Snort mailing list archives
Re: [Snort-sigs] [Emerging-Sigs] New Classification System Proposal
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 23 Dec 2010 14:39:10 -0500
On Dec 23, 2010, at 2:36 PM, Victor Julien wrote:
> On 12/23/2010 08:25 PM, Joel Esler wrote:
>> All,
>>
>> (Apologize in advance for cross-posting)
>>
>> Have some news to share from our side. After discussion internally, we (Sourcefire) also like this format and are going to update the official shipping snort.conf and the VRT rule sets to it as well. We are creating a bug internally to do this, as we speak.
>>
>> Just a couple items however:
>>
>> 1. We've already started writing the new classification.conf file (with new priorities and descriptions). If you have started on this, we'll be glad to use it, but we'll keep writing until we are told differently.
>> 2. We don't use "_", so we'll translate those over to "-".
>> 3. We also don't use uppercase in the keywords, so we'll translate those to lower case.
>>
>> For example:
>> Exploit-SQL_Injection will become exploit-sql-injection
>>
>> I don't have a particular version of when we'll move over to the new format, but I'll be sure and keep the community updated as we move along this course on the blog (http://blog.snort.org) and the VRT blog (http://vrt-sourcefire.blogspot.com).
>
> Hi Joel,
>
> how do you feel about having multiple classifications per signature? Like sort of using classifications as "tags"?

It's an interesting idea. I'll bring it up.

Thanks Victor.

Joel