, chat, etc). |
policy-spam | Potential spam on the network. |
pop2 | POP2 rules. |
pop3 | POP3 rules. |
protocol-dns | The presence of DNS protocol or vulnerabilities on the network. |
protocol-finger | The presence of the finger protocol or vulnerabilities on the network. |
protocol-ftp | The presence of the FTP protocol or vulnerabilities on the network. |
protocol-icmp | The presence of ICMP traffic or vulnerabilities on the network. |
protocol-imap | The presence of the IMAP protocol or vulnerabilities on the network. |
protocol-nntp | The presence of the NNTP protocol or vulnerabilities on the network. |
protocol-other | Potential vulnerabilities in protocols that do not fit into one of the other “protocol” rule files. |
protocol-pop | The presence of the POP protocol or vulnerabilities on the network. |
protocol-rpc | The presence of the RPC protocol or vulnerabilities on the network. |
protocol-scada | The presence of SCADA protocols or vulnerabilities on the network. |
protocol-services | The presence of the rservices protocol or vulnerabilities on the network. |
protocol-snmp | The presence of the SNMP protocol or vulnerabilities on the network. |
protocol-telnet | The presence of the telnet protocol or vulnerabilities on the network. |
protocol-tftp | The presence of the TFTP protocol or vulnerabilities on the network. |
protocol-voip | The presence of VOIP services or vulnerabilities on the network. |
pua-adware | Potentially Unwanted Applications (PUA) that deal with adware or spyware. |
pua-other | Potentially Unwanted Applications (PUA) that do not fit into one of the other “pua” categories. |
pua-p2p | Potentially Unwanted Applications (PUA) that deal with P2P. |
pua-toolbars | Potentially Unwanted Applications (PUA) that deal with toolbars installed on the client system (Google Toolbar, Yahoo Toolbar, Hotbar, etc.). |
rpc | RPC (Remote Procedure Call). |
rservices | MS SQL Server R Services. |
scada | Scada. |
scan | Network scanners, including port scanning, IP mapping, and various application scanners. |
server-apache | Apache Web Server. |
server-iis | Microsoft IIS Web server. |
server-mail | Mail servers (Exchange, Courier). These are separate from the protocol categories, as those deal with the traffic going to the mail servers themselves. |
server-mssql | Microsoft SQL Server. |
server-mysql | Oracle MySQL server. |
server-oracle | Oracle DB Server. |
server-other | Vulnerabilities or attacks against servers that are not detailed in other “server” categories. |
server-samba | Samba Servers. |
server-webapp | Web based applications on servers. |
shellcode | Attempt is made to execute shellcode. |
smtp | SMTP. |
snmp | SNMP. |
specific-threats | |
spyware-put | Spyware. |
sql | SQL injection or other vulnerabilities against SQL like servers. |
telnet | Various telnet exploits and accounts without password protection. |
tftp | DEPRECATED RULES. TFTP. |
virus | Virus. |
voip | VOIP. |
web-activex | ActiveX. |
web-attacks | Web form variable vulnerabilities. |
web-cgi | CGI (Common Gateway Interface) which web servers use to execute external programs. |
web-client | Bad things coming from users, and attacks against web users. |
web-coldfusion | Coldfusion web application services. |
web-frontpage | Frontpage web authoring services. |
web-iis | Microsoft Internet Information Server (IIS) web servers. |
web-misc | Generic web attacks. |
web-php | Attacks against web servers running PHP applications (primarily runs on Apache, but it is possible to run on IIS). |
x11 | X11 usage or other vulnerabilities against X11 like servers. |
ids/rule_categories/snort_rule_set_categories.1627125425.txt.gz · Last modified: 2021/07/24 11:17 by peter