Snort mailing list archives
Re: New Proposed Classification.config file setup
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 23 Dec 2010 22:54:13 -0500
On Thu, Dec 23, 2010 at 5:27 PM, Joel Esler <jesler () sourcefire com> wrote:
> As mentioned earlier, here's the proposed Classification.config file setup posted and available for download here: http://blog.snort.org/2010/12/new-proposed-classificationconfig-file.html
>
> Please take a look, leave comments preferably on the blog, but also here would be fine.
It appears that there are two levels of information here, why not have a class and subclass? For example:

classification: exploit-shellcode
classification: exploit-sql-injection
classification: exploit-browser

should maybe be

category: exploit; class: shellcode;
category: exploit; class: sql-injection;
category: exploit; class: browser;

Having the different levels of granularity could be useful for things like real-time response mechanisms that act on just the category or whatever. Just thinking out loud here.

Furthermore, maybe we should be thinking about really fixing the classification system with static value assignments for categories and classes and mappings between values and human readable strings. I imagine this could make machine processing easier if we had output options that could generate either (more easily) machine readable or human readable data. This would also make the runtime loading more sane, no more classification.config line order-dependent classifications. I mean, if we're going to fix it why not fix it right?

Any log management/SIEM people paying attention on-list? This is a chance to make your lives easier if you've got any input!

Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
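The following is an added example, not code from this thread, from Snort or from Sourcefire. It models the scheme Marty sketches: a two-level category/class taxonomy where every category and class carries a static numeric id assigned in the file, so an id maps to a human-readable name and back, and the loaded result cannot depend on the order of lines. The file syntax (`category: id,name,description` and `class: catid.clsid,name,description,priority`), the sample lines and all function names are constructed for this example and are not Snort's classification.config grammar.

```python
"""Two-level, statically numbered classification taxonomy (constructed
example; the file syntax is NOT Snort's classification.config grammar).
Ids come from the file, never from line position, so reordering lines
cannot change any mapping, and duplicate ids are rejected outright."""
import re
from dataclasses import dataclass

# Constructed sample config (not a real classification.config).
SAMPLE_CONFIG = """\
# category: <id>,<name>,<description>
category: 1,exploit,Exploit attempt
category: 2,policy,Policy violation
# class: <category-id>.<class-id>,<name>,<description>,<priority>
class: 1.3,browser,Web browser exploit,1
class: 1.1,shellcode,Executable code was detected,1
class: 1.2,sql-injection,SQL injection attempt,1
class: 2.1,chat,Chat protocol in use,3
"""

_CATEGORY_RE = re.compile(r"^category:\s*(\d+),([\w-]+),(.*)$")
_CLASS_RE = re.compile(r"^class:\s*(\d+)\.(\d+),([\w-]+),(.*),(\d+)$")


@dataclass(frozen=True)
class Category:
    id: int
    name: str
    description: str


@dataclass(frozen=True)
class Classification:
    category_id: int
    class_id: int
    name: str
    description: str
    priority: int


@dataclass
class Taxonomy:
    categories: dict  # category id -> Category
    classes: dict     # (category id, class id) -> Classification

    def human(self, category_id, class_id):
        """Numeric (category, class) -> composite string such as
        'exploit-shellcode', i.e. today's single classtype name."""
        cat = self.categories[category_id]
        cls = self.classes[(category_id, class_id)]
        return f"{cat.name}-{cls.name}"

    def machine(self, composite_name):
        """Reverse mapping: composite name -> (category id, class id)."""
        for (cat_id, cls_id), cls in self.classes.items():
            if f"{self.categories[cat_id].name}-{cls.name}" == composite_name:
                return (cat_id, cls_id)
        raise KeyError(composite_name)


def parse_config(text):
    """Parse the constructed format into a Taxonomy."""
    categories, classes, pending = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := _CATEGORY_RE.match(line):
            cat = Category(int(m[1]), m[2], m[3].strip())
            if cat.id in categories:
                raise ValueError(f"duplicate category id {cat.id}")
            categories[cat.id] = cat
        elif m := _CLASS_RE.match(line):
            pending.append(Classification(int(m[1]), int(m[2]), m[3],
                                          m[4].strip(), int(m[5])))
        else:
            raise ValueError(f"unparseable line: {line!r}")
    # Resolve classes only after every category is known, so a class line
    # may legitimately appear before its category line in the file.
    for cls in pending:
        key = (cls.category_id, cls.class_id)
        if cls.category_id not in categories:
            raise ValueError(f"class {cls.name}: unknown category {cls.category_id}")
        if key in classes:
            raise ValueError(f"duplicate class id {key}")
        classes[key] = cls
    return Taxonomy(categories, classes)


def category_of(taxonomy, composite_name):
    """What a category-level responder keys on: just the category id."""
    return taxonomy.machine(composite_name)[0]


def same_taxonomy_regardless_of_order(text):
    """Order independence: the reversed file yields an identical taxonomy."""
    reversed_text = "\n".join(reversed(text.splitlines()))
    return parse_config(text) == parse_config(reversed_text)


if __name__ == "__main__":
    tax = parse_config(SAMPLE_CONFIG)
    print(tax.human(1, 1), tax.machine("exploit-sql-injection"))
    print("order independent:", same_taxonomy_regardless_of_order(SAMPLE_CONFIG))
```

The two dataclass dictionaries compare by content, so `same_taxonomy_regardless_of_order` returning `True` is exactly the property the thread asks for; a responder that only needs the coarse level calls `category_of` and never touches class names, and a SIEM that wants compact records stores the `(category, class)` pair and resolves it through `human` on display.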