Snort mailing list archives
Re: [Snort-devel] classification changes
From: Chris Green <cmg () uab edu>
Date: 23 May 2001 08:16:17 -0500
[ is there anyone on devel that isn't on users? ] Brian Caswell <bmc () mitre org> writes:
> We are going to change the classification for the Snort.org ruleset. Sorry IDWG guys, your classifications. The IDWG classifications are just not viable. I tried. It's really bad.
Yes, for right now a good bit of the priorities aren't worth watching. This is partially due to weird classifications like "bad-unknown" and partially due to snort not having a way to easily differentiate between an attempted- and a successful-. To do this, nearly a whole set of rules that operate only on stuff once tagged seems to be needed to separate the CMD.EXE 200's from the CMD.EXE 404s or whatever.
> Attached is the classification.config that will be included with snort 1.8.1 (Well, included into CVS as soon as I can clean up the rules). If you have wishes/requests for default classifications, let me know ASAP. I will start changing rules within the next 2 days.
At least keep the same order that was already defined, where larger numerical magnitude means higher priority. I don't think url-access/exploit are any different than attempted-user in the large scheme of things.

service-probe for like a bind.version
attempted-admin for a root exploit
attempted-user for an exploit that will give you nobody privileges
host-mapping == os identification? That sounds like a specific information
> --
> Brian Caswell
> The MITRE Corporation
>
> config classification: information,Informational Alert,4
> config classification: policy-violation,Policy Violation,3
> config classification: port-access,Port Scan,3
> config classification: information-leak,Information Leak,3
> config classification: misc-suspicious,Suspicious Traffic,2
> config classification: port-scan,Port Scan,2
> config classification: host-mapping,Host Mapping,2
> config classification: attack-responce,Responce from an Attack,2
> config classification: attempted-url-access,Attempted URL Access,2
> config classification: attempted-url-exploit,Attempted URL Exploit,1
> config classification: attempted-admin, Attempted User Privilage Gain,1
> config classification: attempted-user, Attempted Administrative Privilage Gain,1
--
Chris Green <cmg () uab edu>
A good pun is its own reword.
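To make the effect of the attached file concrete, here is an added example (my own code, not part of this thread or of the Snort distribution) that parses `config classification:` lines in the format quoted above and resolves the alert priority of individual rules from their `classtype`. The draft's own lines are used as sample input, spelling included. The example assumes the standard rule-option syntax (`classtype:name;`) and that an explicit `priority:N;` option overrides the classtype default, as in later Snort releases; the sample rules are constructed for the demonstration.

```python
"""Parse Snort-style 'config classification:' lines and rank rules by them."""
import re
from dataclasses import dataclass

# Sample input: the draft classification.config quoted in the thread, as posted.
CLASSIFICATION_CONFIG = """\
config classification: information,Informational Alert,4
config classification: policy-violation,Policy Violation,3
config classification: port-access,Port Scan,3
config classification: information-leak,Information Leak,3
config classification: misc-suspicious,Suspicious Traffic,2
config classification: port-scan,Port Scan,2
config classification: host-mapping,Host Mapping,2
config classification: attack-responce,Responce from an Attack,2
config classification: attempted-url-access,Attempted URL Access,2
config classification: attempted-url-exploit,Attempted URL Exploit,1
config classification: attempted-admin, Attempted User Privilage Gain,1
config classification: attempted-user, Attempted Administrative Privilage Gain,1
"""

# Constructed rules for the demonstration (not from the Snort.org ruleset).
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"cmd.exe request"; classtype:attempted-admin; sid:9001;)',
    'alert udp any any -> any 53 (msg:"bind.version query"; classtype:host-mapping; sid:9002;)',
    'alert tcp any any -> any 80 (msg:"odd user-agent"; classtype:misc-suspicious; priority:3; sid:9003;)',
]

# name,description,priority with optional whitespace around the commas,
# which the draft uses inconsistently ("attempted-admin, Attempted ...").
CLASSIFICATION_RE = re.compile(
    r"^\s*config\s+classification:\s*"
    r"(?P<name>[^,]+?)\s*,\s*(?P<desc>[^,]+?)\s*,\s*(?P<prio>\d+)\s*$"
)
CLASSTYPE_RE = re.compile(r"classtype\s*:\s*([^;\s]+)\s*;")
PRIORITY_RE = re.compile(r"priority\s*:\s*(\d+)\s*;")


@dataclass(frozen=True)
class Classification:
    name: str
    description: str
    priority: int


def parse_classifications(text):
    """Return {classtype name: Classification}; reject malformed or duplicate lines."""
    classes = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CLASSIFICATION_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a classification line: {line!r}")
        name = m.group("name")
        if name in classes:
            raise ValueError(f"line {lineno}: duplicate classtype {name!r}")
        classes[name] = Classification(name, m.group("desc"), int(m.group("prio")))
    return classes


def rule_priority(rule, classes):
    """Resolve one rule's priority: explicit priority option wins, else the classtype's.

    Returns None when the rule carries neither; raises on an undefined classtype,
    which is the mistake a ruleset edit like the one described in the thread invites.
    """
    m = PRIORITY_RE.search(rule)
    if m:
        return int(m.group(1))
    m = CLASSTYPE_RE.search(rule)
    if not m:
        return None
    cls = classes.get(m.group(1))
    if cls is None:
        raise ValueError(f"undefined classtype {m.group(1)!r}")
    return cls.priority


def rank_rules(rules, classes):
    """Return (priority, sid) pairs, most severe first.

    The draft above numbers the most severe class 1 and informational 4, so the
    sort is ascending; Chris's "larger magnitude means higher priority" convention
    would simply reverse it.
    """
    ranked = []
    for rule in rules:
        sid = re.search(r"sid\s*:\s*(\d+)\s*;", rule).group(1)
        ranked.append((rule_priority(rule, classes), int(sid)))
    return sorted(ranked)


if __name__ == "__main__":
    table = parse_classifications(CLASSIFICATION_CONFIG)
    for prio, sid in rank_rules(SAMPLE_RULES, table):
        print(f"priority {prio}: sid {sid}")
```

Feeding the draft through `parse_classifications` is also a quick way to check a proposed classification file for duplicate names or malformed lines before it ships with a release, since a classtype referenced by a rule but absent from the file shows up as a `ValueError` from `rule_priority` rather than as a silently unranked alert.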
Current thread:
- classification changes Brian Caswell (May 22)
- Re: [Snort-devel] classification changes Chris Green (May 23)
- Re: [Snort-devel] classification changes Brian Caswell (May 23)
- Re: [Snort-devel] classification changes Chris Green (May 23)
- Re: Re: [Snort-devel] classification changes Mike Johnson (May 23)
- Re: [Snort-devel] classification changes Brian Caswell (May 23)
- Re: classification changes Max Vision (May 23)
- Re: [Snort-devel] classification changes Joe McAlerney (May 23)
- Re: [Snort-devel] classification changes Chris Green (May 23)