The Suspicious Activity category contains events that relate to viruses, trojans, back door attacks, and other forms of hostile software.
The following table describes the low-level event categories for the Suspicious Activity category; each category also carries an associated severity level on a scale of 0 to 10.
Table 1: Low-level Categories and Severity Levels for the Suspicious Activity Events Category

| Low-level event category | Description |
|---|---|
| Unknown Suspicious Event | Indicates an unknown suspicious event. |
| Suspicious Pattern Detected | Indicates that a suspicious pattern was detected. |
| Content Modified By Firewall | Indicates that content was modified by the firewall. |
| Invalid Command or Data | Indicates an invalid command or invalid data. |
| | Indicates a suspicious packet. |
| | Indicates suspicious activity. |
| Suspicious File Name | Indicates a suspicious file name. |
| Suspicious Port Activity | Indicates suspicious port activity. |
| | Indicates suspicious routing. |
| Potential Web Vulnerability | Indicates a potential web vulnerability. |
| Unknown Evasion Event | Indicates an unknown evasion event. |
| | Indicates an IP spoof. |
| | Indicates IP fragmentation. |
| Overlapping IP Fragments | Indicates overlapping IP fragments. |
| | Indicates an IDS evasion. |
| DNS Protocol Anomaly | Indicates a DNS protocol anomaly. |
| FTP Protocol Anomaly | Indicates an FTP protocol anomaly. |
| Mail Protocol Anomaly | Indicates a mail protocol anomaly. |
| Routing Protocol Anomaly | Indicates a routing protocol anomaly. |
| Web Protocol Anomaly | Indicates a web protocol anomaly. |
| SQL Protocol Anomaly | Indicates an SQL protocol anomaly. |
| Executable Code Detected | Indicates that executable code was detected. |
| Misc Suspicious Event | Indicates a miscellaneous suspicious event. |
| | Indicates an information leak. |
| Potential Mail Vulnerability | Indicates a potential vulnerability in the mail server. |
| Potential Version Vulnerability | Indicates a potential vulnerability in the JSA version. |
| Potential FTP Vulnerability | Indicates a potential FTP vulnerability. |
| Potential SSH Vulnerability | Indicates a potential SSH vulnerability. |
| Potential DNS Vulnerability | Indicates a potential vulnerability in the DNS server. |
| Potential SMB Vulnerability | Indicates a potential SMB (Server Message Block) vulnerability. |
| Potential Database Vulnerability | Indicates a potential vulnerability in the database. |
| IP Protocol Anomaly | Indicates a potential IP protocol anomaly. |
| Suspicious IP Address | Indicates that a suspicious IP address was detected. |
| Invalid IP Protocol Usage | Indicates invalid use of an IP protocol. |
| | Indicates an invalid protocol. |
| Suspicious Window Events | Indicates a suspicious event involving a window on your desktop. |
| Suspicious ICMP Activity | Indicates suspicious ICMP activity. |
| Potential NFS Vulnerability | Indicates a potential Network File System (NFS) vulnerability. |
| Potential NNTP Vulnerability | Indicates a potential Network News Transfer Protocol (NNTP) vulnerability. |
| Potential RPC Vulnerability | Indicates a potential RPC vulnerability. |
| Potential Telnet Vulnerability | Indicates a potential Telnet vulnerability on your system. |
| Potential SNMP Vulnerability | Indicates a potential SNMP vulnerability. |
| Illegal TCP Flag Combination | Indicates that an invalid TCP flag combination was detected. |
| Suspicious TCP Flag Combination | Indicates that a potentially invalid TCP flag combination was detected. |
| Illegal ICMP Protocol Usage | Indicates that an invalid use of the ICMP protocol was detected. |
| Suspicious ICMP Protocol Usage | Indicates that a potentially invalid use of the ICMP protocol was detected. |
| Illegal ICMP Type | Indicates that an invalid ICMP type was detected. |
| Illegal ICMP Code | Indicates that an invalid ICMP code was detected. |
| Suspicious ICMP Type | Indicates that a potentially invalid ICMP type was detected. |
| Suspicious ICMP Code | Indicates that a potentially invalid ICMP code was detected. |
| TCP port 0 | Indicates a TCP packet that uses the reserved port 0 as its source or destination port. |
| UDP port 0 | Indicates a UDP packet that uses the reserved port 0 as its source or destination port. |
| | Indicates the use of a known hostile IP address. |
| Watch list IP | Indicates the use of an IP address from a watch list of IP addresses. |
| Known offender IP | Indicates the use of an IP address of a known offender. |
| RFC 1918 (private) IP | Indicates the use of an IP address from a private IP address range (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16). |
| Potential VoIP Vulnerability | Indicates a potential VoIP vulnerability. |
| | Indicates that an IP address is on the blacklist. |
| | Indicates that the IP address is on the list of IP addresses being monitored. |
| | Indicates that the IP address is part of a darknet. |
| | Indicates that the address is part of a botnet. |
| | Indicates that the IP address must be monitored. |
| | Indicates that bad content was detected. |
| | Indicates that an invalid certificate was detected. |
| | Indicates that user activity was detected. |
| Suspicious Protocol Usage | Indicates that suspicious protocol usage was detected. |
| Suspicious BGP Activity | Indicates that suspicious Border Gateway Protocol (BGP) activity was detected. |
| | Indicates that route corruption was detected. |
| | Indicates that ARP cache poisoning was detected. |
| Rogue Device Detected | Indicates that a rogue device was detected. |
| Government Agency Address | Indicates that a government agency address was detected. |
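Several of the packet-level categories in the table (Illegal and Suspicious TCP Flag Combination, Illegal and Suspicious ICMP Type and Code, TCP port 0, UDP port 0, RFC 1918 (private) IP, IP Fragmentation and Overlapping IP Fragments) are decided from a handful of header fields. The classifier below is an added example, not JSA code and not how JSA itself parses events; it maps constructed packet summaries onto those category names. The concrete rules it applies (which flag sets count as illegal rather than suspicious, which ICMPv4 types are unassigned or deprecated, the maximum valid code per ICMP type) are assumptions chosen for illustration, since the page only names the categories.

```python
"""Toy classifier mapping packet header fields to Suspicious Activity
low-level category names. Added example, not JSA code; every rule below is
an assumption for illustration."""
import ipaddress
from dataclasses import dataclass

# TCP flag bits in header order (RFC 9293).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG

# Exactly the three RFC 1918 blocks. ipaddress's is_private would also match
# loopback, link-local and documentation ranges, which are not this category.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: ICMPv4 types 1, 2, 7 and 44-255 are unassigned in the IANA
# registry, so a packet carrying one is "Illegal ICMP Type".
UNASSIGNED_ICMP_TYPES = {1, 2, 7} | set(range(44, 256))
# Assumption: deprecated types (information request/reply, address mask
# request/reply, traceroute and the 31-39 block) are only "Suspicious".
DEPRECATED_ICMP_TYPES = {15, 16, 17, 18, 30} | set(range(31, 40))
# Assumption: highest valid code for common types (RFC 792 / RFC 1812).
MAX_ICMP_CODE = {0: 0, 3: 15, 5: 3, 8: 0, 11: 1, 12: 2}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0  # only meaningful for proto == "tcp"
    icmp_type: int = 0  # only meaningful for proto == "icmp"
    icmp_code: int = 0


def classify(pkt: Packet) -> list:
    """Return every low-level category the packet matches (possibly none)."""
    cats = []
    if any(ipaddress.ip_address(a) in n for a in (pkt.src, pkt.dst) for n in RFC1918):
        cats.append("RFC 1918 (private) IP")
    if pkt.proto == "tcp":
        f = pkt.tcp_flags & ALL_SIX
        if 0 in (pkt.sport, pkt.dport):
            cats.append("TCP port 0")
        # Assumption: SYN together with FIN or RST, no flags at all (NULL
        # scan) and all six flags (XMAS scan) never occur in a real session.
        if (f & SYN and f & (FIN | RST)) or f == 0 or f == ALL_SIX:
            cats.append("Illegal TCP Flag Combination")
        # Assumption: FIN, PSH or URG without ACK is possible but rarely
        # legitimate, so it is only "Suspicious".
        elif f & (FIN | PSH | URG) and not f & ACK:
            cats.append("Suspicious TCP Flag Combination")
    elif pkt.proto == "udp":
        if 0 in (pkt.sport, pkt.dport):
            cats.append("UDP port 0")
    elif pkt.proto == "icmp":
        if pkt.icmp_type in UNASSIGNED_ICMP_TYPES:
            cats.append("Illegal ICMP Type")
        elif pkt.icmp_type in DEPRECATED_ICMP_TYPES:
            cats.append("Suspicious ICMP Type")
        limit = MAX_ICMP_CODE.get(pkt.icmp_type)
        if limit is not None and pkt.icmp_code > limit:
            cats.append("Illegal ICMP Code")
    return cats


def classify_fragments(frags) -> list:
    """Classify the fragments of one IP datagram, given as (offset, length)
    pairs in bytes. More than one fragment is "IP Fragmentation"; a fragment
    whose data starts before the previous one ends is additionally
    "Overlapping IP Fragments", the classic IDS evasion trick."""
    if len(frags) < 2:
        return []
    cats = ["IP Fragmentation"]
    end = -1
    for off, length in sorted(frags):
        if off < end:
            cats.append("Overlapping IP Fragments")
            break
        end = off + length
    return cats


if __name__ == "__main__":
    # Constructed sample packets; public addresses are from documentation ranges.
    samples = [
        Packet("203.0.113.5", "198.51.100.7", "tcp", 40000, 80, SYN),
        Packet("192.168.1.10", "203.0.113.5", "tcp", 1234, 0, SYN | FIN),
        Packet("203.0.113.5", "198.51.100.7", "tcp", 1234, 22, FIN | PSH | URG),
        Packet("203.0.113.5", "198.51.100.7", "udp", 0, 53),
        Packet("203.0.113.5", "198.51.100.7", "icmp", icmp_type=8, icmp_code=1),
        Packet("203.0.113.5", "198.51.100.7", "icmp", icmp_type=17),
    ]
    for p in samples:
        print(p.proto, classify(p))
    print(classify_fragments([(0, 1480), (1480, 1480), (2000, 500)]))
```

A packet can match several categories at once (a SYN+FIN to port 0 from a private source hits three rows), which is why the function returns a list rather than a single name; a real normalizer would then pick the highest-severity match or emit one event per category.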