classification.config (forked from ajest983/Attack-Suricata-Rules)
#
# config classification:shortname,short description,priority
#
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: inappropriate-content,Inappropriate Content was Detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2
# Update
config classification: targeted-activity,Targeted Malicious Activity was Detected,1
config classification: exploit-kit,Exploit Kit Activity Detected,1
config classification: external-ip-check,Device Retrieving External IP Address Detected,2
config classification: domain-c2,Domain Observed Used for C2 Detected,1
config classification: pup-activity,Possibly Unwanted Program Detected,2
config classification: credential-theft,Successful Credential Theft Detected,1
config classification: social-engineering,Possible Social Engineering Attempted,2
config classification: coin-mining,Crypto Currency Mining Activity Detected,2
config classification: command-and-control,Malware Command and Control Activity Detected,1
# ========== High-risk attack classes ==========
config classification: C2_trojan-activity,C2木马命令与控制活动,1
config classification: java-deserialization,Java反序列化攻击,1
config classification: unauthorized-access,未授权访问尝试,1
config classification: shiro-rce,Apache Shiro远程代码执行,1
config classification: sql-injection,SQL注入攻击,1
config classification: webshell-activity,Webshell工具活动,1
config classification: rce-attempt,远程代码执行尝试,1
config classification: xxe-attack,XML外部实体注入攻击,1
config classification: Tomcat-CVE,Tomcat漏洞利用,1
# ========== Medium/high-risk vulnerability classes ==========
config classification: file-upload-attempt,恶意文件上传尝试,2
config classification: file-read-attempt,任意文件读取尝试,2
config classification: tunnel-activity,隧道工具活动,2
config classification: xss-attack,跨站脚本攻击,2
# ========== Probing and scanning classes ==========
config classification: vuln-scanner,漏洞扫描活动,3
config classification: dir-scan,目录扫描活动,3
# ========== Data leakage classes ==========
config classification: dns-exfiltration,DNS数据外带,3
config classification: sensitive-str,敏感字符检测,3
config classification: sensitive-file-access,敏感文件访问,3
# ========== Resource abuse classes ==========
# NOTE: the shortname coin-mining is already defined above (priority 2). Suricata
# keys classtypes by shortname and warns about a duplicate, keeping only the
# definition it loaded first, so the priority 4 given here does not take effect.
config classification: coin-mining,加密货币挖矿活动,4
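As an added worked example (not part of this repository), the following Python checker parses entries in the `config classification: shortname,description,priority` format described by the header comment, using a pattern modeled on the one Suricata's config loader applies, and reports the problems that matter when a rule set is deployed: lines that will not parse, a shortname defined twice (as `coin-mining` is in this file, where only one definition survives), and priorities outside the 1 to 4 range this file uses. The sample input is constructed for the example; its first entries are copied from this file and the last three are deliberately malformed. The first-wins handling of duplicates is an assumption that mirrors Suricata's loader.

```python
import re
from dataclasses import dataclass

# Pattern modeled on the one Suricata's loader applies to each line of
# classification.config:  config classification: shortname,description,priority
# (whitespace around the separators is tolerated, as in the stock file).
_LINE_RE = re.compile(
    r"^\s*config\s*classification\s*:\s*"
    r"([a-zA-Z][a-zA-Z0-9\-_]*)\s*,\s*(.+?)\s*,\s*(\d+)\s*$"
)

# Priority range this file (and the stock Suricata file) uses; 1 is most severe.
PRIORITY_MIN, PRIORITY_MAX = 1, 4


@dataclass
class ClassType:
    shortname: str
    description: str
    priority: int
    line_no: int


def parse_classification_config(text):
    """Parse classification.config text.

    Returns (classtypes, problems): classtypes maps each shortname to the
    first ClassType defined for it (Suricata keys classtypes by shortname and
    warns on duplicates; first-wins is assumed here to mirror that), and
    problems is a list of "line N: ..." findings.
    """
    classtypes = {}
    problems = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no classtype
        m = _LINE_RE.match(line)
        if m is None:
            problems.append(f"line {line_no}: unparseable entry: {line!r}")
            continue
        shortname, description, priority = m.group(1), m.group(2), int(m.group(3))
        if shortname in classtypes:
            first = classtypes[shortname]
            problems.append(
                f"line {line_no}: duplicate shortname {shortname!r} "
                f"(first defined on line {first.line_no} with priority "
                f"{first.priority}); this definition is ignored"
            )
            continue
        if not PRIORITY_MIN <= priority <= PRIORITY_MAX:
            problems.append(
                f"line {line_no}: priority {priority} for {shortname!r} is outside "
                f"the {PRIORITY_MIN}-{PRIORITY_MAX} range used in this file"
            )
        classtypes[shortname] = ClassType(shortname, description, priority, line_no)
    return classtypes, problems


# Constructed sample input; the first entries are copied from this file, the
# last three are deliberately bad so the checker has something to report.
SAMPLE_CONFIG = """\
#
# config classification:shortname,short description,priority
#
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: coin-mining,Crypto Currency Mining Activity Detected,2
config classification: webshell-activity,Webshell tool activity,1
config classification: coin-mining,Cryptocurrency mining activity,4
config classification: 9bad,Shortname must start with a letter,2
config classification: too-high,Priority outside the usual range,7
"""


if __name__ == "__main__":
    types, findings = parse_classification_config(SAMPLE_CONFIG)
    for name, ct in sorted(types.items(), key=lambda kv: kv[1].priority):
        print(f"{ct.priority}  {name:24s} {ct.description}")
    for finding in findings:
        print("WARNING:", finding)
```

Run it against the real file with `parse_classification_config(open("classification.config").read())` before loading the rule set; a duplicate or unparseable classtype shows up here as a warning rather than as a silently wrong priority on the alerts later.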