ids:emerging_threats:emerging_threat_categories
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revision | |||
| ids:emerging_threats:emerging_threat_categories [2021/07/20 13:21] – peter | ids:emerging_threats:emerging_threat_categories [2021/07/20 13:45] (current) – removed peter | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== IDS - Emerging Threats - Emerging Threat Categories ====== | ||
| - | <WRAP info> | ||
| - | **NOTE: | ||
| - | </ | ||
| - | |||
| - | |||
| - | Protects against attacks and exploits of: | ||
| - | |||
| - | ^Category^Description^Reference^ | ||
| - | |3CORESec|Generated automatically from the 3CORESec team IP block lists; based on malicious activity from their Honeypots.|https:// | ||
| - | |ActiveX|Microsoft ActiveX controls.| | | ||
| - | |Adware-PUP|Ad-tracking and spyware related activity.| | | ||
| - | |Attack Response|Identifies responses indicative of intrusion; such as LMHost file download, presence of certain web banners and the detection of Metasploit Meterpreter kill command.| | | ||
| - | |Botcc (Bot Command and Control)|Auto-generated from several sources of known and confirmed active botnet and other Command and Control (C2) hosts.|https:// | ||
| - | |Botcc Portgrouped|Similar to the Botcc category but grouped by destination port. Rules grouped by port can offer higher fidelity than those not grouped by port.| | | ||
| - | |Chat|Chat clients such as Internet Relay Chat (IRC).| | | ||
| - | |CIArmy|Generated using Collective Intelligence IP blocking rules.|https:// | ||
| - | |Coinmining|Malware which performs coin mining.| | | ||
| - | |Compromised|Known compromised hosts; updated daily from several private but highly reliable data sources.| | | ||
| - | |::: | ||
| - | |Current Events|Active and short-lived campaigns and high-profile items that are expected to be temporary; such as fraud campaigns related to disasters.| | | ||
| - | |:::|The rules in this category are not intended to be kept in the ruleset for long.| | | ||
| - | |Deleted|Signatures removed from a rule set; often due to being problematic or duplicates or being super-seeded.| | | ||
| - | |DNS|Attacks and vulnerabilities regarding Domain Name Service (DNS) including tunneling.| | | ||
| - | |DOS|Denial of Service (DoS) attempts.| | | ||
| - | |Drop|To block IP addresses on the Spamhaus DROP (Do not Route or Peer) list, which is updated daily.|https:// | ||
| - | |Dshield|Attackers identified by Dshield, updated daily from the DShield top attackers list which is very reliable.|https:// | ||
| - | |Exploit|Direct exploits not otherwise covered in a specific service category; including vulnerabilities against Microsoft Windows.| | | ||
| - | |::: | ||
| - | |Exploit-Kit|Activity related to Exploit Kits.| | | ||
| - | |FTP|Attacks, | ||
| - | |Games|Gaming traffic.| | | ||
| - | |Hunting|Threat hunting in an environment.| | | ||
| - | |::: | ||
| - | |ICMP|Internet Control Message Protocol (ICMP).| | | ||
| - | |ICMP_info|ICMP protocol specific events, typically associated with normal operations for logging purposes.| | | ||
| - | |IMAP|Internet Message Access Protocol (IMAP).| | | ||
| - | |Inappropriate|Sites that are pornographic or otherwise not appropriate for a work environment.| | | ||
| - | |::: | ||
| - | |Info|Helps provide audit level events that are useful for correlation and identifying interesting activity which may not be inherently malicious but is often observed in malware and other threats| | | ||
| - | |::: | ||
| - | |JA3|Fingerprints malicious SSL certificates using JA3 hashes.| | | ||
| - | |::: | ||
| - | |**Malware**|Malicious software.| | | ||
| - | |Misc|Not covered in other categories.| | | ||
| - | |Mobile Malware|Malware associated with mobile and tablet operating systems.| | ||
| - | |::: | ||
| - | |NETBIOS|NetBIOS| | | ||
| - | |P2P|Peer-to-Peer (P2P), including torrents, edonkey, Bittorrent, Gnutella and Limewire among others.| | ||
| - | |Phishing|Phishing activity.| | | ||
| - | |Policy|May indicate violations against policies of an organization.| | | ||
| - | |POP3|Post Office Protocol 3.0 (POP3).| | | ||
| - | |RPC|Remote Procedure Call (RPC).| | ||
| - | |SCADA|Supervisory control and data acquisition (SCADA).| | | ||
| - | |SCADA_special|Signatures written for Snort Digital Bond based SCADA preprocessor.| | | ||
| - | |SCAN|Reconnaissance and probing from tools such as Nessus, Nikto, and other port scanning tools.| | | ||
| - | |Shellcode|Remote shellcode detection.| | | ||
| - | |SMTP|Simple Mail Transfer Protocol (SMTP).| | | ||
| - | |SNMP|Simple Network Management Protocol (SNMP).| | | ||
| - | |SQL|Structured Query Language (SQL).| | | ||
| - | |TELNET|TELNET.| | | ||
| - | |TFTP|Trivial File Transport Protocol (TFTP).| | | ||
| - | |TOR|Identification of traffic to and from TOR exit nodes based on IP address.| | | ||
| - | |Trojan|A legacy category not used new versions of Suricata. | ||
| - | |User Agents|Suspicious and anomalous user agents.| | | ||
| - | |:::|Known malicious user agents are generally placed in the Malware category.| | | ||
| - | |VOIP|Voice over IP (VOIP) including SIP, H.323 and RTP among others.| | | ||
| - | |Web Client|Web clients such as web browsers as well as client side applications like CURL, WGET and others.| | | ||
| - | |Web Server|Web server infrastructure such as APACHE, TOMCAT, NGINX, Microsoft Internet Information Services (IIS) and other web server software.| | | ||
| - | |Web Specific Apps|Attacks and vulnerabilities in specific web applications.| | | ||
| - | |WORM|Worm-like propagation.| | | ||
| - | |||
| - | |||
| - | |||
| - | ---- | ||
| - | |||
| - | ===== References ===== | ||
| - | |||
| - | https:// | ||
ids/emerging_threats/emerging_threat_categories.1626787313.txt.gz · Last modified: 2021/07/20 13:21 by peter