Suspicious Activity

The Suspicious Activity category contains events related to viruses, trojans, backdoor attacks, and other forms of hostile software, together with the protocol anomalies, evasion attempts, and address-reputation hits that typically accompany them.

The following table describes the low-level event categories and associated severity levels for the Suspicious Activity category. The severity level is the default assigned to an event that is mapped to that low-level category; it is one of the inputs to the event's magnitude, alongside credibility and relevance, so a severity-3 row here does not by itself mean the event will rank low once correlated.

Table 1: Low-level Categories and Severity Levels for the Suspicious Activity Events Category

Low-level event category | Category ID | Description | Severity level (0-10)
Unknown Suspicious Event | 7001 | Indicates an unknown suspicious event. | 3
Suspicious Pattern Detected | 7002 | Indicates that a suspicious pattern was detected. | 3
Content Modified By Firewall | 7003 | Indicates that content was modified by the firewall. | 3
Invalid Command or Data | 7004 | Indicates an invalid command or invalid data. | 3
Suspicious Packet | 7005 | Indicates a suspicious packet. | 3
Suspicious Activity | 7006 | Indicates suspicious activity. | 3
Suspicious File Name | 7007 | Indicates a suspicious file name. | 3
Suspicious Port Activity | 7008 | Indicates suspicious port activity. | 3
Suspicious Routing | 7009 | Indicates suspicious routing. | 3
Potential Web Vulnerability | 7010 | Indicates a potential web vulnerability. | 3
Unknown Evasion Event | 7011 | Indicates an unknown evasion event. | 5
IP Spoof | 7012 | Indicates an IP spoof. | 5
IP Fragmentation | 7013 | Indicates IP fragmentation. | 3
Overlapping IP Fragments | 7014 | Indicates overlapping IP fragments. | 5
IDS Evasion | 7015 | Indicates an IDS evasion. | 5
DNS Protocol Anomaly | 7016 | Indicates a DNS protocol anomaly. | 3
FTP Protocol Anomaly | 7017 | Indicates an FTP protocol anomaly. | 3
Mail Protocol Anomaly | 7018 | Indicates a mail protocol anomaly. | 3
Routing Protocol Anomaly | 7019 | Indicates a routing protocol anomaly. | 3
Web Protocol Anomaly | 7020 | Indicates a web protocol anomaly. | 3
SQL Protocol Anomaly | 7021 | Indicates an SQL protocol anomaly. | 3
Executable Code Detected | 7022 | Indicates that executable code was detected. | 5
Misc Suspicious Event | 7023 | Indicates a miscellaneous suspicious event. | 3
Information Leak | 7024 | Indicates an information leak. | 1
Potential Mail Vulnerability | 7025 | Indicates a potential vulnerability in the mail server. | 4
Potential Version Vulnerability | 7026 | Indicates a potential vulnerability in the JSA version. | 4
Potential FTP Vulnerability | 7027 | Indicates a potential FTP vulnerability. | 4
Potential SSH Vulnerability | 7028 | Indicates a potential SSH vulnerability. | 4
Potential DNS Vulnerability | 7029 | Indicates a potential vulnerability in the DNS server. | 4
Potential SMB Vulnerability | 7030 | Indicates a potential SMB (Server Message Block) vulnerability. | 4
Potential Database Vulnerability | 7031 | Indicates a potential vulnerability in the database. | 4
IP Protocol Anomaly | 7032 | Indicates a potential IP protocol anomaly. | 3
Suspicious IP Address | 7033 | Indicates that a suspicious IP address was detected. | 2
Invalid IP Protocol Usage | 7034 | Indicates invalid use of an IP protocol. | 2
Invalid Protocol | 7035 | Indicates an invalid protocol. | 4
Suspicious Window Events | 7036 | Indicates a suspicious desktop window event. | 2
Suspicious ICMP Activity | 7037 | Indicates suspicious ICMP activity. | 2
Potential NFS Vulnerability | 7038 | Indicates a potential Network File System (NFS) vulnerability. | 4
Potential NNTP Vulnerability | 7039 | Indicates a potential Network News Transfer Protocol (NNTP) vulnerability. | 4
Potential RPC Vulnerability | 7040 | Indicates a potential RPC vulnerability. | 4
Potential Telnet Vulnerability | 7041 | Indicates a potential Telnet vulnerability on your system. | 4
Potential SNMP Vulnerability | 7042 | Indicates a potential SNMP vulnerability. | 4
Illegal TCP Flag Combination | 7043 | Indicates that an invalid TCP flag combination was detected. | 5
Suspicious TCP Flag Combination | 7044 | Indicates that a potentially invalid TCP flag combination was detected. | 4
Illegal ICMP Protocol Usage | 7045 | Indicates that an invalid use of the ICMP protocol was detected. | 5
Suspicious ICMP Protocol Usage | 7046 | Indicates that a potentially invalid use of the ICMP protocol was detected. | 4
Illegal ICMP Type | 7047 | Indicates that an invalid ICMP type was detected. | 5
Illegal ICMP Code | 7048 | Indicates that an invalid ICMP code was detected. | 5
Suspicious ICMP Type | 7049 | Indicates that a potentially invalid ICMP type was detected. | 4
Suspicious ICMP Code | 7050 | Indicates that a potentially invalid ICMP code was detected. | 4
TCP port 0 | 7051 | Indicates that a TCP packet uses the reserved port 0 as its source or destination. | 4
UDP port 0 | 7052 | Indicates that a UDP packet uses the reserved port 0 as its source or destination. | 4
Hostile IP | 7053 | Indicates the use of a known hostile IP address. | 4
Watch list IP | 7054 | Indicates the use of an IP address from a watch list of IP addresses. | 4
Known offender IP | 7055 | Indicates the use of an IP address of a known offender. | 4
RFC 1918 (private) IP | 7056 | Indicates the use of an IP address from a private (RFC 1918) address range. | 4
Potential VoIP Vulnerability | 7057 | Indicates a potential VoIP vulnerability. | 4
Blacklist Address | 7058 | Indicates that an IP address is on the blacklist. | 8
Watchlist Address | 7059 | Indicates that the IP address is on the list of IP addresses being monitored. | 7
Darknet Address | 7060 | Indicates that the IP address is part of a darknet (unused address space that should receive no legitimate traffic). | 5
Botnet Address | 7061 | Indicates that the address is part of a botnet. | 7
Suspicious Address | 7062 | Indicates that the IP address must be monitored. | 5
Bad Content | 7063 | Indicates that bad content was detected. | 7
Invalid Cert | 7064 | Indicates that an invalid certificate was detected. | 7
User Activity | 7065 | Indicates that user activity was detected. | 7
Suspicious Protocol Usage | 7066 | Indicates that suspicious protocol usage was detected. | 5
Suspicious BGP Activity | 7067 | Indicates that suspicious Border Gateway Protocol (BGP) usage was detected. | 5
Route Poisoning | 7068 | Indicates that route corruption was detected. | 5
ARP Poisoning | 7069 | Indicates that ARP-cache poisoning was detected. | 5
Rogue Device Detected | 7070 | Indicates that a rogue device was detected. | 5
Government Agency Address | 7071 | Indicates that a government agency address was detected. | 3
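Several rows in the table name a concrete packet-level condition (IP Spoof, Overlapping IP Fragments, the TCP flag combinations, TCP/UDP port 0, RFC 1918 source). The following Python is an added example, not code from this page and not JSA's own event-mapping logic: it classifies constructed packet records into those category IDs and reports the table's default severity for each. The category IDs and severities are copied from the table; the inspection rules (which flag combinations count as illegal versus merely suspicious, how fragment overlap is detected), the INTERNAL_PREFIX used for the spoof check, and the sample packets are this example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Category ID -> (name, default severity), copied from the table above for the
# categories this example can emit.
CATEGORIES = {
    7012: ("IP Spoof", 5),
    7014: ("Overlapping IP Fragments", 5),
    7043: ("Illegal TCP Flag Combination", 5),
    7044: ("Suspicious TCP Flag Combination", 4),
    7051: ("TCP port 0", 4),
    7052: ("UDP port 0", 4),
    7056: ("RFC 1918 (private) IP", 4),
}

RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16"))

# Assumption (not from the page): the monitored site owns this prefix, so a
# packet arriving on the outside interface with a source inside it is spoofed.
INTERNAL_PREFIX = ip_network("203.0.113.0/24")

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp" or "udp"
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0
    ip_id: int = 0
    frag_offset: int = 0       # in 8-byte units, as carried on the wire
    frag_len: int = 0          # payload bytes in this fragment; 0 = unfragmented
    from_outside: bool = True  # arrived on the external interface


def tcp_flag_category(flags: int) -> Optional[int]:
    """Map a TCP flag byte to 7043 or 7044 using this example's own rules:
    impossible combinations are illegal, known scan signatures are suspicious."""
    if flags & SYN and flags & (FIN | RST):
        return 7043                     # SYN+FIN / SYN+RST never occur legitimately
    if flags & 0x3F == 0:
        return 7043                     # NULL scan: no flags at all
    if flags & (FIN | PSH | URG) and not flags & (ACK | SYN):
        return 7044                     # FIN / Xmas-style probes without ACK
    return None


class FragmentTracker:
    """Remember fragment byte ranges per (src, dst, ip_id) and flag overlaps."""
    def __init__(self) -> None:
        self.seen: Dict[Tuple[str, str, int], List[Tuple[int, int]]] = {}

    def overlaps(self, p: Packet) -> bool:
        if p.frag_len == 0:
            return False
        start, end = p.frag_offset * 8, p.frag_offset * 8 + p.frag_len
        ranges = self.seen.setdefault((p.src, p.dst, p.ip_id), [])
        hit = any(start < e and end > s for s, e in ranges)
        ranges.append((start, end))
        return hit


def classify(p: Packet, frags: FragmentTracker) -> List[int]:
    """Return every low-level category ID from CATEGORIES that the packet triggers."""
    ids: List[int] = []
    src = ip_address(p.src)
    if p.from_outside and src in INTERNAL_PREFIX:
        ids.append(7012)
    if p.from_outside and any(src in n for n in RFC1918):
        ids.append(7056)
    if frags.overlaps(p):
        ids.append(7014)
    if p.proto == "tcp":
        cat = tcp_flag_category(p.tcp_flags)
        if cat:
            ids.append(cat)
        if 0 in (p.sport, p.dport):
            ids.append(7051)
    elif p.proto == "udp" and 0 in (p.sport, p.dport):
        ids.append(7052)
    return ids


def max_severity(ids: List[int]) -> int:
    """Highest default severity among the triggered categories (this example's
    ranking choice; JSA's magnitude calculation is not reproduced here)."""
    return max((CATEGORIES[i][1] for i in ids), default=0)


# Constructed sample traffic, not captured data.
SAMPLE = [
    Packet("198.51.100.7", "203.0.113.10", "tcp", 40000, 22, tcp_flags=SYN),              # clean
    Packet("198.51.100.7", "203.0.113.10", "tcp", 40001, 22, tcp_flags=SYN | FIN),        # 7043
    Packet("198.51.100.7", "203.0.113.10", "tcp", 40002, 22, tcp_flags=FIN | PSH | URG),  # 7044
    Packet("10.9.8.7", "203.0.113.10", "udp", 0, 53),                                     # 7056 + 7052
    Packet("203.0.113.5", "203.0.113.10", "tcp", 1234, 80, tcp_flags=SYN),                # 7012
    Packet("198.51.100.9", "203.0.113.10", "udp", 5000, 5000, ip_id=77, frag_offset=0, frag_len=1480),
    Packet("198.51.100.9", "203.0.113.10", "udp", 5000, 5000, ip_id=77, frag_offset=100, frag_len=800),  # 7014
]

if __name__ == "__main__":
    tracker = FragmentTracker()
    for pkt in SAMPLE:
        ids = classify(pkt, tracker)
        names = ", ".join(f"{i} {CATEGORIES[i][0]}" for i in ids) or "none"
        print(f"{pkt.src:>14} -> {pkt.dst} {pkt.proto}: {names} (severity {max_severity(ids)})")
```

The fragment tracker is stateful on purpose: an overlapping fragment is only recognisable against fragments already seen for the same (source, destination, IP ID) tuple, which is why a sensor reports 7013 (IP Fragmentation) on the first fragment and only escalates to 7014 when a later fragment rewrites bytes already received. One packet can legitimately map to more than one row (the RFC 1918 source with UDP port 0 above yields 7056 and 7052), so when tuning rules on these categories, correlate the address-reputation rows (7053 to 7062) with the packet-level rows rather than treating any single default severity as the event's final rank.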
