
SIEM Use Cases - Comprehensive List

This document contains 187 rules related to network anomaly detection. The rules are grouped into categories such as authentication anomalies, database anomalies, denial of service attacks, and potential false positives. Device definitions, port definitions, and behavior definitions are also included to provide context for event classification.

Uploaded by

Rashid Kamal

Sr.  Rule Name

1 Anomaly: Devices with High Event Rates
2 Anomaly: DMZ Jumping
3 Anomaly: DMZ Reverse Tunnel
4 Anomaly: Excessive Database Connections
5 Anomaly: Excessive Firewall Accepts Across Multiple Hosts
6 Anomaly: Excessive Firewall Accepts From Multiple Sources to a Single Destination
7 Anomaly: Excessive Firewall Denies from Single Source
8 Anomaly: Long Duration Flow Involving a Remote Host
9 Anomaly: Long Duration ICMP Flows
10 Anomaly: Outbound Connection to a Foreign Country
11 Anomaly: Potential Honeypot Access
12 Anomaly: Remote Access from Foreign Country
13 Anomaly: Remote Inbound Communication from a Foreign Country
14 Anomaly: Single IP with Multiple MAC Addresses
15 Anomaly: Systems using many different protocols
16 Authentication: Login Failures Followed By Success to the same Destination IP
17 Authentication: Login Failures Followed By Success to the same Source IP
18 Authentication: Login Failures Followed By Success to the same Username
19 Authentication: Login Failure to Disabled Account
20 Authentication: Login Failure to Expired Account
21 Authentication: Login Successful After Scan Attempt
22 Authentication: Multiple Login Failures for Single Username
23 Authentication: Multiple Login Failures from the Same Source
24 Authentication: Multiple Login Failures to the Same Destination
25 Authentication: No Activity for 60 Days
26 Authentication: Possible Shared Accounts
27 Authentication: Repeat Non-Windows Login Failures
28 Authentication: Repeat Windows Login Failures
29 BB:BehaviorDefinition: Compromise Activities
30 BB:CategoryDefinition: Access Denied
31 BB:CategoryDefinition: Any Flow
32 BB:CategoryDefinition: Application or Service Installed or Modified
33 BB:CategoryDefinition: Auditing Changed
34 BB:CategoryDefinition: Authentication Failures
35 BB:CategoryDefinition: Authentication Success
36 BB:CategoryDefinition: Authentication to Disabled Account
37 BB:CategoryDefinition: Authentication to Expired Account
38 BB:CategoryDefinition: Authentication User or Group Added or Changed
39 BB:CategoryDefinition: Communication with File Sharing Sites
40 BB:CategoryDefinition: Communication with Free Email Sites
41 BB:CategoryDefinition: Database Access Denied
42 BB:DeviceDefinition: Database
43 BB:Database: System Action Allow
44 BB:Database: System Action Deny
45 BB:Database: User Addition or Change
46 BB:FalsePositive: Database Server False Positive Categories
47 BB:CategoryDefinition: Database Access Permited
48 BB:HostDefinition: Database Servers
49 BB:PortDefinition: Database Ports
50 Database: Attempted Configuration Modification by a remote host
51 Database: Remote Login Failure
52 Database: Concurrent Logins from Multiple Locations
53 Database: Failures Followed by User Changes
54 Database: Groups Changed from Remote Host
55 Database: Multiple Database Failures Followed by Success
56 Database: Remote Login Success
57 Database: User Rights Changed from Remote Host
58 BB:FalsePositive: Database Server False Positive Events
59 BB:FalsePositive: Device and Specific Event
60 BB:CategoryDefinition: DDoS Attack Events
