This is an old revision of the document!

IDS - Rule Categories - Snort Rule Set Categories

NOTE: Some signatures are not inherently malicious but may be of interest to organizations or for logging purposes.

Policy: Are policy-based rules, so can be not used is not against company policy.
Depreciated: Abandoned and depreciated rules.

Protects against attacks and exploits of:

Category	Description	Policy	Depreciated
app-detect	Applications that generate network activity.
attack-responses	Usually occurs after a machine has been compromised.		Y
backdoor	Backdoor Trojan activity; the target machine may already be compromised.		Y
bad-traffic	Traffic that should never be seen on any network, such as TCP and UDP port 0 traffic, or a SYN packet to a multicast address.		Y
blacklist	URI, USER-AGENT, DNS, and IP address rules that have been determined (Reputation pre-processor) to be indicators of malicious activity.
botnet-cnc	Botnets.
browser-chrome	Chrome browser vulnerabilities.
browser-chrome	This is separate from the browser-webkit category, as Chrome has enough vulnerabilities itself.
browser-firefox	Firefox browser vulnerabilities.
browser-firefox	Includes products that have the Gecko engine. (Thunderbird email client, etc).
browser-ie	Internet Explorer vulnerabilities.
browser-webkit	Webkit browser engine vulnerabilities.
browser-webkit	Includes Apple Safari, RIM mobile browser, Nokia, KDE, Webkit itself, and Palm. Does not include Chrome.
browser-other	Other browser vulnerabilities not listed above.
browser-plugins	Browser plugin vulnerabilities, such as Active-x.
chat	Chat programs, such as AIM, ICQ, and IRC, which may be against corporate policy.	Y
content-replace	Any rule that utilizes the replace functionality inside of Snort.
ddos	Distributed denial of service (DDoS).
deleted	Deprecated or super-seeded rules.
dns	DNS, including detection of zone transfers.
dos	Denial of service (DoS), including IGMP and teardrop attacks.
experimental	Experimental rules, mostly where new types of rules are included. May be empty.
exploit	Known generic exploits. An older category which will be deprecated soon.
exploit-kit	Exploit kit activity.
exploit-kit	This does not include post-compromise rules (as those would be in indicator-compromise).
file-executable	Executable file vulnerabilities.
file-flash	Flash file vulnerabilities. Either compressed or uncompressed.
file-image	Images file vulnerabilities. (jpg, png, gif, bmp, etc).
file-identify	Identify files through file extension, the content in the file (file magic), or header found in the traffic.
file-identify	This information is usually used to then set a flowbit to be used in a different rule.
file-java	Java file vulnerabilities. (.jar)
file-multimedia	Multimedia file vulnerabilities. (mp3, movies, wmv)
file-office	Microsoft Office suite of software vulnerabilities. (Excel, PowerPoint, Word, Visio, Access, Outlook, etc)
file-pdf	PDF file vulnerabilities.
file-other	File vulnerabilities, that do not fit into the other categories.
finger	Finger service that runs by default on many Unix-based operating systems.
ftp	FTP service.
icmp-info	For troubleshooting a specific ICMP problem on the network, but in general it just generates noise and should remain disabled.
icmp	Pings specific to particular attack tools.
imap	IMAP email service.
indicator-compromise	The detection of a positively compromised system; false positives may occur.
indicator-obfuscation	The detection of obfuscated content. Like encoded JavaScript rules.
indicator-shellcode	Detection of Shellcode. This replaces the old “shellcode.rules”.
indicator-scan	Detection of network scanning. This replaces the old “scan.rules”.
info	For troubleshooting.
local	Local rules you create.
malware-backdoor	Detection of traffic destined to known listening backdoor command channels.
malware-cnc	Identified botnet traffic.
malware-other	Malware related, but do not fit into one of the other malware categories.
malware-tools	Malicious in nature.
misc	Miscellanious rules that do not fit easily into another category.
multimedia	Streaming media.	Y
mysql	Unusual and potentially malicious MySQL traffic.
netbios	Administrative share access alerts on SMB and NetBIOS access.
nntp	NNTP (Network time protocol servers).
oracle	Oracle database servers.
os-linux	Vulnerabilities in Linux based OSes. Not for browsers or any other software on it, but simply against the OS itself.
os-solaris	Vulnerabilities in Solaris based OSes. Not for any browsers or any other software on top of the OS.
os-windows	Vulnerabilities in Windows based OSes. Not for any browsers or any other software on top of the OS.
os-mobile	Vulnerabilites in Mobile based OSes. Not for any browsers or any other software on the top of the OS.
