Recon
The Recon category contains events that are related to scanning and other techniques that are used to identify network resources.
The following table describes the low-level event categories and associated severity levels for the Recon category.
Table 1: Low-level Categories and Severity Levels for the Recon Events Category
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Unknown Form of Recon | 1001 | An unknown form of reconnaissance. | 2 |
Application Query | 1002 | Reconnaissance of applications on your system. | 3 |
Host Query | 1003 | Reconnaissance of a host in your network. | 3 |
Network Sweep | 1004 | Reconnaissance on your network. | 4 |
Mail Reconnaissance | 1005 | Reconnaissance on your mail system. | 3 |
Windows Reconnaissance | 1006 | Reconnaissance for the Windows operating system. | 3 |
Portmap / RPC Request | 1007 | Reconnaissance on your portmap or RPC request. | 3 |
Host Port Scan | 1008 | Indicates that a scan occurred on the host ports. | 4 |
RPC Dump | 1009 | Indicates that Remote Procedure Call (RPC) information is removed. | 3 |
DNS Reconnaissance | 1010 | Reconnaissance on the DNS server. | 3 |
Misc Reconnaissance Event | 1011 | Miscellaneous reconnaissance event. | 2 |
Web Reconnaissance | 1012 | Web reconnaissance on your network. | 3 |
Database Reconnaissance | 1013 | Database reconnaissance on your network. | 3 |
ICMP Reconnaissance | 1014 | Reconnaissance on ICMP traffic. | 3 |
UDP Reconnaissance | 1015 | Reconnaissance on UDP traffic. | 3 |
SNMP Reconnaissance | 1016 | Reconnaissance on SNMP traffic. | 3 |
ICMP Host Query | 1017 | Indicates an ICMP host query. | 3 |
UDP Host Query | 1018 | Indicates a UDP host query. | 3 |
NMAP Reconnaissance | 1019 | Indicates NMAP reconnaissance. | 3 |
TCP Reconnaissance | 1020 | Indicates TCP reconnaissance on your network. | 3 |
UNIX Reconnaissance | 1021 | Reconnaissance on your UNIX network. | 3 |
FTP Reconnaissance | 1022 | Indicates FTP reconnaissance. | 3 |