61 BB:CategoryDefinition: Exploits Backdoors and Trojans
62 BB:CategoryDefinition: Failure Service or Hardware
63 BB:CategoryDefinition: Firewall or ACL Accept
64 BB:CategoryDefinition: Firewall or ACL Denies
65 BB:CategoryDefinition: Firewall System Errors
66 BB:CategoryDefinition: High Magnitude Events
67 BB:CategoryDefinition: Inverted Flows
68 BB:CategoryDefinition: IRC Detected Based on Application
69 BB:CategoryDefinition: IRC Detected Based on Event Category
70 BB:CategoryDefinition: IRC Detection Based on Firewall Events
71 BB:CategoryDefinition: Key Loggers
72 BB:CategoryDefinition: Mail Policy Violation
73 BB:CategoryDefinition: Malware Annoyances
74 BB:CategoryDefinition: Network DoS Attack
75 BB:CategoryDefinition: Off Hours
76 BB:CategoryDefinition: Regular Office Hours
77 BB:CategoryDefinition: Policy Events
78 BB:CategoryDefinition: Post DMZ Jump
79 BB:CategoryDefinition: Post Expolit Account Activity
80 BB:CategoryDefinition: Pre DMZ Jump
81 BB:CategoryDefinition: Pre Reverse DMZ Jump
82 BB:CategoryDefinition: Reverse DMZ Jump
83 BB:CategoryDefinition: Privileged Escalation Failed
84 BB:CategoryDefinition: Privileged Escalations
85 BB:CategoryDefinition: Recon Event Categories
86 BB:CategoryDefinition: Recon Events
87 BB:CategoryDefinition: Recon Flows
88 BB:CategoryDefinition: Rogue Access Point Detected
89 BB:CategoryDefinition: Service DoS
90 BB:CategoryDefinition: Service Started
91 BB:CategoryDefinition: Service Stopped
92 BB:CategoryDefinition: Session Closed
93 BB:CategoryDefinition: Session Opened
94 BB:CategoryDefinition: Successful Communication
95 BB:CategoryDefinition: Superuser Accounts
96 BB:CategoryDefinition: Suspicious Event Categories
97 BB:CategoryDefinition: Suspicious Events
98 BB:CategoryDefinition: Suspicious Flows
99 BB:CategoryDefinition: System Configuration
100 BB:CategoryDefinition: System Errors and Failures
101 BB:CategoryDefinition: System or Device Configuration Change
102 BB:CategoryDefinition: Unidirectional Flow
103 BB:CategoryDefinition: Unidirectional Flow DST
104 BB:CategoryDefinition: Unidirectional Flow SRC
105 BB:CategoryDefinition: Upload to Local WebServer
106 BB:CategoryDefinition: Virus Detected
107 Authentication: Multiple VoIP Login Failures
108 BB:CategoryDefinition: VoIP Authentication Failure Events
109 BB:CategoryDefinition: VoIP Session Opened
110 Exploit: Potential VoIP Toll Fraud
111 BB:HostDefinition: VoIP PBX Server
112 BB:HostDefinition: VPN Assets
113 BB:DeviceDefinition: VPN
114 BB:CategoryDefinition: VPN Access Accepted
115 BB:CategoryDefinition: VPN Access Denied
116 BB:CategoryDefinition: Windows Compliance Events
117 BB:CategoryDefinition: Windows SOX Compliance Events
118 BB:ComplianceDefinition: GLBA Servers
119 BB:ComplianceDefinition: HIPAA Servers
120 BB:ComplianceDefinition: PCI DSS Servers
121 BB:ComplianceDefinition: SOX Servers
122 BB:DeviceDefinition: Access / Authentication / Audit
123 BB:CategoryDefinition: Worm Events
124 BB:DeviceDefinition: AntiVirus
125 BB:DeviceDefinition: Application
126 BB:DeviceDefinition: Consumer Grade Routers
127 BB:DeviceDefinition: Consumer Grade Wireless APs
128 BB:DeviceDefinition: Devices to Monitor for High Event Rates
129 BB:DeviceDefinition: FW / Router / Switch
130 BB:DeviceDefinition: IDS / IPS
131 BB:DoS: Local: Distributed DoS Attack (High Number of Hosts)
132 BB:DoS: Local: Distributed DoS Attack (Low Number of Hosts)
133 BB:DoS: Local: Distributed DoS Attack (Medium Number of Hosts)