os-other	Vulnerabilities in an OS that is not listed above.
other-ids	The use of other IDSs.
p2p	The use of P2P (peer to peer software) protocols.	Y
phishing-spam	Phishing spam.
policy	Policy rules, including use of PC Anywhere and VNC traffic, or an anonymous FTP login.	Y
policy-multimedia	Potential violations of policy for multimedia, such as the use of iTunes on the network.	Y
policy-multimedia	This is not for vulnerabilities found within multimedia files, as that would be in file-multimedia.	Y
policy-other	May violate the end-users corporate policy but do not fall into any of the other policy categories first.	Y
policy-social	Potential violations of policy on corporate networks for the use of social media. (p2p, chat, etc).	Y
policy-spam	Potential spam on the network.	Y
pop2	POP2 email service.
pop3	POP3 email service.
porn	Porn.	Y
protocol-dns	The presence of DNS protocol or vulnerabilities on the network.
protocol-finger	The presence of the finger protocol or vulnerabilities on the network.
protocol-ftp	The presence of the FTP protocol or vulnerabilities on the network.
protocol-icmp	The presence of ICMP traffic or vulnerabilities on the network.
protocol-imap	The presence of the IMAP protocol or vulnerabilities on the network.
protocol-nntp	The presence of the NNTP protocol or vulnerabilities on the network.
protocol-other	Potential vulnerabilties in protocols, that do not fit into one of the other “protocol” rule files.
protocol-pop	The presence of the POP protocol or vulnerabilities on the network.
protocol-rpc	The presence of the RPC protocol or vulnerabilities on the network.
protocol-scada	The presence of SCADA protocols or vulnerabilities on the network.
protocol-services	The presence of the rservices protocol or vulnerabilities on the network.
protocol-snmp	The presence of the SNMP protocol or vulnerabilities on the network.
protocol-telnet	The presence of the telnet protocol or vulnerabilities on the network.
protocol-tftp	The presence of the TFTP protocol or vulnerabilities on the network.
protocol-voip	The presence of VOIP services or vulnerabilities on the network.
pua-adware	Potentially Unwanted Applications (pau) that deal with adware or spyware.
pua-other	Potentially Unwanted Applications (pau) that do not fit into one of the “pau” categories.
pua-p2p	Potentially Unwanted Applications (pau) that deal with p2p.
pua-toolbars	Potentially Unwanted Applications (pau) that deal with toolbars installed on the client system. (Google Toolbar, Yahoo Toolbar, Hotbar, etc)
rpc	RPC (Remote Procedure Call).
rservices	The use of rservices commands to control remote systems, including rlogin, rsh, and rexec.
scada	Scada.
scan	Network scanners, including port scanning, IP mapping, and various application scanners.
server-apache	Apache Web Server.
server-iis	Microsoft IIS Web server.
server-mail	Mail servers. (Exchange, Courier).
server-mail	These are separate from the protocol categories, as those deal with the traffic going to the mail servers itself.
server-mssql	Microsoft SQL Server.
server-mysql	Oracle MySQL server.
server-oracle	Oracle DB Server.
server-other	Vulnerabilities or attacks against servers that are not detailed in other “server” categories.
server-samba	Samba Servers.
server-webapp	Web based applications on servers.
shellcode	Detects shellcode in the packet payload.
shellcode	WARNING: Since these rules are designed the check the payloads of all traffic, they can cause a significant performance hit when enabled.
smtp	SMTP email service.
snmp	SNMP traffic. SNMP is used to manage devices on a network.
specific-threats
spyware-put	Spyware.
sql	SQL injection or other vulnerabilities against SQL like servers.
telnet	Telnet exploits and unpassword protected accounts.
tftp	DEPRECIATED RULES. TFTP.
virus	Virus. This rule set is not being actively maintained and the rules really just watch for a variety of file extensions transmitted in email traffic.
virus	The real virus signatures are located within specific service rules now.
voip	VOIP.
web-activex	ActiveX.
web-attacks	Web servers and Web form variable vulnerabilities.
web-cgi	CGI (Common Gateway Interface) which web servers use to execute external programs.
web-client	Bad things coming from users, and attacks against web users.
web-coldfusion	Coldfusion web application services.
web-frontpage	Frontpage web authoring services.
web-iis	Microsoft Internet Information Server (IIS) web servers.
web-misc	Generic web attacks.
web-php	Attacks against web servers running PHP applications.
x11	X11 usage or other vulnerabilities against X11 like servers.

References

https://www.snort.org/rules_explanation

https://blog.snort.org/2012/03/rule-category-reorganization.html