Databases:
mysql: MySQL-specific traffic
oracle: Oracle-specific traffic
sql: Microsoft SQL Server traffic
Email / News:
imap: Another common email retrieval protocol
nntp: Scans for attempts to take advantage of known exploits against newsgroup (NNTP) servers
pop2: Antiquated email protocol. Unlikely you'll need this
pop3: Very common email retrieval protocol
smtp: The most popular method used for sending email
Filesharing:
ftp: Old but still popular. This rule set detects suspicious traffic that may be attempting to attack an FTP server behind your firewall
p2p: Detects traffic generated by peer-to-peer programs such as KaZaA, BitTorrent and eDonkey
rpc: Information regarding NIS, NFS and other systems that use remote procedure calls
Miscellaneous:
attack-responses: Traffic that is typical of already-compromised machines
bad-traffic: Looks for traffic that should not be on any network
exploit: Another set of miscellaneous known exploits
misc: Miscellaneous suspicious traffic. Contains rules applicable to instant messaging clients (e.g. AIM), version control software (e.g. CVS), Active Directory servers (e.g. LDAP) and others. It is a good idea to enable this set of rules
multimedia: Looks for traffic indicative of people using streaming audio/video, which may be against company policy
other-ids: Looks for traffic indicative of another intrusion detection system
porn: Indicates access to adult-only material
x11: Information regarding UNIX X server usage
Network administration:
dns: Attempts to use known exploits against DNS (Domain Name System) servers
finger: Attacks against the antiquated 'finger' protocol
icmp: Suspicious ICMP traffic (enable if in doubt)
icmp-info: Provides information about 'normal' (i.e. non-suspicious) ICMP traffic
snmp: Attempts to use known exploits against SNMP servers
tftp: Normal traffic and known exploits of the old TFTP protocol
Network scanning / mapping:
scan: Finds traffic indicative of programs such as synscan, ipEye and nmap
Remote access / shells:
policy: Network traffic that may violate company policy
rservices: Antiquated UNIX remote shell access (rlogin/rsh). Enable only if you are running rlogin/rsh servers
shellcode: Looks for traffic common to many known exploits (may incur a significant performance hit if this set of rules is enabled)
telnet: Antiquated remote shell access
Viruses / Trojans / Denial-of-Service:
backdoor: Traffic used by common backdoor (trojan) programs
ddos: Distributed denial-of-service attacks, sometimes associated with 'zombie' computers attacking a server together. Enable if in doubt
dos: Denial-of-service attacks (enable if in doubt)
virus: Finds email attachments with suspicious file extensions
Websurfing / serving:
web-attacks: Logs attempts made to compromise server security by entering commands into web forms. Enable if you run a web server
web-cgi: Logs attacks made on web servers via known CGI exploits. Enable if you run a web server, even without any CGI scripts
web-client: Checks for attacks made on users' web browsers, and for suspicious traffic originating from users' machines. Enable if in doubt
web-coldfusion: Looks for attacks on system security made via Macromedia ColdFusion exploits. Only enable if you're using ColdFusion on your server
web-frontpage: Looks for suspicious activity on a server running the MS FrontPage extensions. Only enable if you use these extensions on a web server
web-iis: Finds attempts made on system security through MS IIS web server exploits
web-misc: Looks for suspicious activity and attacks made on web servers. Enable if you run a web server
web-php: Looks for attacks made on servers running PHP. Enable if you use PHP on your web server
Windows-specific exploits:
netbios: Traffic related to Windows shares, including malicious traffic. Enable if you share files via Windows built-in file sharing