134 BB:DoS: Local: Flood Attack (High)
135 BB:DoS: Local: Flood Attack (Low)
136 BB:DoS: Local: Flood Attack (Medium)
137 BB:DoS: Local: Potential ICMP DoS
138 BB:DoS: Local: Potential TCP DoS
139 BB:DoS: Local: Potential UDP DoS
140 BB:DoS: Local: Potential Unresponsive Server or Distributed DoS
141 BB:DoS: Remote: Distributed DoS Attack (High Number of Hosts)
142 BB:DoS: Remote: Distributed DoS Attack (Low Number of Hosts)
143 BB:DoS: Remote: Distributed DoS Attack (Medium Number of Hosts)
144 BB:DoS: Remote: Flood Attack (High)
145 BB:DoS: Remote: Flood Attack (Low)
146 BB:DoS: Remote: Flood Attack (Medium)
147 BB:DoS: Remote: Potential ICMP DoS
148 BB:DoS: Remote: Potential TCP DoS
149 BB:DoS: Remote: Potential UDP DoS
150 BB:DoS: Remote: Potential Unresponsive Server or Distributed DoS
151 BB:FalseNegative: Events That Indicate Successful Compromise
152 BB:FalsePositive: All Default False Positive BBs
153 BB:FalsePositive: Broadcast Address False Positive Categories
154 BB:FalsePositive: DHCP Server False Positive Categories
155 BB:FalsePositive: DHCP Server False Positive Events
156 BB:FalsePositive: DNS Server False Positive Categories
157 BB:FalsePositive: DNS Server False Positive Events
158 BB:FalsePositive: Firewall Deny False Postive Events
159 BB:FalsePositive: FTP Server False Positive Categories
160 BB:FalsePositive: FTP Server False Positive Events
161 BB:FalsePositive: Global False Positive Events
162 BB:FalsePositive: Large Volume Local FW Events
163 BB:FalsePositive: LDAP Server False Positive Categories
164 BB:FalsePositive: LDAP Server False Positive Events
165 BB:FalsePositive: Local Source to Local Destination False Positives
166 BB:FalsePositive: Local Source to Remote Destination False Positives
167 BB:FalsePositive: Mail Server False Positive Categories
168 BB:FalsePositive: Mail Server False Positive Events
169 BB:FalsePositive: Network Management Server Recon
170 BB:FalsePositive: Proxy Server False Positive Categories
171 BB:FalsePositive: Proxy Server False Positive Events
172 BB:FalsePositive: Remote Source to Local Destination False Positives
173 BB:FalsePositive: RPC Server False Positive Categories
174 BB:FalsePositive: RPC Server False Positive Events
175 BB:FalsePositive: SNMP Sender or Receiver False Positive Categories
176 BB:FalsePositive: SNMP Sender or Receiver False Positive Events
177 BB:FalsePositive: Source IP and Specific Event
178 BB:FalsePositive: SSH Server False Positive Categories
179 BB:FalsePositive: SSH Server False Positive Events
180 BB:FalsePositive: Syslog Sender False Positive Categories
181 BB:FalsePositive: Syslog Sender False Positive Events
182 BB:FalsePositive: Virus Definition Update Categories
183 BB:FalsePositive: Web Server False Positive Categories
184 BB:FalsePositive: Web Server False Positive Events
185 BB:FalsePositive: Windows AD Source Authentication Events
186 BB:FalsePositive: Windows Server False Positive Categories Local
187 BB:FalsePositive: Windows Server False Positive Events
188 BB:Flowshape: Balanced
189 BB:Flowshape: Inbound Only
190 BB:Flowshape: Local Balanced
191 BB:Flowshape: Local Unidirectional
192 BB:Flowshape: Mostly Inbound
193 BB:Flowshape: Mostly Outbound
194 BB:Flowshape: Outbound Only
195 BB:HostBased: Critical Events
196 BB:HostDefinition: Consultant Assets
197 BB:HostDefinition: DHCP Servers
198 BB:HostDefinition: DMZ Assets
199 BB:HostDefinition: DNS Servers
200 BB:HostDefinition: FTP Servers
201 BB:HostDefinition: Host with Port Open
