IDS - Rule Categories - Snort Rule Set Categories
NOTE: Some signatures are not inherently malicious but may be of interest to organizations or for logging purposes.
Protects against attacks and exploits of:
Category | Description | Policy |
---|---|---|
app-detect | Applications that generate network activity. | |
attack-responses | Usually occurs after a machine has been compromised. | |
backdoor | Backdoor Trojan activity; the target machine may already be compromised. | |
bad-traffic | Traffic that should never be seen on any network, such as TCP and UDP port 0 traffic, or a SYN packet to a multicast address. | |
blacklist | URI, USER-AGENT, DNS, and IP address rules that have been determined (Reputation pre-processor) to be indicators of malicious activity. | |
botnet-cnc | Botnets. | |
browser-chrome | Chrome browser vulnerabilities. This is separate from the browser-webkit category, as Chrome has enough vulnerabilities itself. | |
browser-firefox | Firefox browser vulnerabilities. Includes products that have the Gecko engine (Thunderbird email client, etc). | |
browser-ie | Internet Explorer vulnerabilities. | |
browser-webkit | Webkit browser engine vulnerabilities. Includes Apple Safari, RIM mobile browser, Nokia, KDE, Webkit itself, and Palm. Does not include Chrome. | |
browser-other | Other browser vulnerabilities not listed above. | |
browser-plugins | Browser plugin vulnerabilities, such as Active-x. | |
chat | Chat programs, such as AIM, ICQ, and IRC, which may be against corporate policy. | Y |
content-replace | Any rule that utilizes the replace functionality inside of Snort. | |
ddos | Distributed denial of service (DDoS). | |
deleted | Deprecated or superseded rules. | |
dns | DNS, including detection of zone transfers. | |
dos | Denial of service (DoS), including IGMP and teardrop attacks. | |
experimental | Experimental rules, mostly where new types of rules are included. May be empty. | |
exploit | Known generic exploits. An older category which will be deprecated soon. | |
exploit-kit | Exploit kit activity. This does not include post-compromise rules (as those would be in indicator-compromise). | |
file-executable | Executable file vulnerabilities. | |
file-flash | Flash file vulnerabilities. Either compressed or uncompressed. | |
file-image | Image file vulnerabilities (jpg, png, gif, bmp, etc). | |
file-identify | Identify files through file extension, the content in the file (file magic), or a header found in the traffic. This information is usually used to then set a flowbit to be used in a different rule. | |
file-java | Java file vulnerabilities. (.jar) | |
file-multimedia | Multimedia file vulnerabilities. (mp3, movies, wmv) | |
file-office | Microsoft Office suite of software vulnerabilities. (Excel, PowerPoint, Word, Visio, Access, Outlook, etc) | |
file-pdf | PDF file vulnerabilities. | |
file-other | File vulnerabilities that do not fit into the other file categories. | |
finger | Finger service that runs by default on many Unix-based operating systems. | |
ftp | FTP service. | |
icmp-info | For troubleshooting a specific ICMP problem on the network, but in general it just generates noise and should remain disabled. | |
icmp | Pings specific to particular attack tools. | |
imap | IMAP email service. | |
indicator-compromise | The detection of a positively compromised system; false positives may occur. | |
indicator-obfuscation | The detection of obfuscated content, such as encoded JavaScript. | |
indicator-shellcode | Detection of Shellcode. This replaces the old “shellcode.rules”. | |
indicator-scan | Detection of network scanning. This replaces the old “scan.rules”. | |
info | For troubleshooting. | |
local | Local rules you create. | |
malware-backdoor | Detection of traffic destined to known listening backdoor command channels. | |
malware-cnc | Identified botnet traffic. | |
malware-other | Malware-related rules that do not fit into one of the other malware categories. | |
malware-tools | Malicious in nature. | |
misc | Miscellaneous rules that do not fit easily into another category. | |
multimedia | Streaming media. | Y |
mysql | Unusual and potentially malicious MySQL traffic. | |
netbios | Administrative share access alerts on SMB and NetBIOS access. | |
nntp | NNTP (Network News Transfer Protocol) servers. | |
oracle | Oracle database servers. | |
os-linux | Vulnerabilities in Linux based OSes. Not for browsers or any other software on it, but simply against the OS itself. | |
os-solaris | Vulnerabilities in Solaris based OSes. Not for any browsers or any other software on top of the OS. | |
os-windows | Vulnerabilities in Windows based OSes. Not for any browsers or any other software on top of the OS. | |
os-mobile | Vulnerabilities in Mobile based OSes. Not for any browsers or any other software on top of the OS. | |
os-other | Vulnerabilities in an OS that is not listed above. | |
other-ids | The use of other IDSs. | |
