Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=IPSCategoryDescriptions

IPS signature categories

app-detect: Identifies and controls traffic for certain applications that generate network activity. This category controls the various aspects of how an application behaves.

browser-chrome: Offers detection and blocking for vulnerabilities that affect the Google Chrome browser.

browser-firefox: Offers detection and blocking for vulnerabilities that affect the Firefox browser. These rules also apply to products that utilize the Gecko browser engine.

browser-ie: Offers detection and blocking for vulnerabilities that affect Microsoft’s IE browser. These rules also apply to products that utilize the Trident or Tasman browser engines.

browser-webkit: Offers detection and blocking for vulnerabilities that affect the WebKit browser engine, including Apple’s Safari browser and WebKit itself. This excludes Google Chrome as it has its own dedicated category.

browser-other: Offers detection and blocking for vulnerabilities that currently impact browsers not listed in the dedicated browser categories such as Microsoft’s Edge browser, and the Opera browser.

browser-plugin: Offers detection and blocking for vulnerabilities in web browsers that support plugins.

exploit-kit: Offers detection and blocking for vulnerabilities tailored for exploit kit activity.

file-executable: Offers detection and blocking for vulnerabilities that impact or are delivered through executable files and are operating system-independent.

file-flash: Offers detection and blocking for vulnerabilities found or delivered through flash files.

file-image: Offers detection and blocking for vulnerabilities found embedded inside image files. File types include jpg, png, gif, bmp, pdf and more.

file-identify: Can be used to identify files based on file extensions. This includes the content in the file or header found in the traffic.

file-java: Offers detection and blocking for vulnerabilities affecting Java files (jar).

file-multimedia: Offers detection and blocking for vulnerabilities found embedded inside multimedia files. File types include mp4, mov, qt and more.

file-office: Offers detection and blocking for vulnerabilities found embedded inside files that are part of the Microsoft Office suite of products and software.

file-pdf: Offers detection and blocking for vulnerabilities found embedded inside pdf files.

file-other: Offers detection and blocking for vulnerabilities found embedded inside files that don't have their own dedicated file category.

indicator-compromise: Offers detection and blocking for positively compromised devices on the network. These rules may trigger false positives.

indicator-obfuscation: Offers detection and blocking for obfuscated content.

indicator-shellcode: Offers detection and blocking for simple identification markers of shellcode in traffic.

malware-backdoor: Offers detection and blocking for traffic destined for known backdoor command channels.

malware-cnc: Offers detection and blocking for known malicious command and control (C&C) activity for known botnet traffic. The actions include calling home, downloading dropped files, and exfiltration of data.

malware-other: Offers detection and blocking for additional malware but don't fit in the dedicated malware categories.

misc: Offers detection and blocking for vulnerabilities found in applications that aren't included in any other IPS category.

netbios: Offers detection and blocking for vulnerabilities that affect the NetBIOS protocol on the network.

os-linux: Offers detection and blocking for vulnerabilities that affect the Linux operating system.

os-solaris: Offers detection and blocking for vulnerabilities that affect the Solaris operating system.

os-windows: Offers detection and blocking for vulnerabilities that affect the Windows operating system.

os-mobile: Offers detection and blocking for vulnerabilities that affect mobile operating systems.

os-other: Offers detection and blocking for vulnerabilities that affect other operating systems not listed in the OS-specific categories.

policy-other: Offers detection and blocking for traffic that may violate the end-user's corporate policies.

protocol-dns: Offers detection and blocking for vulnerabilities that affect the DNS protocol on the network.

protocol-ftp: Offers detection and blocking for vulnerabilities that affect the FTP protocol on the network.

protocol-icmp: Offers detection and blocking for vulnerabilities that affect the ICMP protocol on the network.

protocol-imap: Offers detection and blocking for vulnerabilities that affect the IMAP protocol on the network.

protocol-nntp: Offers detection and blocking for vulnerabilities that affect the NNTP protocol on the network.

protocol-pop: Offers detection and blocking for vulnerabilities that affect the POP protocol on the network.

protocol-rpc: Offers detection and blocking for vulnerabilities that affect the RPC protocol on the network.

protocol-scada: Offers detection and blocking for vulnerabilities that affect the SCADA protocol on the network.

protocol-services: Offers detection and blocking for vulnerabilities that affect all other service protocols on the network.

protocol-snmp: Offers detection and blocking for vulnerabilities that affect the SNMP protocol on the network.

protocol-telnet: Offers detection and blocking for vulnerabilities that affect the telnet protocol on the network.

protocol-tftp: Offers detection and blocking for vulnerabilities that affect the TFTP protocol on the network.

protocol-VOIP: Offers detection and blocking for vulnerabilities that affect the VoIP protocol on the network.

protocol-other: Offers detection and blocking for vulnerabilities in protocols that don't fit into the protocol-specific categories.

pua-other: Offers detection and blocking for vulnerabilities that impact Potentially Unwanted Applications (PUA) that may be in use on the network.

server-apache: Offers detection and blocking for vulnerabilities that affect Apache web servers.

server-iis: Offers detection and blocking for vulnerabilities that affect Microsoft IIS web servers.

server-mssql: Offers detection and blocking for vulnerabilities that affect Microsoft SQL servers.

server-mysql: Offers detection and blocking for vulnerabilities that affect Oracle MySQL servers.

server-oracle: Offers detection and blocking for vulnerabilities that affect Oracle Database servers.

server-samba: Offers detection and blocking for vulnerabilities that affect Samba servers.

server-webapp: Offers detection and blocking for vulnerabilities that affect Web-based applications.

server-mail: Offers detection and blocking for vulnerabilities that affect traffic going to mail servers.

server-other: Offers detection and blocking for vulnerabilities that affect servers not listed in the server-specific categories.

sql: Offers detection and blocking for vulnerabilities and SQL injection attacks that affect servers that run SQL.

scan: Offers detection and blocking for popular vulnerability scanning tools such as NMAP, Nuclei, and more.