202 BB:HostDefinition: LDAP Servers
203 BB:HostDefinition: Local Assets
204 BB:HostDefinition: MailServer Assets
205 BB:HostDefinition: Mail Servers
206 BB:HostDefinition: Network Management Servers
207 BB:HostDefinition: Protected Assets
208 BB:HostDefinition: Proxy Servers
209 BB:HostDefinition: Regulatory Assets
210 BB:HostDefinition: Remote Assets
211 BB:HostDefinition: RPC Servers
212 BB:HostDefinition: Servers
213 BB:HostDefinition: SNMP Sender or Receiver
214 BB:HostDefinition: SSH Servers
215 BB:HostDefinition: Syslog Servers and Senders
216 BB:HostDefinition: VA Scanner Source IP
217 BB:HostDefinition: Virus Definition and Other Update Servers
218 BB:HostDefinition: Web Servers
219 BB:HostDefinition: Windows Servers
220 BB:NetworkDefinition: Broadcast Address Space
221 BB:NetworkDefinition: Client Networks
222 BB:NetworkDefinition: Darknet Addresses
223 BB:NetworkDefinition: DLP Addresses
224 BB:NetworkDefinition: DMZ Addresses (DST)
225 BB:NetworkDefinition: DMZ Addresses (SRC)
226 BB:NetworkDefinition: DMZ Addresses
227 BB:NetworkDefinition: Honeypot like Addresses
228 BB:NetworkDefinition: Inbound Communication from Internet to Local Host
229 BB:NetworkDefinition: Multicast Address Space
230 BB:NetworkDefinition: NAT Address Range
231 BB:NetworkDefinition: Server Networks
232 BB:NetworkDefinition: Trusted Network Segment
233 BB:NetworkDefinition: Undefined IP Space
234 BB:NetworkDefinition: Untrusted Local Networks
235 BB:NetworkDefinition: Untrusted Network Segment
236 BB:NetworkDefinition: Watch List Addresses
237 BB:Policy: Application Policy Violation Events
238 BB:Policy: IRC/IM Connection Violations
239 BB:Policy: Policy P2P
240 BB:Policy Violation: Application Policy Violation: NNTP to Internet
241 BB:Policy Violation: Application Policy Violation: Unknown Local Service
242 BB:Policy Violation: Compliance Policy Violation: Clear Text Application Usage
243 BB:Policy Violation: Compliance Policy Violation: Clear Text Application Usage
244 BB:Policy Violation: Connection to Social Networking Web Site
245 BB:Policy Violation: IRC IM Policy Violation: IM Communications
246 BB:Policy Violation: IRC IM Policy Violation: IM Communications
247 BB:Policy Violation: IRC IM Policy Violation: IRC Connection to Internet
248 BB:Policy Violation: Large Outbound Transfer
249 BB:Policy Violation: Mail Policy Violation: Outbound Mail Sender
250 BB:Policy Violation: Mail Policy Violation: Remote Connection to Local Mail Server
251 BB:Policy Violation: P2P Policy Violation: Local P2P Client
252 BB:Policy Violation: P2P Policy Violation: Local P2P Server
253 BB:Policy Violation: Remote Access Policy Violation: Remote Access Shell
254 BB:PortDefinition: Authorized L2R Ports
255 BB:PortDefinition: Common Worm Ports
256 BB:PortDefinition: DHCP Ports
257 BB:PortDefinition: DNS Ports
258 BB:PortDefinition: FTP Ports
259 BB:PortDefinition: Game Server Ports
260 BB:PortDefinition: IM Ports
261 BB:PortDefinition: IRC Ports
262 BB:PortDefinition: LDAP Ports
263 BB:PortDefinition: Mail Ports
264 BB:PortDefinition: P2P Ports
265 BB:PortDefinition: Proxy Ports
266 BB:PortDefinition: RPC Ports
267 BB:PortDefinition: SNMP Ports
268 BB:PortDefinition: SSH Ports
269 BB:PortDefinition: Syslog Ports
270 BB:PortDefinition: Web Ports
271 BB:PortDefinition: Windows Ports
272 BB:ProtocolDefinition: Windows Protocols
273 BB:ReconDetected: All Recon Rules
274 BB:ReconDetected: Devices That Merge Recon into Single Events
275 BB:ReconDetection: Host Port Scan
