Threat Signature Categories
Next-Generation Firewall Docs: PAN-OS 9.1 (EoL)
There are three types of Palo Alto Networks threat signatures, each designed to detect a different kind of threat as the firewall scans network traffic:
- Antivirus signatures—Detect viruses and malware found in executables and file types.
- Anti-spyware signatures—Detect command-and-control (C2) activity, where spyware on an infected client is collecting data without the user's consent and/or communicating with a remote attacker.
- Vulnerability signatures—Detect system flaws that an attacker might otherwise attempt to exploit.
A signature's severity indicates the risk of the detected event, and a signature's default action (for example, block or alert) is how Palo Alto Networks recommends that you enforce matching traffic. You must Set Up Antivirus, Anti-Spyware, and Vulnerability Protection to tell the firewall what action to take when it detects a threat; you can use the default security profiles to start blocking threats based on Palo Alto Networks recommendations. For each signature type, category, and even for specific signatures, you can then modify profiles or create new ones to enforce potential threats more granularly.
The following table lists all possible signature categories by
type—Antivirus, Spyware, and Vulnerability—and includes the content
update (Applications and Threats, Antivirus, or WildFire) that provides
the signatures in each category. You can also go to the Palo Alto
Networks Threat Vault to Learn More About Threat Signatures.
Threat Category | Content Update that Provides These Signatures | Description |
---|---|---|
**Antivirus Signatures** | | |
apk | Antivirus, WildFire, or WildFire Private | Malicious Android Application (APK) files. |
dmg | Antivirus, WildFire, or WildFire Private | Malicious Apple disk image (DMG) files, used with Mac OS X. |
flash | Antivirus, WildFire, or WildFire Private | Adobe Flash applets and Flash content embedded in web pages. |
java-class | Antivirus | Java applets (JAR/class file types). |
macho | Antivirus, WildFire, or WildFire Private | Mach object files (Mach-O) are executables, libraries, and object code that are native to Mac OS X. |
office | Antivirus, WildFire, or WildFire Private | Microsoft Office files, including documents (DOC, DOCX, RTF), workbooks (XLS, XLSX), and PowerPoint presentations (PPT, PPTX). |
openoffice | Antivirus, WildFire, or WildFire Private | Office Open XML (OOXML) 2007+ documents. |
pdf | Antivirus, WildFire, or WildFire Private | Portable Document Format (PDF) files. |
pe | Antivirus, WildFire, or WildFire Private | Portable executable (PE) files can automatically execute on a Microsoft Windows system and should be allowed only when authorized. These file types include: |
pkg | Antivirus, WildFire, or WildFire Private | Apple software installer packages (PKGs), used with Mac OS X. |
**Spyware Signatures** | | |
adware | Applications and Threats | Detects programs that display potentially unwanted advertisements. Some adware modifies browsers to highlight and hyperlink the most frequently searched keywords on web pages; these links redirect users to advertising websites. Adware can also retrieve updates from a command-and-control (C2) server and install those updates in a browser or onto a client system. Newly released protections in this category are rare. |
autogen | Antivirus | These payload-based signatures detect command-and-control (C2) traffic and are automatically generated. Importantly, autogen signatures can detect C2 traffic even when the C2 host is unknown or changes rapidly. |
backdoor | Applications and Threats | Detects a program that allows an attacker to gain unauthorized remote access to a system. |
botnet | Applications and Threats | Indicates botnet activity. A botnet is a network of malware-infected computers ("bots") that an attacker controls. The attacker can centrally command every computer in a botnet to simultaneously carry out a coordinated action (such as launching a DoS attack). |
browser-hijack | Applications and Threats | Detects a plugin or software that is modifying browser settings. A browser hijacker might take over auto search or track users' web activity and send this information to a C2 server. Newly released protections in this category are rare. |
cryptominer | Applications and Threats | (Sometimes known as cryptojacking or miners) Detects the download attempt or network traffic generated by malicious programs designed to use computing resources to mine cryptocurrencies without the user's knowledge. Cryptominer binaries are frequently delivered by a shell script downloader that attempts to determine the system architecture and kill other miner processes on the system. Some miners execute within other processes, such as a web browser rendering a malicious web page. |
data-theft | Applications and Threats | Detects a system sending information to a known C2 server. Newly released protections in this category are rare. |
dns | Antivirus | Detects DNS requests to connect to malicious domains. dns and dns-wildfire signatures detect the same malicious domains; however, dns signatures are included in the daily Antivirus content update and dns-wildfire signatures are included in the WildFire updates that release protections every 5 minutes. |
dns-security | Antivirus | Detects DNS requests to connect to malicious domains. dns-security includes signatures from dns and dns-wildfire in addition to the unique signatures generated by the DNS Security service. |
dns-wildfire | WildFire or WildFire Private | Detects DNS requests to connect to malicious domains. dns and dns-wildfire signatures detect the same malicious domains; however, dns signatures are included in the daily Antivirus content update and dns-wildfire signatures are included in the WildFire updates that release protections every 5 minutes. |
downloader | Applications and Threats | (Also known as droppers, stagers, or loaders) Detects programs that use an internet connection to connect to a remote server to download and execute malware on the compromised system. The most common use case is for a downloader to be deployed as the culmination of stage one of a cyber attack, where execution of the downloader's fetched payload is considered the second stage. Shell scripts (Bash, PowerShell, etc.), trojans, and malicious lure documents (also known as maldocs) such as PDFs and Word files are common downloader types. |
fraud | Applications and Threats | (Including form-jacking, phishing, and scams) Detects access to compromised websites that have been determined to be injected with malicious JavaScript code to collect sensitive user information (for example, name, address, email, credit card number, CVV, and expiration date) from payment forms on the checkout pages of e-commerce websites. |
hacktool | Applications and Threats | Detects traffic generated by software tools that malicious actors use to conduct reconnaissance, attack or gain access to vulnerable systems, exfiltrate data, or create a command and control channel to surreptitiously control a computer system without authorization. These programs are strongly associated with malware and cyber attacks. Hacking tools might be deployed in a benign manner when used in Red and Blue Team operations, penetration tests, and R&D. The use or possession of these tools may be illegal in some countries, regardless of intent. |
