Threat Categories
This section lists the threat categories and their descriptions in a table. This information helps you understand and troubleshoot issues while monitoring and analyzing threats in your dashboard.

Table 1: Threat Categories
Category | Description |
---|---|
 | Rules that detect attacks and vulnerabilities related to ActiveX. |
Adware-PUP | Rules that are not explicitly malware, but might indicate software that is used for ad tracking or other types of spyware-related activity. |
Attack Response | Responses that could indicate an intrusion. These rules are designed to detect the results of a successful attack, for example error messages that indicate an intrusion. |
Botcc (Bot Command and Control) | Rules autogenerated from several sources of known and confirmed active botnet and other command-and-control hosts. The primary data source is shadowserver.org. |
Botcc Portgrouped | Botcc rules that are grouped by destination port. Rules grouped by port offer higher fidelity. |
 | Rules to detect traffic related to numerous chat clients, Internet Relay Chat (IRC), and possible check-in activity. |
 | IP rules generated by Collective Intelligence to block traffic. |
Coinmining | Rules to detect activities related to coinmining, such as mining for Bitcoin. Rules in this category mostly detect malware that performs coinmining. |
Compromised | Rules to identify threats from a list of known compromised hosts that is confirmed and updated daily. This is a compilation of several private but highly reliable data sources. |
Current Events | Rules for active and short-lived campaigns. This category covers exploit kits and malware that will be aged out and removed quickly due to the short-lived nature of the threat. These are rules that we don't intend to keep in the ruleset for long, or that need to be tested before they are considered for inclusion. For example, these rules contain simple signatures for the Storm binary URL of the day and signatures to detect CLSIDs of newly found vulnerable apps. |
Decoder events | Rules to log normalization events related to decoding. |
 | Rules removed from the ruleset. |
 | Rules to detect attacks and vulnerabilities related to DNS. This category includes abuse of the service for things such as tunneling. |
DOS | Rules to detect Denial of Service (DOS) attempts, intended to detect both inbound DOS activity and outbound indications. |
Drop | Rules to block networks on the Spamhaus DROP (Don't Route Or Peer) list. This list is updated daily. For more information, see http://www.spamhaus.org. |
Dshield | IP-based rules for Dshield-identified attackers. This list is updated daily. For more information, see http://www.dshield.org. |
Exploit | Rules to detect direct exploits that are not covered by a specific service category. For example, Windows and Veritas exploits are categorized as Exploit. Attacks such as SQL injection, although they are exploits, are listed under their own category. |
Exploit-Kit | Rules used specifically to detect activity related to exploit kits, their infrastructure, and delivery. |
 | Rules for attacks, exploits, and vulnerabilities related to FTP. This category includes basic non-malicious FTP activities, such as login, for logging purposes. |
Games | Rules for identifying gaming traffic and attacks against those games. |
 | Rules to log HTTP protocol-specific events. |
Hunting | Rules that may match legitimate traffic or require intensive matching, but that are useful for threat hunting because they provide indicators that are useful when correlated with other rules. |
 | Rules for attacks and vulnerabilities related to ICMP. This category includes rules that detect basic activities of the protocol for logging purposes. |
ICMP Info | Rules to log ICMP protocol-specific events. |
 | Rules to identify attacks and vulnerabilities related to the IMAP protocol. This category includes rules to detect basic activities of the protocol for logging purposes. |
Inappropriate | Rules to identify pornography-related activities. |
 | Rules that support the mechanism to fingerprint malicious SSL certificates based on parameters in the SSL handshake negotiation by both clients (JA3) and servers (JA3S). These signatures have a higher propensity for false positives, but are great for threat hunting or malware detonation environments. |
Malware | Rules for malicious software that has clear criminal intent. Rules here detect malicious software that is in transit, active, infecting, attacking, updating, and anything else that can be detected on the wire. |
Mobile Malware | Rules specific to mobile platforms. This includes rules for malware and spyware-related activities. |
Netbios | Rules to identify attacks, exploits, and vulnerabilities related to Netbios. This category includes rules that detect basic activities of the protocol for logging purposes. |
P2P | Rules to identify peer-to-peer traffic and attacks. These are not labeled as malicious, but might not be appropriate for all networks and environments. |
Phishing | Rules that detect credential phishing activity, including landing pages exhibiting credential phishing as well as successful submission of credentials to credential phishing sites. |
Policy | Rules for applications like DropBox and Google Apps. This category covers off-port protocols and basic DLP such as credit card numbers and social security numbers, as well as rules to block applications that are not allowed by organizational policy. |
 | Rules to identify attacks and vulnerabilities related to the POP3 protocol. This category includes rules to detect basic activities of the protocol for logging purposes. |
 | Rules to detect attacks, vulnerabilities, and protocol activity related to RPC. This category includes rules to detect basic activities of the protocol for logging purposes. |
 | Rules for SCADA attacks, exploits, and vulnerabilities, and protocol detection. |
SCADA_special | Rules for the SCADA preprocessor based on Snort Digital Bond. |
SCAN | Rules to detect reconnaissance and probing. |
Shellcode | Rules for remote shellcode detection. Remote shellcode is used when an attacker targets a vulnerable process running on another machine on a local network or intranet. If successfully executed, the shellcode can give the attacker access to the target machine across the network. Remote shellcode normally uses standard TCP/IP socket connections to give the attacker access to a shell on the target machine. Such shellcode can be categorized by how the connection is set up: if the shellcode establishes the connection itself, it is called a "reverse shell" or connect-back shellcode because it connects back to the attacker's machine. |
 | Rules for attacks, exploits, and vulnerabilities related to SMTP. This category includes rules to detect basic activities of the protocol for logging purposes. |
SMTP events | Rules that log SMTP operations. |
 | Attacks, exploits, and vulnerabilities related to SNMP. This category includes rules to detect basic activities of the protocol for logging purposes. |
SQL | Attacks, exploits, and vulnerabilities related to SQL. This category includes rules to detect basic activities of the protocol for logging purposes. |
Stream events | Rules to identify intrusions through TCP stream engine events. |
 | Rules that detect attacks and vulnerabilities related to the TELNET service. This category includes rules to detect basic activities of the protocol for logging purposes. |
 | Rules that detect attacks and vulnerabilities related to the TFTP service. This category includes rules to detect basic activities of the protocol for logging purposes. |
 | Rules for identifying TLS events and anomalies. |
TOR | IP-based rules to identify traffic to and from Tor exit nodes. |
Trojan | Malicious software that has clear criminal intent. Rules here detect malicious software that is in transit, active, infecting, attacking, updating, and anything else that can be detected on the wire. |
User Agents | User agent identification and detection. |
VOIP | Rules that detect attacks and vulnerabilities related to VoIP environments, for example intrusions using protocols such as SIP and RTP. |
Web Client | Web-client-side attacks and vulnerabilities. |
Web Server | Rules that detect attacks and vulnerabilities against web servers. |
Web Specific Apps | Rules for specific web applications. |
WORM | Traffic indicative of network-based worm activity. |