276 BB:ReconDetection: Port Scan Detected Across Multiple Hosts
277 BB:Recon: Local: ICMP Scan (High)
278 BB:Recon: Local: ICMP Scan (Low)
279 BB:Recon: Local: ICMP Scan (Medium)
280 BB:Recon: Local: Potential Network Scan
281 BB:Recon: Local: Scanning Activity (High)
282 BB:Recon: Local: Scanning Activity (Low)
283 BB:Recon: Local: Scanning Activity (Medium)
284 BB:Recon: Remote: ICMP Scan (High)
285 BB:Recon: Remote: ICMP Scan (Low)
286 BB:Recon: Remote: ICMP Scan (Medium)
287 BB:Recon: Remote: Potential Network Scan
288 BB:Recon: Remote: Scanning Activity (High)
289 BB:Recon: Remote: Scanning Activity (Low)
290 BB:Recon: Remote: Scanning Activity (Medium)
291 BB:Suspicious: Local: Anomalous ICMP Flows
292 BB:Suspicious: Local: Inbound Unidirectional Flows Threshold
293 BB:Suspicious: Local: Invalid TCP Flag Usage
294 BB:Suspicious: Local: Outbound Unidirectional Flows Threshold
295 BB:Suspicious: Local: Port 0 Flows Detected
296 BB:Suspicious: Local: Rejected Communication Attempts
297 BB:Suspicious: Local: Unidirectional ICMP Detected
298 BB:Suspicious: Local: Unidirectional ICMP Responses Detected
299 BB:Suspicious: Local: Unidirectional TCP Flows
300 BB:Suspicious: Local: Unidirectional UDP or Misc Flows
301 BB:Suspicious: Remote: Anomalous ICMP Flows
302 BB:Suspicious: Remote: Inbound Unidirectional Flows Threshold
303 BB:Suspicious: Remote: Invalid TCP Flag Usage
304 BB:Suspicious: Remote: Outbound Unidirectional Flows Threshold
305 BB:Suspicious: Remote: Port 0 Flows Detected
306 BB:Suspicious: Remote: Rejected Communications Attempts
307 BB:Suspicious: Remote: Unidirectional ICMP Detected
308 BB:Suspicious: Remote: Unidirectional ICMP Responses Detected
309 BB:Suspicious: Remote: Unidirectional TCP Flows
310 BB:Suspicious: Remote: Unidirectional UDP or Misc Flows
311 BB:Threats: DoS: Inbound Flood with No Response High
312 BB:Threats: DoS: Inbound Flood with No Response Low
313 BB:Threats: DoS: Inbound Flood with No Response Medium
314 BB:Threats: DoS: Multi-Host Attack High
315 BB:Threats: DoS: Multi-Host Attack Low
316 BB:Threats: DoS: Multi-Host Attack Medium
317 BB:Threats: DoS: Outbound Flood with No Response High
318 BB:Threats: DoS: Outbound Flood with No Response Low
319 BB:Threats: DoS: Outbound Flood with No Response Medium
320 BB:Threats: DoS: Potential ICMP DoS
321 BB:Threats: DoS: Potential Multihost Attack
322 BB:Threats: DoS: Potential TCP DoS
323 BB:Threats: DoS: Potential UDP DoS
324 BB:Threats: Port Scans: Host Scans
325 BB:Threats: Port Scans: UDP Port Scan
326 BB:Threats: Remote Access Violations: Remote Desktop Access from Remote Hosts
327 BB:Threats: Remote Access Violations: VNC Activity from Remote Hosts
328 BB:Threats: Scanning: Empty Responsive Flows High
329 BB:Threats: Scanning: Empty Responsive Flows Low
330 BB:Threats: Scanning: Empty Responsive Flows Medium
331 BB:Threats: Scanning: ICMP Scan High
332 BB:Threats: Scanning: ICMP Scan Low
333 BB:Threats: Scanning: ICMP Scan Medium
334 BB:Threats: Scanning: Potential Scan
335 BB:Threats: Scanning: Scan High
336 BB:Threats: Scanning: Scan Low
337 BB:Threats: Scanning: Scan Medium
338 BB:Threats: Suspicious Activity: Suspicious IRC Traffic
339 BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination
340 BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets
341 BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets
342 BB:Threats: Suspicious IP Protocol Usage: Long Duration Outbound Flow