p2p | The use of P2P (peer to peer software) protocols. | Y |
phishing-spam | Phishing spam. | |
policy | Policy rules, including use of PC Anywhere and VNC traffic, or an anonymous FTP login. | Y |
policy-multimedia | Potential violations of policy for multimedia, such as the use of iTunes on the network. This is not for vulnerabilities found within multimedia files, as that would be in file-multimedia. | Y |
policy-other | Traffic that may violate the end user's corporate policy but does not fall into any of the other policy categories. | Y |
policy-social | Potential violations of policy on corporate networks for the use of social media. (p2p, chat, etc). | Y |
policy-spam | Potential spam on the network. | Y |
pop2 | POP2 email service. | |
pop3 | POP3 email service. | |
porn | Porn. | Y |
protocol-dns | The presence of DNS protocol or vulnerabilities on the network. | |
protocol-finger | The presence of the finger protocol or vulnerabilities on the network. | |
protocol-ftp | The presence of the FTP protocol or vulnerabilities on the network. | |
protocol-icmp | The presence of ICMP traffic or vulnerabilities on the network. | |
protocol-imap | The presence of the IMAP protocol or vulnerabilities on the network. | |
protocol-nntp | The presence of the NNTP protocol or vulnerabilities on the network. | |
protocol-other | Potential vulnerabilities in protocols that do not fit into one of the other “protocol” rule files. | |
protocol-pop | The presence of the POP protocol or vulnerabilities on the network. | |
protocol-rpc | The presence of the RPC protocol or vulnerabilities on the network. | |
protocol-scada | The presence of SCADA protocols or vulnerabilities on the network. | |
protocol-services | The presence of the rservices protocol or vulnerabilities on the network. | |
protocol-snmp | The presence of the SNMP protocol or vulnerabilities on the network. | |
protocol-telnet | The presence of the telnet protocol or vulnerabilities on the network. | |
protocol-tftp | The presence of the TFTP protocol or vulnerabilities on the network. | |
protocol-voip | The presence of VOIP services or vulnerabilities on the network. | |
pua-adware | Potentially Unwanted Applications (PUA) that deal with adware or spyware. | |
pua-other | Potentially Unwanted Applications (PUA) that do not fit into one of the other “pua” categories. | |
pua-p2p | Potentially Unwanted Applications (PUA) that deal with p2p. | |
pua-toolbars | Potentially Unwanted Applications (PUA) that deal with toolbars installed on the client system (Google Toolbar, Yahoo Toolbar, Hotbar, etc). | |
rpc | RPC (Remote Procedure Call). | |
rservices | The use of rservices commands to control remote systems, including rlogin, rsh, and rexec. | |
scada | Scada. | |
scan | Network scanners, including port scanning, IP mapping, and various application scanners. | |
server-apache | Apache Web Server. | |
server-iis | Microsoft IIS Web server. | |
server-mail | Mail servers (Exchange, Courier). These are separate from the protocol categories, as those deal with the traffic going to the mail servers itself. | |
server-mssql | Microsoft SQL Server. | |
server-mysql | Oracle MySQL server. | |
server-oracle | Oracle DB Server. | |
server-other | Vulnerabilities or attacks against servers that are not detailed in other “server” categories. | |
server-samba | Samba Servers. | |
server-webapp | Web based applications on servers. | |
shellcode | Detects shellcode in the packet payload. WARNING: Since these rules are designed to check the payloads of all traffic, they can cause a significant performance hit when enabled. | |
smtp | SMTP email service. | |
snmp | SNMP traffic. SNMP is used to manage devices on a network. | |
specific-threats | | |
spyware-put | Spyware. | |
sql | SQL injection or other vulnerabilities against SQL like servers. | |
telnet | Telnet exploits and accounts that are not password protected. | |
tftp | DEPRECATED RULES. TFTP. | |
virus | Virus. This rule set is not being actively maintained and the rules really just watch for a variety of file extensions transmitted in email traffic. The real virus signatures are located within the specific service's rule sets now. | |
voip | VOIP. | |
web-activex | ActiveX. | |
web-attacks | Web servers and Web form variable vulnerabilities. | |
web-cgi | CGI (Common Gateway Interface) which web servers use to execute external programs. | |
web-client | Bad things coming from users, and attacks against web users. | |
web-coldfusion | Coldfusion web application services. | |
web-frontpage | Frontpage web authoring services. | |
web-iis | Microsoft Internet Information Server (IIS) web servers. | |
web-misc | Generic web attacks. | |
web-php | Attacks against web servers running PHP applications. | |
x11 | X11 usage or other vulnerabilities against X11 like servers. | |
ids/rule_categories/snort_rule_set_categories.1627127883.txt.gz · Last modified: 2021/07/24 11:58 by peter