IPS Rule Categories

Attack-Response
These are designed to catch the results of a successful attack. Things like "id=root", or error messages that indicate a compromise may have happened. (Note: Trojan and virus post-infection activity is not included here; the Anti-Virus facility should address such activity.)

BotCC
These are autogenerated from several sources of known and confirmed active Botnet and other Command and Control hosts. Updated daily; the primary data source is Shadowserver.org.

BotCC Ported
Same category as BotCC, but with the rules grouped by destination port.

Chat
These are rules related to numerous chat clients, IRC and possible check-in activity.

Compromised
This is a list of known compromised hosts, confirmed and updated daily as well. This set varies from a hundred to several hundred rules depending on the data sources. It is a compilation of several private but highly reliable data sources. Warning: IPS does not handle IP matches well load-wise. If your firewall is already pushed to its limits, this set will add significant load. We recommend staying with just the BotCC rules in a high-load case.

Current_Events
These are rules that we don't intend to keep in the ruleset for long, or that need to be tested before they are considered for inclusion. Most often these will be simple sigs for the Storm binary URL of the day, sigs to catch CLSIDs of newly found vulnerable apps where we don't have any detail on the exploit, etc. Useful sigs, but not for the long term.

DNS
Rules for attacks and vulnerabilities regarding DNS. This category also covers abuse of the service for things such as tunneling.

DoS
Intended to catch inbound Denial of Service (DoS) activity, as well as outbound indications of it. Relatively self-explanatory.

DROP
This is a daily updated list of the Spamhaus DROP (Don't Route or Peer) list. Primarily known professional spammers. More info at: www.spamhaus.org

DShield
Daily updated list of the DShield top attackers. Also very reliable. More information at www.dshield.org

Exploit
Rules to detect direct exploits. Generally, if you're looking for a Windows exploit, Veritas, etc., they'll be here. Things like SQL injection and the like, while they are exploits, have their own category.

Game
World of Warcraft, Starcraft, and other popular online games have sigs here. We don't intend to label these things evil, just that they're not appropriate for all environments.

ICMP
Rules for attacks and vulnerabilities regarding ICMP. Also included are rules for detecting basic activity of the protocol for logging purposes.

IMAP
Rules for the identification of, as well as attacks and vulnerabilities regarding, the IMAP protocol. Also included are rules detecting basic activity of the protocol for logging purposes.

Malware
This rule set was originally intended to be just spyware. The line between spyware and outright malicious bad stuff has blurred too much since the original rule set was created. There is more than just spyware in this rule set. There are URL hooks for known update schemes, User-Agent strings of known malware, and a load of other goodies. If you can only run one ruleset to justify your IDS infrastructure, this is it!

Misc
Miscellaneous rules for those not covered in other categories.

Mobile Malware
Rules specific to mobile platforms: malware and spyware related, with no clear criminal intent.

Netbios
Rules for the identification of, as well as attacks, exploits and vulnerabilities regarding, NetBIOS. Also included are rules detecting basic activity of the protocol for logging purposes.

P2P
Peer to Peer stuff. Bittorrent, Gnutella, Limewire, you name it. We're not labeling these things Bad(tm), just not appropriate for all networks and environments.

Policy
Rules for things that are often disallowed by company or organizational policy. Myspace, Ebay, that kind of thing.

POP3
Rules for the identification of, as well as attacks and vulnerabilities regarding, the POP3 protocol. Also included are rules detecting basic activity of the protocol for logging purposes.

RPC
Rules for RPC related attacks, vulnerabilities, and protocol detection. Included are rules for detecting basic activity of the protocol for logging purposes.

Scan
Things to detect reconnaissance and probing. Nessus, Nikto, portscanning, etc. Early warning stuff.

SMTP
Rules for attacks, exploits and vulnerabilities regarding SMTP. Included are rules for detecting basic activity of the protocol for logging purposes.

SNMP
Rules for attacks, exploits, and vulnerabilities regarding SNMP. Included are rules for detecting basic activity of the protocol for logging purposes.

SQL
Rules for attacks, exploits and vulnerabilities regarding SQL. Included are rules for detecting basic activity of the protocol for logging purposes.

TELNET
Rules for attacks, exploits and vulnerabilities regarding the TELNET service. Included are rules for detecting basic activity of the protocol for logging purposes.

TFTP
Rules for attacks, exploits and vulnerabilities regarding the TFTP service. Included are rules for detecting basic activity of the protocol for logging purposes.

TOR
IP-based rules for the identification of traffic to and from TOR exit nodes.

Trojan
Malicious software that has clear criminal intent. Rules here detect malicious software that is in transit, active, infecting, attacking, updating and whatever else we can detect on the wire. This is also a highly important ruleset to enable if you have to choose.

User Agents
Rules for user agent identification and detection.

VOIP
A new and emerging ruleset. Small at the moment, but we expect it to grow soon.

Web Client
Rules for web client side attacks and vulnerabilities.

Web Server
Rules for web server attacks and vulnerabilities. Some SQL injection, web server overflows, vulnerable web apps, that kind of thing. Very important if you're running web servers, and pretty reasonable load.

WORM
Rules to detect traffic indicative of network-based worm activity.