Threat Categories

This section lists the various threat categories and their descriptions in a table. This information helps you to understand and troubleshoot issues while monitoring and analyzing threats in your Gateway IDS/IPS dashboard.

Table 1: Threat Categories

| Category | Description |
|---|---|
| Activex | Rules that detect attacks and vulnerabilities related to ActiveX. |
| Adware-PUP | Rules that are not explicitly malware, but might indicate software that is used for ad tracking or other types of spyware-related activity. |
| Attack Response | Responses that could indicate an intrusion. These rules are designed to detect the results of a successful attack, for example error messages that indicate an intrusion. |
| Botcc (Bot Command and Control) | Rules autogenerated from several sources of known and confirmed active botnet and other command and control hosts. The primary data source is shadowserver.org. |
| Botcc Portgrouped | Botcc rules that are grouped by destination port. Rules grouped by port offer higher fidelity. |
| Chat | Rules to detect traffic related to numerous chat clients, Internet Relay Chat (IRC), and possible check-in activity. |
| CIArmy | IP rules generated by Collective Intelligence to block traffic. |
| Coinmining | Rules to detect activities related to coinmining, such as mining for Bitcoin. Rules in this category mostly detect malware that performs coinmining. |
| Compromised | Rules to identify threats from a list of known compromised hosts that is confirmed and updated daily. This is a compilation of several private but highly reliable data sources. |
| Current Events | Rules for active and short-lived campaigns. This category covers exploit kits and malware that will be aged and removed quickly due to the short-lived nature of the threat. These are rules that we don't intend to keep in the ruleset for long, or that need to be tested before they are considered for inclusion. For example, simple signatures for the Storm binary URL of the day, or signatures to detect CLSIDs of newly found vulnerable apps. |
| Decoder events | Rules to log normalization events related to decoding. |
| Deleted | Rules removed from the ruleset. |
| DNS | Rules to detect attacks and vulnerabilities related to DNS. This category includes abuse of the service for things such as tunneling. |
| DOS | Rules to detect Denial of Service (DOS) attempts, covering both inbound DOS activity and outbound indications. |
| Drop | Rules to block networks on the Spamhaus DROP (Don't Route Or Peer) list. This list is updated daily. For more information, see http://www.spamhaus.org. |
| Dshield | IP-based rules for attackers identified by Dshield. This list is updated daily. For more information, see http://www.dshield.org. |
| Exploit | Rules to detect direct exploits that are not covered by a specific service category. For example, Windows and Veritas exploits are categorized as Exploit. Intrusions such as SQL injection are exploits as well, but have their own category. |
| Exploit-Kit | Rules used specifically to detect activity related to exploit kits, their infrastructure, and delivery. |
| FTP | Rules for attacks, exploits, and vulnerabilities related to FTP. This category includes basic non-malicious FTP activities, such as login, for logging purposes. |
| Games | Rules for identifying gaming traffic and attacks against those games. |
| HTTP Events | Rules to log HTTP protocol-specific events. |
| Hunting | Rules that may match legitimate traffic or require intensive matching, but are useful for threat hunting because they provide indicators that are useful when matched with other rules. |
| ICMP | Rules for attacks and vulnerabilities related to ICMP. This category includes rules that detect basic activities of the protocol for logging purposes. |
| ICMP Info | Rules to log ICMP protocol-specific events. |
| IMAP | Rules to identify attacks and vulnerabilities related to the IMAP protocol. This category includes rules to detect basic activities of the protocol for logging purposes. |
| Inappropriate | Rules to identify pornography-related activities. |
| JA3 | Rules that support the mechanism to fingerprint malicious SSL certificates based on parameters in the SSL handshake negotiation by both clients (JA3) and servers (JA3S). JA3 extracts fields from the TLS ClientHello message to generate a fingerprint that recognizes a particular client. These signatures have a higher propensity for false positives but are great for threat hunting or malware detonation environments. |
| Malware | Rules for malicious software that has clear criminal intent. Rules here detect malicious software that is in transit, active, infecting, attacking, updating, and anything else that can be detected on the wire. |
| Mobile Malware | Rules specific to mobile platforms. This includes rules for malware and spyware-related activities. |
| Netbios | Rules to identify attacks, exploits, and vulnerabilities related to NetBIOS. This category includes rules that detect basic activities of the protocol for logging purposes. |
| P2P | Rules to identify peer-to-peer traffic and attacks. These are not labeled as malicious, but might not be appropriate for all networks and environments. |
| Phishing | Rules that detect credential phishing activity, including landing pages exhibiting credential phishing as well as successful submission of credentials into credential phishing sites. |
| Policy | Rules for applications like Dropbox and Google Apps. This category covers off-port protocols and basic DLP such as credit card numbers and social security numbers, as well as rules to block applications that are not allowed by organizational policy. |
| POP3 | Rules to identify attacks and vulnerabilities related to the POP3 protocol. This category includes rules to detect basic activities of the protocol for logging purposes. |
| RPC | Rules to detect attacks, vulnerabilities, and protocol activity related to RPC. This category includes rules to detect basic activities of the protocol for logging purposes. |
| SCADA | Rules for SCADA attacks, exploits, vulnerabilities, and protocol detection. |
| SCADA_special | Rules for the SCADA preprocessor based on Snort Digital Bond. |
| SCAN | Rules to detect reconnaissance and probing. |
| Shellcode | Rules for remote shellcode detection. Remote shellcode is used when an attacker targets a vulnerable process running on another machine on a local network or intranet. If successfully executed, the shellcode can give the attacker access to the target machine across the network. Remote shellcode normally uses standard TCP/IP socket connections to give the attacker access to a shell on the target machine. Such shellcode can be categorized by how the connection is set up: if the shellcode establishes the connection, it is called a "reverse shell" or connect-back shellcode, because it connects back to the attacker's machine. |
| SMTP | Rules for attacks, exploits, and vulnerabilities related to SMTP. This category includes rules to detect basic activities of the protocol for logging purposes. |
| SMTP events | Rules that log SMTP operations. |
| SNMP | Rules for attacks, exploits, and vulnerabilities related to SNMP. This category includes rules to detect basic activities of the protocol for logging purposes. |
| SQL | Rules for attacks, exploits, and vulnerabilities related to SQL. This category includes rules to detect basic activities of the protocol for logging purposes. |
| Stream events | Rules to identify intrusions through TCP stream engine events. |
| TELNET | Rules that detect attacks and vulnerabilities related to the TELNET service. This category includes rules to detect basic activities of the protocol for logging purposes. |
| TFTP | Rules that detect attacks and vulnerabilities related to the TFTP service. This category includes rules to detect basic activities of the protocol for logging purposes. |
| TLS events | Rules for identifying TLS events and anomalies. |
| TOR | IP-based rules to identify traffic to and from Tor exit nodes. |
| Trojan | Malicious software that has clear criminal intent. Rules here detect malicious software that is in transit, active, infecting, attacking, updating, and anything else that can be detected on the wire. |
| User Agents | User agent identification and detection. |
| VOIP | Rules that detect attacks and vulnerabilities related to VoIP environments, for example intrusions using protocols such as SIP and RTP. |
| Web Client | Web-client-side attacks and vulnerabilities. |
| Web Server | Rules that detect attacks and vulnerabilities against web servers. |
| Web Specific Apps | Rules for specific web applications. |
| WORM | Traffic indicative of network-based worm activity. |
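The JA3 row describes the fingerprint as being built from fields of the TLS ClientHello. The Python below is an added example, not code from the original table or from the Gateway IDS/IPS product, showing what such a rule actually matches on: it parses the ClientHello, drops GREASE values, joins the TLS version, cipher suites, extension types, supported groups and EC point formats into the public JA3 string, and MD5-hashes it. The `build_client_hello` helper and both sample messages are constructed for this example; they are not captured traffic.

```python
"""Compute a JA3 fingerprint from a raw TLS ClientHello record.

Added example: implements the public JA3 algorithm (version, ciphers,
extensions, supported groups, EC point formats; MD5 of the joined string).
The sample ClientHello messages are constructed inline, not captured.
"""
import hashlib
import struct


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) look like 0x0a0a, 0x1a1a, ..., 0xfafa.
    Clients rotate them per connection, so JA3 drops them; otherwise the
    same browser would produce a different fingerprint on every handshake."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _u16_list(data: bytes) -> list:
    """Decode a packed list of big-endian 16-bit integers."""
    return [v for (v,) in struct.iter_unpack("!H", data)]


def parse_client_hello(record: bytes) -> dict:
    """Pull the five JA3 inputs out of a TLS record carrying a ClientHello."""
    content_type, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 1:
        raise ValueError("handshake message is not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                      # skip client_version and the 32-byte random
    pos += 1 + hello[pos]             # skip legacy session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    ciphers = _u16_list(hello[pos:pos + cs_len])
    pos += cs_len
    pos += 1 + hello[pos]             # skip compression methods
    extensions, groups, formats = [], [], []
    if pos + 2 <= len(hello):
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            ext_data = hello[pos:pos + ext_len]
            pos += ext_len
            extensions.append(ext_type)
            if ext_type == 10:        # supported_groups: u16 length, then u16 list
                groups = _u16_list(ext_data[2:2 + struct.unpack("!H", ext_data[:2])[0]])
            elif ext_type == 11:      # ec_point_formats: u8 length, then u8 list
                formats = list(ext_data[1:1 + ext_data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "formats": formats}


def ja3_string(fields: dict) -> str:
    """Build the JA3 string: version,ciphers,extensions,groups,point_formats."""
    def join(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([str(fields["version"]), join(fields["ciphers"]),
                     join(fields["extensions"]), join(fields["groups"]),
                     join(fields["formats"])])


def ja3_hash(record: bytes) -> str:
    """The JA3 fingerprint as it appears in IDS alerts: MD5 of the JA3 string."""
    return hashlib.md5(ja3_string(parse_client_hello(record)).encode()).hexdigest()


def build_client_hello(version, ciphers, extensions, groups, formats) -> bytes:
    """Assemble a minimal ClientHello record (constructed sample input, not a capture)."""
    exts = b""
    for ext_type in extensions:
        if ext_type == 10:
            body = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
        elif ext_type == 11:
            body = bytes([len(formats)]) + bytes(formats)
        else:
            body = b""                # extension payload is irrelevant to JA3
        exts += struct.pack("!HH", ext_type, len(body)) + body
    hello = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session id
    hello += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    hello += b"\x01\x00"              # one compression method: null
    hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake


# Constructed samples: the same client with and without GREASE values in three fields.
SAMPLE_WITH_GREASE = build_client_hello(
    0x0303, [0x0A0A, 4865, 4866, 49195, 49199], [0x1A1A, 0, 23, 10, 11, 16],
    [0x2A2A, 29, 23, 24], [0])
SAMPLE_WITHOUT_GREASE = build_client_hello(
    0x0303, [4865, 4866, 49195, 49199], [0, 23, 10, 11, 16], [29, 23, 24], [0])

if __name__ == "__main__":
    print(ja3_string(parse_client_hello(SAMPLE_WITH_GREASE)))
    print(ja3_hash(SAMPLE_WITH_GREASE), ja3_hash(SAMPLE_WITHOUT_GREASE))
```

The two samples hash to the same value, which is the point of GREASE removal. It also shows why the table marks this category as false-positive prone: the fingerprint identifies a TLS library configuration, not a certificate or a host, so every client built on the same library shares it, and a JA3 match is a hunting lead to correlate with other rules rather than a verdict on its own.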