Snort mailing list archives
Re: [Snort-devel] classification changes
From: Chris Green <cmg () uab edu>
Date: 23 May 2001 11:24:26 -0500
Brian Caswell <bmc () mitre org> writes:
>> I don't think url-access/exploit are any different than attempted-user
>> in the large scheme of things.
>
> Actually, I do. One is an exploit. One is just a probe. I'm much more
> concerned if someone does /scripts/../../../winnt/cmd.exe than if they
> do /cgi-bin/phf

That's what I was trying to say. Didn't say it clearly enough.

service-probe for like a bind.version
attempted-admin for a root exploit
attempted-user for an exploit that will give you nobody privileges

phf would be a service-probe, cmd would be an attempted-user.

I was arguing that url-attempt / url-exploit are the same as a service-probe and an attempted-user-exploit.

>> host-mapping == os identification? That sounds like a specific information
>
> host-mapping would contain NMAP probes, and things host -> many hosts
> targeting a single port. Actually, I will be releasing HOMER soon, an
> alert correlation engine that we at MITRE have developed. (See the SANS
> paper on Intrusion Detection & Data Mining) This classification is used
> by those things.

Ah, I would have called host-mapping "network-mapping".

--
Chris Green <cmg () uab edu>
"Yeah, but you're taking the universe out of context."