Suspicious Activity
The suspicious activity category contains events that are related to viruses, trojans, backdoor attacks, and other forms of hostile software.
The following table describes the low-level event categories and associated severity levels for the suspicious activity category.
| Low-level event category | Category ID | Description | Severity level (0 - 10) |
|---|---|---|---|
| Unknown Suspicious Event | 7001 | Indicates an unknown suspicious event. | 3 |
| Suspicious Pattern Detected | 7002 | Indicates that a suspicious pattern was detected. | 3 |
| Content Modified By Firewall | 7003 | Indicates that content was modified by the firewall. | 3 |
| Invalid Command or Data | 7004 | Indicates an invalid command or data. | 3 |
| Suspicious Packet | 7005 | Indicates a suspicious packet. | 3 |
| Suspicious Activity | 7006 | Indicates suspicious activity. | 3 |
| Suspicious File Name | 7007 | Indicates a suspicious file name. | 3 |
| Suspicious Port Activity | 7008 | Indicates suspicious port activity. | 3 |
| Suspicious Routing | 7009 | Indicates suspicious routing. | 3 |
| Potential Web Vulnerability | 7010 | Indicates a potential web vulnerability. | 3 |
| Unknown Evasion Event | 7011 | Indicates an unknown evasion event. | 5 |
| IP Spoof | 7012 | Indicates an IP spoof. | 5 |
| IP Fragmentation | 7013 | Indicates IP fragmentation. | 3 |
| Overlapping IP Fragments | 7014 | Indicates overlapping IP fragments. | 5 |
| IDS Evasion | 7015 | Indicates an IDS evasion. | 5 |
| DNS Protocol Anomaly | 7016 | Indicates a DNS protocol anomaly. | 3 |
| FTP Protocol Anomaly | 7017 | Indicates an FTP protocol anomaly. | 3 |
| Mail Protocol Anomaly | 7018 | Indicates a mail protocol anomaly. | 3 |
| Routing Protocol Anomaly | 7019 | Indicates a routing protocol anomaly. | 3 |
| Web Protocol Anomaly | 7020 | Indicates a web protocol anomaly. | 3 |
| SQL Protocol Anomaly | 7021 | Indicates an SQL protocol anomaly. | 3 |
| Executable Code Detected | 7022 | Indicates that executable code was detected. | 5 |
| Misc Suspicious Event | 7023 | Indicates a miscellaneous suspicious event. | 3 |
| Information Leak | 7024 | Indicates an information leak. | 1 |
| Potential Mail Vulnerability | 7025 | Indicates a potential vulnerability in the mail server. | 4 |
| Potential Version Vulnerability | 7026 | Indicates a potential vulnerability in the JSA version. | 4 |
| Potential FTP Vulnerability | 7027 | Indicates a potential FTP vulnerability. | 4 |
| Potential SSH Vulnerability | 7028 | Indicates a potential SSH vulnerability. | 4 |
| Potential DNS Vulnerability | 7029 | Indicates a potential vulnerability in the DNS server. | 4 |
| Potential SMB Vulnerability | 7030 | Indicates a potential SMB (Samba) vulnerability. | 4 |
| Potential Database Vulnerability | 7031 | Indicates a potential vulnerability in the database. | 4 |
| IP Protocol Anomaly | 7032 | Indicates a potential IP protocol anomaly. | 3 |
| Suspicious IP Address | 7033 | Indicates that a suspicious IP address was detected. | 2 |
| Invalid IP Protocol Usage | 7034 | Indicates an invalid IP protocol. | 2 |
| Invalid Protocol | 7035 | Indicates an invalid protocol. | 4 |
| Suspicious Window Events | 7036 | Indicates a suspicious event with a screen on your desktop. | 2 |
| Suspicious ICMP Activity | 7037 | Indicates suspicious ICMP activity. | 2 |
| Potential NFS Vulnerability | 7038 | Indicates a potential network file system (NFS) vulnerability. | 4 |
| Potential NNTP Vulnerability | 7039 | Indicates a potential Network News Transfer Protocol (NNTP) vulnerability. | 4 |
| Potential RPC Vulnerability | 7040 | Indicates a potential RPC vulnerability. | 4 |
| Potential Telnet Vulnerability | 7041 | Indicates a potential Telnet vulnerability on your system. | 4 |
| Potential SNMP Vulnerability | 7042 | Indicates a potential SNMP vulnerability. | 4 |
| Illegal TCP Flag Combination | 7043 | Indicates that an invalid TCP flag combination was detected. | 5 |
| Suspicious TCP Flag Combination | 7044 | Indicates that a potentially invalid TCP flag combination was detected. | 4 |
| Illegal ICMP Protocol Usage | 7045 | Indicates that an invalid use of the ICMP protocol was detected. | 5 |
| Suspicious ICMP Protocol Usage | 7046 | Indicates that a potentially invalid use of the ICMP protocol was detected. | 4 |
| Illegal ICMP Type | 7047 | Indicates that an invalid ICMP type was detected. | 5 |
| Illegal ICMP Code | 7048 | Indicates that an invalid ICMP code was detected. | 5 |
| Suspicious ICMP Type | 7049 | Indicates that a potentially invalid ICMP type was detected. | 4 |
| Suspicious ICMP Code | 7050 | Indicates that a potentially invalid ICMP code was detected. | 4 |
| TCP port 0 | 7051 | Indicates that a TCP packet uses the reserved port (0) as its source or destination. | 4 |
| UDP port 0 | 7052 | Indicates that a UDP packet uses the reserved port (0) as its source or destination. | 4 |
| Hostile IP | 7053 | Indicates the use of a known hostile IP address. | 4 |
| Watch list IP | 7054 | Indicates the use of an IP address from a watch list of IP addresses. | 4 |
| Known offender IP | 7055 | Indicates the use of an IP address of a known offender. | 4 |
| RFC 1918 (private) IP | 7056 | Indicates the use of an IP address from a private IP address range. | 4 |
| Potential VoIP Vulnerability | 7057 | Indicates a potential VoIP vulnerability. | 4 |
| Blacklist Address | 7058 | Indicates that an IP address is on the blocklist. | 8 |
| Watchlist Address | 7059 | Indicates that the IP address is on the list of IP addresses being monitored. | 7 |
| Darknet Address | 7060 | Indicates that the IP address is part of a darknet. | 5 |
| Botnet Address | 7061 | Indicates that the address is part of a botnet. | 7 |
| Suspicious Address | 7062 | Indicates that the IP address must be monitored. | 5 |
| Bad Content | 7063 | Indicates that bad content was detected. | 7 |
| Invalid Cert | 7064 | Indicates that an invalid certificate was detected. | 7 |
| User Activity | 7065 | Indicates that user activity was detected. | 7 |
| Suspicious Protocol Usage | 7066 | Indicates that suspicious protocol usage was detected. | 5 |
| Suspicious BGP Activity | 7067 | Indicates that suspicious Border Gateway Protocol (BGP) usage was detected. | 5 |
| Route Poisoning | 7068 | Indicates that route corruption was detected. | 5 |
| ARP Poisoning | 7069 | Indicates that ARP-cache poisoning was detected. | 5 |
| Rogue Device Detected | 7070 | Indicates that a rogue device was detected. | 5 |
| Government Agency Address | 7071 | Indicates that a government agency address was detected. | 3 |