| Class type | Description | Priority |
| Attempted-admin | Attempted administrator privilege gain | 1 |
| Attempted-user | Attempted user privilege gain | 1 |
| Inappropriate-content | Inappropriate content was detected | 1 |
| Policy-violation | Potential corporate privacy violation | 1 |
| Shellcode-detect | Executable code was detected | 1 |
| Successful-admin | Successful administrator privilege gain | 1 |
| Successful-user | Successful user privilege gain | 1 |
| Trojan-activity | A network trojan was detected | 1 |
| Unsuccessful-user | Unsuccessful user privilege gain | 1 |
| Web-application-attack | Web application attack | 1 |
| Attempted-dos | Attempted denial of service | 2 |
| Attempted-recon | Attempted information leak | 2 |
| Bad-unknown | Potentially bad traffic | 2 |
| Default-login-attempt | Attempt to login by a default username and password | 2 |
| Denial-of-service | Detection of a denial of service attack | 2 |
| Misc-attack | Misc attack | 2 |
| Non-standard-protocol | Detection of a non-standard protocol or event | 2 |
| Rpc-portmap-decode | Decode of an RPC query | 2 |
| Successful-dos | Denial of service | 2 |
| Successful-recon-largescale | Large scale information leak | 2 |
| Successful-recon-limited | Information leak | 2 |
| Suspicious-filename-detect | A suspicious filename was detected | 2 |
| Suspicious-login | An attempted login using a suspicious username was detected | 2 |
| System-call-detect | A system call was detected | 2 |
| Unusual-client-port-connection | A client was using an unusual port | 2 |
| Web-application-activity | Access to a potentially vulnerable web application | 2 |
| Icmp-event | Generic ICMP event | 3 |
| Misc-activity | Misc activity | 3 |
| Network-scan | Detection of a network scan | 3 |
| Not-suspicious | Not suspicious traffic | 3 |
| Protocol-command-decode | Generic protocol command decode | 3 |
| String-detect | A suspicious string was detected | 3 |
| Unknown | Unknown traffic | 3 |
| Tcp-connection | A TCP connection was detected | 4 |