343 BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code
344 BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0
345 BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows
346 BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Replys
347 BB:Threats: Suspicious IP Protocol Usage: Unidirectional TCP Flows
348 BB:Threats: Suspicious IP Protocol Usage: Unidirectional UDP and Misc Flows
349 BB:Threats: Suspicious IP Protocol Usage: Zero Payload Bidirectional Flows
350 Botnet: Local host on Botnet CandC List (DST)
351 Botnet: Local host on Botnet CandC List (SRC)
352 Botnet: Potential Botnet Connection (DNS)
353 Botnet: Potential Botnet Events Become Offenses
354 Botnet: Potential Connection to a Known Botnet CandC
355 Botnet: Successful Inbound Connection from a Known Botnet CandC
356 Compliance: Auditing Services Changed on Compliance Host
357 Compliance: Compliance Events Become Offenses
358 Compliance: Configuration Change Made to Device in Compliance network
359 Compliance: Excessive Failed Logins to Compliance IS
360 Compliance: Multiple Failed Logins to a Compliance Asset
361 Compliance: Traffic from DMZ to Internal Network
362 Compliance: Traffic from Untrusted Network to Trusted Network
363 DDoS: DDoS Attack Detected
364 DDoS: DDoS Events with High Magnitude Become Offenses
365 DDoS: Potential DDoS Against Single Host (ICMP)
366 DDoS: Potential DDoS Against Single Host (Other)
367 DDoS: Potential DDoS Against Single Host (TCP)
368 DDoS: Potential DDoS Against Single Host (UDP)
369 Default-Response-E-mail: Offense E-mail Sender
370 Default-Response-Syslog: Offense SYSLOG Sender
371 DoS: DoS Events from Darknet
372 DoS: DoS Events with High Magnitude Become Offenses
373 DoS: Local Flood (ICMP)
374 DoS: Local Flood (Other)
375 DoS: Local Flood (TCP)
376 DoS: Local Flood (UDP)
377 DoS: Network DoS Attack Detected
378 DoS: Network DoS Attack Detected
379 DoS: Remote Flood (ICMP)
380 DoS: Remote Flood (Other)
381 DoS: Remote Flood (TCP)
382 DoS: Remote Flood (UDP)
383 DoS: Service DoS Attack Detected
384 Exploit: All Exploits Become Offenses
385 Exploit: Attack followed by Attack Response
386 Exploit: Chained Exploit Followed by Suspicious Events
387 Exploit: Destination Vulnerable to Detected Exploit on a Different Port
388 Exploit: Destination Vulnerable to Detected Exploit
389 Exploit: Destination Vulnerable to Detected Exploit
390 Exploit: Destination Vulnerable to Different Exploit than Attempted on Targeted Port
391 Exploit: Exploit Followed by Suspicious Host Activity
392 Exploit: Exploit/Malware Events Across Multiple Destinations
393 Exploit: Exploit/Malware Events Across Multiple Destinations
394 Exploit: Exploits Events with High Magnitude Become Offenses
395 Exploit: Exploits Events with High Magnitude Become Offenses
396 Exploit: Exploits Followed by Firewall Accepts
397 Exploit: Multiple Exploit Types Against Single Destination
398 Exploit: Multiple Vector Attack Source
399 Exploit: Recon Followed by Exploit
400 Exploit: Recon Followed by Exploit
401 Exploit: Source Vulnerable to any Exploit
402 Exploit: Source Vulnerable to this Exploit
403 FalsePositive: False Positive Rules and Building Blocks
404 Magnitude Adjustment: Context is Local to Local
405 Magnitude Adjustment: Context is Local to Remote
406 Magnitude Adjustment: Context is Remote to Local
407 Magnitude Adjustment: Destination Asset Exists
408 Magnitude Adjustment: Destination Asset Port is Open
409 Magnitude Adjustment: Destination Network Weight is High
