Snort mailing list archives
Re: new classifications (followup)
From: Jim Forster <jforster () rapidnet com>
Date: Wed, 3 Oct 2001 21:26:27 -0600 (MDT)
I alter most of it currently, and I do like the new list. I must say the 'kickass-porn' was a nice addition to the 'warez-kiddie' and 'hates-his-job' classifications I already use. ;)

Jim Forster
Network Administrator
RapidNet, A Golden West Company
-------------------------------

On Wed, 3 Oct 2001, Brian wrote:
Since a large number of people e-mailed me privately, I'll respond to the list with our reasoning for the new classifications.

1) IDMEF is going to be a standard. However, according to the last version I read, IIRC, the classification scheme is a SUGGESTION, not a standard. There is NO standard of classifications. The classifications (other than kickass-porn) come from an initial round of CIEL (CVE for IDS) classifications that we were kicking around at MITRE. It has some flaws, it needs some work, but for our uses it's good enough for now.

2) With our current system, too many attacks get classified as "probe" or "attempted-admin" without a good method of telling the difference between two signatures of the same classification. Because we use classification as a method of deciding default priorities for signatures, our current method requires a huge amount of work for an IDS admin to prioritize things by what type of attack they are.

3) The classification "kickass-porn" is just a name. The description does not have to be the default. BUT many people have asked (and dragon has provided) for a method of tracking corporate policy based traffic. Activities like job hunting sites, porn, distributed file sharing all fall into the 'policy' group of signatures. We are slowly going to start providing signatures that look for this type of traffic. Be on the lookout for additional classifications that deal with other signatures like these.

Keep in mind, the entire reason I am doing this is to make my life easier. I want to be able to configure my signatures with ease. I want to be able to raise and lower signature priorities by class without a huge effort.

FYI, the signature development that I do? It's all about me. I need it. Since I know that I need it, I'm sure other people do as well. Things that bother me, I'm sure bother someone else as well. So I share the wealth.

If anyone has any suggestions, let us know. Since this benefits all of us, this is something snorters should think about.

-brian

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
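Brian's second point is that a rule's default priority is derived from its classification, so changing one classification line re-prioritizes every rule of that class at once, while a rule that carries its own priority: keyword keeps it. The script below is an added example written for this archive page, not code from the thread or from the Snort project. It parses a small, constructed classification.config fragment and a few constructed rules (hypothetical sids and descriptions, including a made-up description for kickass-porn) and resolves the effective priority of each rule; the value used for a rule with neither classtype nor priority is an assumption made for the example, not a documented Snort default.

```python
"""Resolve Snort 2 rule priorities from classtype: a rule inherits the priority of
its classtype from classification.config unless it carries its own priority: keyword."""
import re

# Constructed sample in the classification.config format
# ("config classification: name,description,priority"); not the real Snort file.
CLASSIFICATION_CONFIG = """\
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: kickass-porn,Policy: adult content,1
config classification: misc-activity,Misc activity,3
"""

# Constructed sample rules; sids are hypothetical local-range values.
RULES = """\
alert tcp any any -> any 80 (msg:"WEB sample admin attempt"; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"WEB sample recon"; classtype:attempted-recon; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"POLICY sample job site"; classtype:policy-violation; priority:3; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"POLICY sample adult site"; classtype:kickass-porn; sid:1000004; rev:1;)
alert tcp any any -> any 80 (msg:"MISC no classtype"; sid:1000005; rev:1;)
"""

# Assumption for this example only: a rule with neither classtype nor priority
# is treated as the lowest level (3).
UNCLASSIFIED_PRIORITY = 3

CLASS_RE = re.compile(r'^config classification:\s*([^,]+),([^,]*),(\d+)\s*$')
# One rule option: keyword, colon, then either a quoted string or bare text up to ';'
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_classifications(text):
    """Map classtype name -> (description, default priority)."""
    classes = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = CLASS_RE.match(line)
        if not m:
            raise ValueError('bad classification line %d: %r' % (lineno, line))
        name, desc, prio = m.groups()
        classes[name.strip()] = (desc.strip(), int(prio))
    return classes


def parse_rules(text):
    """Return one dict per rule with sid, msg, classtype and any explicit priority."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        # Rule headers contain no parentheses, so the option block is the outermost (...)
        body = line[line.index('(') + 1:line.rindex(')')]
        opts = {k: v.strip().strip('"') for k, v in OPT_RE.findall(body)}
        rules.append({
            'sid': int(opts['sid']),
            'msg': opts.get('msg', ''),
            'classtype': opts.get('classtype'),
            'priority': int(opts['priority']) if 'priority' in opts else None,
        })
    return rules


def effective_priority(rule, classes, unclassified=UNCLASSIFIED_PRIORITY):
    """Explicit priority: wins; otherwise the classtype's default; otherwise the assumed fallback."""
    if rule['priority'] is not None:
        return rule['priority']
    if rule['classtype'] is not None:
        if rule['classtype'] not in classes:
            raise KeyError('unknown classtype %r in sid %d' % (rule['classtype'], rule['sid']))
        return classes[rule['classtype']][1]
    return unclassified


def priorities(classes, rules):
    """sid -> effective priority for every rule."""
    return {r['sid']: effective_priority(r, classes) for r in rules}


def reprioritize_class(classes, name, new_priority):
    """Edit one classification line; every rule of that class without its own priority: follows."""
    desc, _ = classes[name]
    updated = dict(classes)
    updated[name] = (desc, new_priority)
    return updated


if __name__ == '__main__':
    classes = parse_classifications(CLASSIFICATION_CONFIG)
    rules = parse_rules(RULES)
    before = priorities(classes, rules)
    # Raise all attempted-recon signatures with a single change to the class, not to each rule.
    after = priorities(reprioritize_class(classes, 'attempted-recon', 1), rules)
    for r in rules:
        print('sid %d %-25s class=%-16s before=%d after=%d' % (
            r['sid'], r['msg'], r['classtype'], before[r['sid']], after[r['sid']]))
```

Running it shows sid 1000002 moving from priority 2 to 1 when the attempted-recon class is raised, while sid 1000003 stays at 3 because its explicit priority: overrides the policy-violation default.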
Current thread:
- new classifications (followup) Brian (Oct 03)
- Re: new classifications (followup) Jim Forster (Oct 03)