Notes on Suricata rule classtypes and rule file categories

File name: classification.config
config classification: not-suspicious,Not Suspicious Traffic,3 # not suspicious traffic
config classification: unknown,Unknown Traffic,3 # unknown traffic
config classification: bad-unknown,Potentially Bad Traffic, 2 # potentially malicious traffic, e.g. msg:"ET DNS Query for a Suspicious *.noc.su domain";
config classification: attempted-recon,Attempted Information Leak,2 # attempted reconnaissance, e.g. msg:"GPL DNS named version attempt";
config classification: successful-recon-limited,Information Leak,2 # limited information leak, e.g. msg:"ET WEB_SERVER Successful DD-WRT Information Disclosure"
config classification: successful-recon-largescale,Large Scale Information Leak,2 # large-scale information leak, e.g. msg:"ET WEB_SPECIFIC_APPS WordPress DB XML dump successful leakage"
config classification: attempted-dos,Attempted Denial of Service,2 # attempted DoS attack
config classification: successful-dos,Denial of Service,2 # successful DoS attack
config classification: attempted-user,Attempted User Privilege Gain,1 # attempted user privilege gain
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1 # unsuccessful user privilege gain, e.g. msg:"GPL MISC Invalid PCAnywhere Login"
config classification: successful-user,Successful User Privilege Gain,1 # successful user privilege gain
config classification: attempted-admin,Attempted Administrator Privilege Gain,1 # attempted administrator privilege gain
config classification: successful-admin,Successful Administrator Privilege Gain,1 # successful administrator privilege gain

# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2 # RPC decode, e.g. msg:"GPL EXPLOIT portmap proxy integer overflow attempt UDP"
config classification: shellcode-detect,Executable code was detected,1 # shellcode detection
config classification: string-detect,A suspicious string was detected,3 # suspicious string detection
config classification: suspicious-filename-detect,A suspicious filename was detected,2 # suspicious filename detection
config classification: suspicious-login,An attempted login using a suspicious username was detected,2 # suspicious login detection
config classification: system-call-detect,A system call was detected,2 # system call detection
config classification: tcp-connection,A TCP connection was detected,4 # TCP connection detection
config classification: trojan-activity,A Network Trojan was detected, 1 # trojan detection
config classification: unusual-client-port-connection,A client was using an unusual port,2 # unusual client port detection
config classification: network-scan,Detection of a Network Scan,3 # network (address) scan
config classification: denial-of-service,Detection of a Denial of Service Attack,2 # DoS attack detection
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2 # non-standard protocol detection
config classification: protocol-command-decode,Generic Protocol Command Decode,3 # normal protocol decode
config classification: web-application-activity,access to a potentially vulnerable web application,2 # access to a potentially vulnerable web application, e.g. msg:"GPL EXPLOIT formmail access"
config classification: web-application-attack,Web Application Attack,1 # web application attack
config classification: misc-activity,Misc activity,3 # miscellaneous activity (across assorted protocols, events, applications, etc.), e.g. msg:"ET CHAT IRC PING command";
config classification: misc-attack,Misc Attack,2 # miscellaneous attack
config classification: icmp-event,Generic ICMP event,3 # ICMP protocol event
config classification: kickass-porn,SCORE! Get the lotion!,1 # pornography
config classification: policy-violation,Potential Corporate Privacy Violation,1 # privacy violation
config classification: default-login-attempt,Attempt to login by a default username and password,2 # login attempt with default credentials

# Update
config classification: targeted-activity,Targeted Malicious Activity was Detected,1 # targeted malicious activity detected
config classification: exploit-kit,Exploit Kit Activity Detected,1 # exploit kit activity detected
config classification: external-ip-check,Device Retrieving External IP Address Detected,2 # device retrieving its external IP address detected
config classification: domain-c2,Domain Observed Used for C2 Detected,1 # domain used for C2 detected
config classification: pup-activity,Possibly Unwanted Program Detected,2 # possibly unwanted program detected
config classification: credential-theft,Successful Credential Theft Detected,1 # successful credential theft detected
config classification: social-engineering,Possible Social Engineering Attempted,2 # possible social engineering attempt, e.g. msg:"ET CURRENT_EVENTS HoeflerText Chrome Popup DriveBy Download Attempt 2"
config classification: coin-mining,Crypto Currency Mining Activity Detected,2 # cryptocurrency mining detected
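
As an added example (not part of the original post), a small Python checker for this file format and for how a rule's classtype maps onto it: Suricata reads only `config classification: name,description,priority`, so the trailing `# ...` notes above are annotations for the reader, and a line that does not end in its priority is reported as malformed. An explicit `priority` keyword in a rule overrides the classtype's priority, and a classtype missing from the file falls back to the default of 3. The config excerpt and rule lines below are constructed samples.

```python
import re

# Line format Suricata reads: config classification: <shortname>,<short description>,<priority>
CLASS_RE = re.compile(
    r"^\s*config\s*classification\s*:\s*([A-Za-z][A-Za-z0-9_-]*)\s*,\s*(.+?)\s*,\s*(\d+)\s*$")
CLASSTYPE_RE = re.compile(r"\bclasstype\s*:\s*([A-Za-z][A-Za-z0-9_-]*)\s*;")
PRIORITY_RE = re.compile(r"\bpriority\s*:\s*(\d+)\s*;")

def parse_classification(text):
    """Return ({shortname: (description, priority)}, [(lineno, malformed line), ...])."""
    table, malformed = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):   # blank and comment-only lines are skipped
            continue
        m = CLASS_RE.match(line)
        if m is None:                                  # e.g. missing priority or inline "#" note
            malformed.append((lineno, line))
            continue
        name, desc, prio = m.groups()
        table[name] = (desc, int(prio))
    return table, malformed

def rule_priority(rule, table, default=3):
    """Effective priority of one rule: explicit priority keyword wins, then the classtype's
    priority from the table, then the default (Suricata warns and uses 3 for unknown classtypes)."""
    m = PRIORITY_RE.search(rule)
    if m:
        return int(m.group(1)), "priority keyword"
    m = CLASSTYPE_RE.search(rule)
    if m is None:
        return default, "no classtype"
    ct = m.group(1)
    if ct in table:
        return table[ct][1], "classtype " + ct
    return default, "undefined classtype " + ct

# Constructed sample input (not a real ruleset): an excerpt of the config above plus one bad line.
SAMPLE_CONFIG = """\
# constructed excerpt
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: broken-entry,Missing priority
"""
SAMPLE_RULES = [
    'alert dns any any -> any any (msg:"constructed suspicious domain"; classtype:bad-unknown; sid:1000001; rev:1;)',
    'alert http any any -> any any (msg:"constructed beacon"; classtype:trojan-activity; priority:2; sid:1000002; rev:1;)',
    'alert tcp any any -> any any (msg:"constructed typo"; classtype:trojan-activty; sid:1000003; rev:1;)',
]
```

Running `parse_classification(SAMPLE_CONFIG)` and then `rule_priority(rule, table)` over `SAMPLE_RULES` flags the misspelled classtype in the third rule, which would otherwise silently alert at priority 3.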

For the categories of the individual rule files, see this link: Purpose and use of the Suricata default rule set
