ET 提供最新和最准确的威胁情报。我们进行了充分验证,并与安全工具实现了无缝集成,以增强当网络遭受威胁时系统能够及时做出自动决策。
了解已知的威胁已经不足以保护您的人员、数据和品牌。ET 有助于预防攻击和降低风险,帮助您了解这些威胁的历史背景,来自何处,背后是谁,何时受到攻击,使用了什么方法,以及他们的目的。按需访问 ip、域和其他相关威胁情报和历史数据,以帮助研究威胁和调查事件。
ET 除了声誉情报,你还可以了解谴责证据、深层背景、历史和检测信息,是一个易于使用的网络威胁智能系统,包括:
- 看到网络威胁的时间戳以及所属相关类别和发展趋势
- 威胁的类型和可以使用的工具包
- 攻击的相关样本数据
规则类别概述
每个主要类别的规则都是针对常规组织的。我们不推荐仅仅根据类别名称设置规则。最好在了解整个规则集后完成设置并定期检查。
下面是相关每个类别的基本概述,以帮助您找到需要的规则内容:
Attack-Response Rules
These are designed to catch the results of a successful attack. Things like "id=root", or error messages that indicate a compromise may have happened. Note: Trojan and virus post-infection activity is included generally in the VIRUS rule set, not here.
These are auto generated from several sources of known and confirmed active Botnet and other Command and Control hosts. Updated daily, primary data source is Shadowserver.org.
Compromised Rules
This is a list of known compromised hosts, confirmed and updated daily as well. This set varied from a hundred to several hunderd rules depending on the data sources. This is a compilation of several private but highly reliable data sources. Warming: Snort does not handle IP matches well load-wise. If your sensor is already pushed to the limits this set will add significant load. We recommend staying with just the BotCC rules in a high load case.
Current_Events Rules
These are rules that we don't intend to keep in the ruleset for long, or that need to be tested before they are considered for inclusion. Most often these will be simple sigs for the Storm binary URL of the day, sigs to catch CLSID's of newly found vulnerable apps where we don't have any detail on the exploit, etc. Useful sigs, but not for the long term.
DOS Rules
Intended to catch inbound DOS activity, and outbound indications. Relatively self-explanatory.
DROP Rules
This is a daily updated list of the Spamhaus DROP (Don't Route or Peer) list. Primarily known professional spammers. More info at http://www.spamhaus.org
DShield Rules
Daily updated list of the DShield top attackers list. Also very reliable. More indo at http://www.dshield.org
Exploit Rules
Rules to detect direct exploits. Generally if you're looking for a windows exploit, Veritas, etc, they'll be here. Things like SQL injection and the like, whie they are exploits, have their own category.
Game Rules
World of Warcraft, Starcraft, and other popular online games have sigs here. We don't intend to label these things evil, just that they're not appropriate for all environments.
Inappropriate Rules
Porn, Kiddy porn, sites you shouldn't visit at work, etc. Warning: These are generally quite Regex heavy and thus high load and frequent false positives. Only run these if you're really interested.
Malware Rules
My personal favorite. This set was originally intended to be just spyware. That's enough to several rule categories really. The line between spyware and outright malicious bad stuff has blurred to much since we originally started this set. There is more than just spyware in here, but rest assured nothing in here is something you want running on your net or PC. There are URL hooks for known update schemed, User-Agent strings of known malware, and a load of other goodies. If you can only run one ruleset to jsutify your IDS infrastructure, this is it!
P2P Rules
Peer to Peer stuff. Bittorrent, Gnutella, Limewire, you name it. We're not labeling these things Bad(tm), just not appropriate for all networks and environments.
Policy Rules
Rules for things that are often disallowed by company or organizational policy. Myspace, Ebay, that kind of thing.
Scan Rules
Things to detect reconnaissance and probing. Nessus, Nikto, port scanning, etc. Early warning stuff.
VOIP Rules
A new and emerging rule set. Small at the moment, but we expect it to grow soon.
Web Rules
Some SQL Injection, web server overflows, vulnerable web apps, that kind of thing. Very important if you're running web servers, and pretty reasonable load.
Web-SQL-Injection Rules
This is a large ruleset that intends to catch specific attacks on specific applications. There are some general SQL injection rules that work pretty well to catch most of what's covered here. But these rules are much more specific to apps and web servers. Run this if you run a highly critical web farm, or are interested in having exact information about incoming web attacks.
Malware Docs
.png)
