Suspicious Activity

The suspicious activity category contains events that are related to viruses, trojans, back door attacks, and other forms of hostile software.

The following table describes the low-level event categories and associated severity levels for the suspicious activity category.

Table 1. Low-level categories and severity levels for the suspicious activity events category

| Low-level event category | Category ID | Description | Severity level (0 - 10) |
|---|---|---|---|
| Unknown Suspicious Event | 7001 | Indicates an unknown suspicious event. | 3 |
| Suspicious Pattern Detected | 7002 | Indicates that a suspicious pattern was detected. | 3 |
| Content Modified By Firewall | 7003 | Indicates that content was modified by the firewall. | 3 |
| Invalid Command or Data | 7004 | Indicates an invalid command or data. | 3 |
| Suspicious Packet | 7005 | Indicates a suspicious packet. | 3 |
| Suspicious Activity | 7006 | Indicates suspicious activity. | 3 |
| Suspicious File Name | 7007 | Indicates a suspicious file name. | 3 |
| Suspicious Port Activity | 7008 | Indicates suspicious port activity. | 3 |
| Suspicious Routing | 7009 | Indicates suspicious routing. | 3 |
| Potential Web Vulnerability | 7010 | Indicates a potential web vulnerability. | 3 |
| Unknown Evasion Event | 7011 | Indicates an unknown evasion event. | 5 |
| IP Spoof | 7012 | Indicates an IP spoof. | 5 |
| IP Fragmentation | 7013 | Indicates IP fragmentation. | 3 |
| Overlapping IP Fragments | 7014 | Indicates overlapping IP fragments. | 5 |
| IDS Evasion | 7015 | Indicates an IDS evasion. | 5 |
| DNS Protocol Anomaly | 7016 | Indicates a DNS protocol anomaly. | 3 |
| FTP Protocol Anomaly | 7017 | Indicates an FTP protocol anomaly. | 3 |
| Mail Protocol Anomaly | 7018 | Indicates a mail protocol anomaly. | 3 |
| Routing Protocol Anomaly | 7019 | Indicates a routing protocol anomaly. | 3 |
| Web Protocol Anomaly | 7020 | Indicates a web protocol anomaly. | 3 |
| SQL Protocol Anomaly | 7021 | Indicates an SQL protocol anomaly. | 3 |
| Executable Code Detected | 7022 | Indicates that executable code was detected. | 5 |
| Misc Suspicious Event | 7023 | Indicates a miscellaneous suspicious event. | 3 |
| Information Leak | 7024 | Indicates an information leak. | 1 |
| Potential Mail Vulnerability | 7025 | Indicates a potential vulnerability in the mail server. | 4 |
| Potential Version Vulnerability | 7026 | Indicates a potential vulnerability in the IBM® QRadar® version. | 4 |
| Potential FTP Vulnerability | 7027 | Indicates a potential FTP vulnerability. | 4 |
| Potential SSH Vulnerability | 7028 | Indicates a potential SSH vulnerability. | 4 |
| Potential DNS Vulnerability | 7029 | Indicates a potential vulnerability in the DNS server. | 4 |
| Potential SMB Vulnerability | 7030 | Indicates a potential SMB (Samba) vulnerability. | 4 |
| Potential Database Vulnerability | 7031 | Indicates a potential vulnerability in the database. | 4 |
| IP Protocol Anomaly | 7032 | Indicates a potential IP protocol anomaly. | 3 |
| Suspicious IP Address | 7033 | Indicates that a suspicious IP address was detected. | 2 |
| Invalid IP Protocol Usage | 7034 | Indicates an invalid IP protocol. | 2 |
| Invalid Protocol | 7035 | Indicates an invalid protocol. | 4 |
| Suspicious Window Events | 7036 | Indicates a suspicious event with a screen on your desktop. | 2 |
| Suspicious ICMP Activity | 7037 | Indicates suspicious ICMP activity. | 2 |
| Potential NFS Vulnerability | 7038 | Indicates a potential network file system (NFS) vulnerability. | 4 |
| Potential NNTP Vulnerability | 7039 | Indicates a potential Network News Transfer Protocol (NNTP) vulnerability. | 4 |
| Potential RPC Vulnerability | 7040 | Indicates a potential RPC vulnerability. | 4 |
| Potential Telnet Vulnerability | 7041 | Indicates a potential Telnet vulnerability on your system. | 4 |
| Potential SNMP Vulnerability | 7042 | Indicates a potential SNMP vulnerability. | 4 |
| Illegal TCP Flag Combination | 7043 | Indicates that an invalid TCP flag combination was detected. | 5 |
| Suspicious TCP Flag Combination | 7044 | Indicates that a potentially invalid TCP flag combination was detected. | 4 |
| Illegal ICMP Protocol Usage | 7045 | Indicates that an invalid use of the ICMP protocol was detected. | 5 |
| Suspicious ICMP Protocol Usage | 7046 | Indicates that a potentially invalid use of the ICMP protocol was detected. | 4 |
| Illegal ICMP Type | 7047 | Indicates that an invalid ICMP type was detected. | 5 |
| Illegal ICMP Code | 7048 | Indicates that an invalid ICMP code was detected. | 5 |
| Suspicious ICMP Type | 7049 | Indicates that a potentially invalid ICMP type was detected. | 4 |
| Suspicious ICMP Code | 7050 | Indicates that a potentially invalid ICMP code was detected. | 4 |
| TCP port 0 | 7051 | Indicates that a TCP packet uses a reserved port (0) as its source or destination. | 4 |
| UDP port 0 | 7052 | Indicates that a UDP packet uses a reserved port (0) as its source or destination. | 4 |
| Hostile IP | 7053 | Indicates the use of a known hostile IP address. | 4 |
| Watch list IP | 7054 | Indicates the use of an IP address from a watch list of IP addresses. | 4 |
| Known offender IP | 7055 | Indicates the use of an IP address of a known offender. | 4 |
| RFC 1918 (private) IP | 7056 | Indicates the use of an IP address from a private IP address range. | 4 |
| Potential VoIP Vulnerability | 7057 | Indicates a potential VoIP vulnerability. | 4 |
| Blacklist Address | 7058 | Indicates that an IP address is on the block list. | 8 |
| Watchlist Address | 7059 | Indicates that the IP address is on the list of IP addresses being monitored. | 7 |
| Darknet Address | 7060 | Indicates that the IP address is part of a darknet. | 5 |
| Botnet Address | 7061 | Indicates that the address is part of a botnet. | 7 |
| Suspicious Address | 7062 | Indicates that the IP address must be monitored. | 5 |
| Bad Content | 7063 | Indicates that bad content was detected. | 7 |
| Invalid Cert | 7064 | Indicates that an invalid certificate was detected. | 7 |
| User Activity | 7065 | Indicates that user activity was detected. | 7 |
| Suspicious Protocol Usage | 7066 | Indicates that suspicious protocol usage was detected. | 5 |
| Suspicious BGP Activity | 7067 | Indicates that suspicious Border Gateway Protocol (BGP) usage was detected. | 5 |
| Route Poisoning | 7068 | Indicates that route corruption was detected. | 5 |
| ARP Poisoning | 7069 | Indicates that ARP-cache poisoning was detected. | 5 |
| Rogue Device Detected | 7070 | Indicates that a rogue device was detected. | 5 |
| Government Agency Address | 7071 | Indicates that a government agency address was detected. | 3 |