410 Magnitude Adjustment: Destination Network Weight is Low
411 Magnitude Adjustment: Destination Network Weight is Medium
412 Magnitude Adjustment: Source Address is a Bogon IP
413 Magnitude Adjustment: Source Address is a Known Questionable IP
414 Magnitude Adjustment: Source Asset Exists
415 Magnitude Adjustment: Source Network Weight is High
416 Magnitude Adjustment: Source Network Weight is Low
417 Magnitude Adjustment: Source Network Weight is Medium
418 Malware: Communication with a site that has been involved in previous SQL injection
419 Malware: Communication with a site that is listed on a know blacklist or uses fast flux
420 Malware: Communication with a web site known to aid in distribution of malware
421 Malware: Communication with a web site known to be a phishing or fraud site
422 Malware: Communication with a web site known to be associated with the Russian business network
423 Malware: Communication with a web site known to be delivering code which may be a trojan
424 Malware: Communication with a web site known to be involved in botnet activity
425 Malware: Local Host Sending Malware
426 Malware: Malware or Virus Clean Failed
427 Malware: Remote: Client Based DNS Activity to the Internet
428 Malware: Treat Backdoor Trojans and Virus Events as Offenses
429 Malware: Treat Key Loggers as Offenses
430 Malware: Treat Non-Spyware Malware as Offenses
431 Malware: Treat Spyware and Virus as Offenses
432 Policy: Connection to a Remote Proxy or Anonymization Service (Inbound)
433 Policy: Connection to a Remote Proxy or Anonymization Service (Outbound)
434 Policy: Connection to Internet on Unauthorized Port
435 Policy: Create Offenses for All Chat Traffic based on Flows
436 Policy: Create Offenses for All Instant Messenger Traffic
437 Policy: Create Offenses for All P2P Usage
438 Policy: Create Offenses for All Policy Events
439 Policy: Create Offenses for All Porn Usage
440 Policy: Host has SANS Top 20 Vulnerability
441 Policy: Large Outbound Transfer High Rate of Transfer
442 Policy: Large Outbound Transfer Slow Rate of Transfer
443 Policy: Local: Clear Text Application Usage
444 Policy: Local: Clear Text Application Usage
445 Policy: Local: Hidden FTP Server
446 Policy: Local: SSH or Telnet Detected on Non-Standard Port
447 Policy: New DHCP Server Discovered
448 Policy: New Host Discovered
449 Policy: New Host Discovered in DMZ
450 Policy: New Service Discovered
451 Policy: New Service Discovered in DMZ
452 Policy: Possible Local IRC Server
453 Policy: Remote: Clear Text Application Usage based on Flows
454 Policy: Remote: Hidden FTP Server
455 Policy: Remote: IM/Chat
456 Policy: Remote: IRC Connections
457 Policy: Remote: Local P2P Client Connected to more than 100 Servers
458 Policy: Remote: Local P2P Client Detected
459 Policy: Remote: Local P2P Server connected to more than 100 Clients
460 Policy: Remote: Local P2P Server Detected
461 Policy: Remote: Long Duration Flow Detected
462 Policy: Remote: Possible Tunneling
463 Policy: Remote: Remote Desktop Access from the Internet
464 Policy: Remote: SMTP Mail Sender
465 Policy: Remote: SSH or Telnet Detected on Non-Standard Port
466 Policy: Remote: Usenet Usage
467 Policy: Remote: VNC Access from the Internet to a Local Host
468 Policy: Upload to Local WebServer
469 Recon: Aggressive Local Scanner Detected
470 Recon: Aggressive Remote Scanner Detected
471 Recon: Excessive Firewall Denies from Local Host
472 Recon: Host Port Scan Detected by Remote Host
473 Recon: Increase Magnitude of High Rate Scans