keylogger | Applications and Threats | Detects programs that allow attackers to secretly track user activity by logging keystrokes and capturing screenshots. Keyloggers use various C2 methods to periodically send logs and reports to a predefined e-mail address or a C2 server. Through keylogger surveillance, an attacker could retrieve credentials that would enable network access. |
networm | Applications and Threats | Detects a program that self-replicates and spreads from system to system. Net-worms might use shared resources or leverage security failures to access target systems. |
phishing-kit | Applications and Threats | Detects when a user attempts to connect to a phishing kit landing page (likely after receiving an email with a link to the malicious site). A phishing website tricks users into submitting credentials that an attacker can steal to gain access to the network. In addition to blocking access to phishing kit landing pages, enable Multi-Factor Authentication and Credential Phishing Prevention to prevent phishing attacks at all stages. |
post-exploitation | Applications and Threats | Detects activity that indicates the post-exploitation phase of an attack, where an attacker attempts to assess the value of a compromised system. This might include evaluating the sensitivity of the data stored on the system and the system's usefulness in further compromising the network. |
webshell | Applications and Threats | Detects web shells and web shell traffic, including implant detection and command and control interaction. Web shells must first be implanted by a malicious actor onto the compromised host, most often targeting a web server or framework. Subsequent communication with the web shell file frequently enables a malicious actor to establish a foothold in the system and conduct service and network enumeration, data exfiltration, and remote code execution in the context of the web server user. The most common web shell types are PHP, .NET, and Perl markup scripts. Attackers can also use web shell-infected web servers (either internet-facing or internal systems) to target other internal systems. |
spyware | Applications and Threats | Detects outbound C2 communication. These signatures are either auto-generated or manually created by Palo Alto Networks researchers. Spyware and autogen signatures both detect outbound C2 communication; however, autogen signatures are payload-based and can uniquely detect C2 communications with C2 hosts that are unknown or change rapidly. |
**Vulnerability Signatures** | | |
brute force | Applications and Threats | A brute-force signature detects multiple occurrences of a condition in a particular time frame. While the activity in isolation might be benign, the brute-force signature indicates that the frequency and rate at which the activity occurred is suspect. For example, a single FTP login failure does not indicate malicious activity. However, many failed FTP logins in a short period likely indicate an attacker attempting password combinations to access an FTP server. You can tune the action and trigger conditions for brute force signatures. |
code execution | Applications and Threats | Detects a code execution vulnerability that an attacker can leverage to run code on a system with the privileges of the logged-in user. |
code-obfuscation | Applications and Threats | Detects code that has been transformed to conceal certain data while retaining its function. Obfuscated code is difficult or impossible to read, so it's not apparent what commands the code is executing or with which programs it's designed to interact. Most commonly, malicious actors obfuscate code to conceal malware. More rarely, legitimate developers might obfuscate code to protect privacy or intellectual property, or to improve user experience. For example, certain types of obfuscation (like minification) reduce file size, which decreases website load times and bandwidth usage. |
dos | Applications and Threats | Detects a denial-of-service (DoS) attack, where an attacker attempts to render a targeted system unavailable, temporarily disrupting the system and dependent applications and services. To perform a DoS attack, an attacker might flood a targeted system with traffic or send information that causes it to fail. DoS attacks deprive legitimate users (like employees, members, and account holders) of the service or resource to which they expect access. |
exploit-kit | Applications and Threats | Detects an exploit kit landing page. Exploit kit landing pages often contain several exploits that target one or many common vulnerabilities and exposures (CVEs), for multiple browsers and plugins. Because the targeted CVEs change quickly, exploit-kit signatures trigger based on the exploit kit landing page, not the CVEs. When a user visits a website with an exploit kit, the exploit kit scans for the targeted CVEs and attempts to silently deliver a malicious payload to the victim's computer. |
info-leak | Applications and Threats | Detects a software vulnerability that an attacker could exploit to steal sensitive or proprietary information. Often, an info-leak exists because comprehensive checks to guard the data are missing, and attackers can exploit info-leaks by sending crafted requests. |
insecure-credentials | Applications and Threats | Detects the use of weak, compromised, and manufacturer default passwords for software, network appliances, and IoT devices. |
overflow | Applications and Threats | Detects an overflow vulnerability, where a lack of proper checks on requests could be exploited by an attacker. A successful attack could lead to remote code execution with the privileges of the application, server, or operating system. |
phishing | Applications and Threats | Detects when a user attempts to connect to a phishing kit landing page (likely after receiving an email with a link to the malicious site). A phishing website tricks users into submitting credentials that an attacker can steal to gain access to the network. In addition to blocking access to phishing kit landing pages, enable Multi-Factor Authentication and Credential Phishing Prevention to prevent phishing attacks at all stages. |
protocol-anomaly | Applications and Threats | Detects protocol anomalies, where a protocol behavior deviates from standard and compliant usage. For example, a malformed packet, a poorly written application, or an application running on a non-standard port would all be considered protocol anomalies, and could be used as evasion tools. It is a best practice to block protocol anomalies of any severity. |
sql-injection | Applications and Threats | Detects a common hacking technique where an attacker inserts SQL queries into an application's requests in order to read from or modify a database. This technique is often used against websites that do not comprehensively sanitize user input. |