IDPS Signatures

Enabled

Signature on/off indicator.

Id

The ID of a signature group.

Name

The name of the signature.

Description

Signature description.

Threat level

Threat level defined by the signature. The following values are defined:

• 1: very low

• 2: low

• 3: medium

• 4: high

• 5: very high

Class type

The signature class determines the attack type that is detected using this signature. In addition, it determines the general events that are not related o the attack but can be relevant in certain cases; e.g., detecting the establishment of a TCP session. The class list (can be extended):

• arbitrary-code-execution: attempt to run arbitrary code

• attempted-admin: attempt to obtain administrative privileges

• attempted-dos: attempt to launch a Denial-of-Service (DoS) attack

• attempted-recon: attempt to launch an attack aimed at leaking data

• attempted-user: attempt to obtain user privileges

• bad-unknown: potentially unwanted traffic

• buffer overflow: attempt to launch a buffer-overflow attack

• command-and-control: attempt to communicate with a C&C center

• default-login-attempt: attempt to log in with the default username/password

• denial-of-service: Denial-of-Service attack detected

• exploit-kit: exploit kit detected

• information disclosure: data leak

• memory corruption: attempt to launch a memory corruption attack

• misc-activity: other activity

• misc-attack: attack detected

• network-scan: network scanning

• path traversal: attempt to launch an attack that works by traversing file paths on the server where the application is running

• policy-violation: network policy violation

• protocol-command-decode: unusual protocol command detected

• shellcode-detect: shell code detected

• string-detect: suspicious string detected

• successful-recon-limited: information leak

• suspicious-login: attempt to log in using a suspicious username

• system-call-detect: attempt to invoke system calls

• targeted-activity: targeted activity detected

• trojan-activity: network Trojan detected

• uncaught exception: exception not handled by the application.

Category

A signature category is a group of signatures that have common parameters. The list of categories (can be extended):

• adware pup: unwanted adware

• attack_response: signatures that specify responses to known network attacks

• bruteforce: brute-force attack

• coinminer: downloading, installation, and runtime activity of known miners

• dns: known DNS vulnerabilities

• dos: known signatures of denial-of-service (DoS) attacks

• exploit: signatures of known exploits

• ftp: known FTP vulnerabilities

• icmp: known ICMP protocol vulnerabilities

• imap: known IMAP vulnerabilities

• info: potential data leaks

• ldap: known LDAP vulnerabilities

• malware: downloading, installation, and runtime activity of known malware

• misc: other known signatures

• netbios: known NetBIOS protocol vulnerabilities

• p2p: peer-to-peer traffic detected

• phishing: signatures of known phishing attacks

• policy: cybersecurity policy violation

• pop3: known POP3 protocol vulnerabilities

• rpc: known RPC protocol vulnerabilities

• scada: known SCADA protocol vulnerabilities

• scan: signatures of attempts to scan the network for known applications

• shellcode: signatures specifying known attempts at launching shells

• sip: known SIP protocol vulnerabilities

• smb: known SMB protocol vulnerabilities

• smtp: known SMTP protocol vulnerabilities

• snmp: known SNMP protocol vulnerabilities

• sql: known SQL vulnerabilities

• telnet: known attempts at cracking via the telnet protocol

• tftp: known TFTP protocol vulnerabilities

• user_agents: signatures of suspicious Useragents

• voip: known VoIP protocol vulnerabilities

• web_client: signatures of known attempts at cracking various web clients, such as Adobe Flash Player

• web_server: signatures specifying known attempts at cracking various web servers

• web_specific_apps: signatures specifying known attempts at cracking various web applications

• worm: signatures specifying network activity of known network worms

Signature operating system

The operating system for which this signature is developed.

• Windows

• Linux

• BSD

• Mac OS

• Solaris

• Cisco

• IOS

• Android

• Other

CVE

Vulnerability ID according to the CVE registry.

BDU

Vulnerability ID according to the BDU registry.

URL

Optional link to a resource with the description of the vulnerability.

UASL

Description of the signature's features using the UASL syntax.

General Settings

• Action: the response to signature detection. The following values are defined:

  • None: no action defined

  • Pass: allow the packet

  • Drop: drop the packet

  • Reset: drop the packet and abort the TCP connection (send a TCP reset)

  • Block IP: block the source and/or destination IP address

• Log:

  • Enable: enable event logging

  • Disable: disable event logging

• PCAP file: trace the signature detection and write the results in a PCAP file

  • Enable: enable tracing

  • Disable: disable tracing

• Apply to: what the Reset or Block IP actions should apply to. The available options are:

  • Source: the Reset or Block IP action is applied to the source IP address of the packet

  • Destination: the Reset or Block IP action is applied to the destination IP address of the packet

  • Both: the Reset or Block IP action is applied to both the source and destination IP addresses of the packet

• Duration: the block duration for the Block IP action