474 Recon: Increase Magnitude of Medium Rate Scans
475 Recon: Local Database Scanner
476 Recon: Local DHCP Scanner
477 Recon: Local DNS Scanner
478 Recon: Local FTP Scanner
479 Recon: Local Game Server Scanner
480 Recon: Local ICMP Scanner
481 Recon: Local IM Server Scanner
482 Recon: Local IRC Server Scanner
483 Recon: Local LDAP Server Scanner
484 Recon: Local Mail Server Scanner
485 Recon: Local P2P Server Scanner
486 Recon: Local Proxy Server Scanner
487 Recon: Local RPC Server Scanner
488 Recon: Local Scanner Detected
489 Recon: Local SNMP Scanner
490 Recon: Local SSH Server Scanner
491 Recon: Local Suspicious Probe Events Detected
492 Recon: Local TCP Scanner
493 Recon: Local UDP Scanner
494 Recon: Local Web Server Scanner
495 Recon: Local Windows Scanner to Internet
496 Recon: Local Windows Server Scanner
497 Recon: Potential Local Port Scan Detected
498 Recon: Potential P2P or VoIP Traffic Detected
499 Recon: Recon Followed by Accept
500 Recon: Remote Database Scanner
501 Recon: Remote DHCP Scanner
502 Recon: Remote DNS Scanner
503 Recon: Remote FTP Scanner
504 Recon: Remote FTP Scanner
505 Recon: Remote Game Server Scanner
506 Recon: Remote ICMP Scanner
507 Recon: Remote IM Server Scanner
508 Recon: Remote IRC Server Scanner
509 Recon: Remote LDAP Server Scanner
510 Recon: Remote LDAP Server Scanner
511 Recon: Remote Mail Server Scanner
512 Recon: Remote P2P Scanner
513 Recon: Remote Proxy Server Scanner
514 Recon: Remote RPC Server Scanner
515 Recon: Remote Scanner Detected
516 Recon: Remote SNMP Scanner
517 Recon: Remote SSH Server Scanner
518 Recon: Remote SSH Server Scanner
519 Recon: Remote Suspicious Probe Events Detected
520 Recon: Remote TCP Scanner
521 Recon: Remote UDP Scanner
522 Recon: Remote Web Server Scanner
523 Recon: Remote Windows Server Scanner
524 Recon: Single Merged Recon Events Local Scanner
525 Recon: Single Merged Recon Events Remote Scanner
526 SuspiciousActivity: Common Non-Local to Remote Ports
527 SuspiciousActivity: Communication with Known Hostile Networks
528 SuspiciousActivity: Communication with Known Online Services
529 SuspiciousActivity: Communication with Known Watched Networks
530 SuspiciousActivity: Consumer Grade Equipment
531 System: 100% Accurate Events
532 System: Critical System Events
533 System: Device Stopped Sending Events (Firewall, IPS, VPN or Switch)
534 System: Device Stopped Sending Events (Firewall, IPS, VPN or Switch)
535 System: Device Stopped Sending Events
536 System: Flow Source Stopped Sending Flows
537 System: Host Based Failures
538 System: Load Building Blocks
539 System: Multiple System Errors
540 System: Notification
541 System: Service Stopped and not Restarted
542 User:BB:FalsePositives: User Defined Server Type 1 False Positive Categories
543 User:BB:FalsePositives: User Defined Server Type 2 False Positive Events
544 User:BB:FalsePositives: User Defined Server Type 3 False Positive Categories
545 User-BB-FalsePositive: User Defined False Positives Tunings
546 User:BB:HostDefinition: Server Type 1 - User Defined
547 User:BB:HostDefinition: Server Type 2 - User Defined
548 User:BB:HostDefinition: Server Type 3 - User Defined
549 Vulnerabilities: Vulnerability Reported by Scanner
550 WormDetection: Local Mass Mailing Host Detected
551 WormDetection: Possible Local Worm Detected
552 WormDetection: Successful Connections to the Internet on Common Worm Ports
553 WormDetection: Worm Detected (Events)
554 WormDetection: Worm Detected (Events)