ids:emerging_threats:emerging_threat_categories, revision 2021/07/20 13:00 by peter (the page was removed in the 2021/07/20 13:45 revision by peter)
====== IDS - Emerging Threats - Emerging Threat Categories ======

The Emerging Threats rule categories and the attacks and exploits they protect against:

^ Category ^ Description ^ Includes Non-Malicious Logging ^ Reference ^
| 3CORESec | Generated automatically from the 3CORESec team IP block lists; based on malicious activity from their honeypots. | | https://blacklist.3coresec.net/lists/et-open.txt |
| ActiveX | Microsoft ActiveX controls. | | |
| Adware-PUP | Ad-tracking and spyware related activity. | | |
| Attack Response | Identifies responses indicative of intrusion, such as an LMHost file download, the presence of certain web banners and the detection of the Metasploit Meterpreter kill command. | | |
| Botcc (Bot Command and Control) | Auto-generated from several sources of known and confirmed active botnet and other Command and Control (C2) hosts. | | https://www.shadowserver.org |
| Botcc Portgrouped | Similar to the Botcc category but grouped by destination port. Rules grouped by port can offer higher fidelity than those not grouped by port. | | |
| Chat | Chat clients such as Internet Relay Chat (IRC). | | |
| CIArmy | Generated using Collective Intelligence IP blocking rules. | | https://www.cinsscore.com |
| Coinmining | Malware which performs coin mining. | | |
| Compromised | Known compromised hosts; updated daily from several private but highly reliable data sources. | | |
| ::: | **WARNING:** This category can add significant processing load. In a high-capacity situation it is recommended to use the Botcc rules instead. | | |
| Current Events | In response to active and short-lived campaigns and high-profile items that are expected to be temporary, such as fraud campaigns related to disasters. | | |
| ::: | The rules in this category are not intended to be kept in the ruleset for long. | | |
| Deleted | Signatures removed from a rule set, often because they were problematic, duplicated or superseded. | | |
| DNS | Attacks and vulnerabilities regarding Domain Name Service (DNS), including tunneling. | | |
| DOS | Denial of Service (DoS) attempts. | | |
| Drop | Blocks IP addresses on the Spamhaus DROP (Do not Route or Peer) list, which is updated daily. | | https://www.spamhaus.org |
| DShield | Attackers identified by DShield; updated daily from the DShield top attackers list, which is very reliable. | | https://www.dshield.org |
| Exploit | Direct exploits not otherwise covered in a specific service category, including vulnerabilities against Microsoft Windows. | | |
| ::: | Attacks that have a dedicated category, such as SQL injection, are placed in that category instead. | | |
| Exploit-Kit | Activity related to Exploit Kits. | | |
| FTP | Attacks, exploits and vulnerabilities regarding File Transfer Protocol (FTP). | | |
| Games | Gaming traffic and attacks against those games. | | |
| ::: | Includes many popular online games; while these games and their traffic are not malicious, they are often unwanted and prohibited by policy on corporate networks. | | |
| Hunting | Threat hunting in an environment. | | |
| ::: | These rules can produce false positives on legitimate traffic and inhibit performance. They are only recommended for use when actively researching potential threats in the environment. | | |
| ICMP | Internet Control Message Protocol (ICMP). | | |
| ICMP_info | ICMP protocol specific events, typically associated with normal operations, for logging purposes. | Yes | |
| IMAP | Internet Message Access Protocol (IMAP). | Yes | |
| ::: | Includes rules that detect non-malicious IMAP activity for logging purposes. | | |
| Inappropriate | Sites that are pornographic or otherwise not appropriate for a work environment. | | |
| ::: | **WARNING:** This category can have a significant performance impact and a high rate of false positives. | | |
| Info | Helps provide audit level events that are useful for correlation and for identifying interesting activity which may not be inherently malicious but is often observed in malware and other threats. | | |
| ::: | Example: downloading an executable over HTTP by IP address rather than by domain name. | | |
| JA3 | Fingerprints malicious SSL certificates using JA3 hashes. | | |
| ::: | Based on parameters that are in the SSL handshake negotiation by both clients and servers. | | |
| ::: | **WARNING:** These rules can have a high false positive rate but can be very useful for threat hunting or malware detonation. | | |
| Malware | Malicious software. | | |
| Misc | Not covered in other categories. | | |
| Mobile Malware | Malware associated with mobile and tablet operating systems. | | |
| ::: | Malware associated with mobile operating systems will generally be placed in this category rather than in the standard categories such as Malware. | | |
| NETBIOS | NetBIOS. | Yes | |
| ::: | Includes rules that detect non-malicious NetBIOS activity for logging purposes. | | |
| P2P | Peer-to-Peer (P2P), including torrents, eDonkey, BitTorrent, Gnutella and LimeWire among others. | | |
| ::: | P2P traffic is not inherently malicious but is often of note for enterprises. | | |
| Phishing | Phishing activity. | | |
| Policy | May indicate violations of an organization's policies. | | |
| POP3 | Post Office Protocol 3.0 (POP3). | Yes | |
| ::: | This category also includes rules that detect non-malicious POP3 activity for logging purposes. | | |
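The table flags several categories (Compromised, Inappropriate, JA3, Hunting, Current Events) as costly or false-positive prone, so an operator usually wants to see which rules in a downloaded ruleset fall into them before enabling everything. The script below is an added example, not code from this wiki or from Emerging Threats: it parses the ''msg'', ''sid'' and ''classtype'' options of Suricata-format rules, derives the category from the ''ET <CATEGORY>'' prefix that ET rule messages carry (assumed here; multi-word categories are assumed to use underscores, e.g. ''CURRENT_EVENTS''), and lists the rules whose category carries a warning in the table. The rule text and sids are constructed for the example and are not real ET signatures.

```python
"""Triage Emerging Threats rules by category before enabling them.

Added example (not from the wiki page or from Emerging Threats). Assumes
ET rule messages start with "ET <CATEGORY>" (or "ETPRO <CATEGORY>") and
that multi-word categories use underscores. All rules below are
constructed; sids in the 9000000 range are placeholders.
"""
import re
from collections import Counter

# Warnings taken from the category table; constructed mapping, keyed by
# the category token as it appears in the msg prefix.
CATEGORY_NOTES = {
    "COMPROMISED": "significant processing load; prefer Botcc in high-capacity deployments",
    "INAPPROPRIATE": "significant performance impact and high false-positive rate",
    "JA3": "high false-positive rate; useful for threat hunting or malware detonation",
    "HUNTING": "false positives on legitimate traffic; only while actively hunting",
    "CURRENT_EVENTS": "short-lived campaign rules; not meant to stay in the ruleset",
}

# Constructed sample rules in Suricata syntax (sids are placeholders).
SAMPLE_RULES = r'''
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_server; classtype:policy-violation; sid:9000001; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspicious Client Hello"; ja3.hash; content:"abc"; classtype:unknown; sid:9000002; rev:1;)
# comment line, ignored by the parser
alert ip $HOME_NET any -> [198.51.100.7] any (msg:"ET COMPROMISED Known Compromised Host Traffic"; classtype:misc-attack; sid:9000003; rev:2;)
alert dns $HOME_NET any -> any any (msg:"ET HUNTING Long TXT query"; dns.query; content:"x"; classtype:bad-unknown; sid:9000004; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible IIS buffer overflow attempt"; classtype:attempted-admin; sid:9000005; rev:1;)
'''

# Matches msg:"..."; sid:N; classtype:x; as rule options (quoted or bare value).
OPTION_RE = re.compile(r'(?<![A-Za-z_])(msg|sid|classtype):\s*(?:"([^"]*)"|([^;]*));')
# First token after the ET/ETPRO prefix is the category.
ET_PREFIX_RE = re.compile(r'^ET(?:PRO)?\s+([A-Z0-9_]+)')


def parse_rules(text):
    """Return a list of dicts (sid, msg, classtype, category) for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        opts = {}
        for m in OPTION_RE.finditer(line):
            key, quoted, bare = m.groups()
            opts[key] = quoted if quoted is not None else bare.strip()
        if "sid" not in opts or "msg" not in opts:
            continue  # not a complete rule line; skip rather than guess
        cat = ET_PREFIX_RE.match(opts["msg"])
        rules.append({
            "sid": int(opts["sid"]),
            "msg": opts["msg"],
            "classtype": opts.get("classtype", ""),
            "category": cat.group(1) if cat else "UNKNOWN",
        })
    return rules


def summarize(rules):
    """Count rules per ET category."""
    return Counter(r["category"] for r in rules)


def flag_rules(rules, notes=CATEGORY_NOTES):
    """Return (sid, category, note) for rules in categories the table warns about."""
    return [(r["sid"], r["category"], notes[r["category"]])
            for r in rules if r["category"] in notes]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for category, count in sorted(summarize(parsed).items()):
        print(f"{category:<16} {count}")
    for sid, category, note in flag_rules(parsed):
        print(f"review sid {sid} ({category}): {note}")
```

Run it against a real ''emerging-all.rules'' by replacing ''SAMPLE_RULES'' with the file contents; the flagged list is the set to review (or feed to a disable list) before the ruleset goes live on a high-throughput sensor.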

----

===== References =====

https://tools.emergingthreats.net/docs/ETPro%20Rule%20Categories.pdf