Re: [Emerging-Sigs] [Snort-sigs] New Classification System Proposal

[Darren Spruell <phatbuckett () gmail com>]

+1

I like the additional granularity this will provide although at the
expense of some complexity in rule creation and handling (thinking
SIEMs, etc.).

Nice bipartisan move with the various representative communities too,
well done! (Maybe US Congress could ... never mind).

DS

On Thu, Dec 23, 2010 at 2:02 PM, Matthew Jonkman
<jonkman () emergingthreatspro com> wrote:
> Reminder (sorry to spam)
>
> Go here to see the list, and leave comments, or discuss here on the list.
> http://blog.emergingthreatspro.com/2010/12/new-classification-system-proposal.html
>
> Matt
>
>
> On Dec 23, 2010, at 3:51 PM, Matthew Jonkman wrote:
>
> > Certainly glad to hear that Joel! I think it'll be a good thing for us all to have similar classifications.
> >
> > I'd like to encourage everyone that's interested to put in your suggestions for additions and changes now.
> >
> > How about we call a January 12 2011 end date for suggestions? That gets us through the holidays and a week or more 
> > of everyone back to work before we and it.
> >
> > (plus I'm in no hurry to start reclassifying 14,000 signatures... :) )
> >
> > Matt
> >
> > On Dec 23, 2010, at 2:25 PM, Joel Esler wrote:
> >
> > > All,
> > >
> > > (Apologize in advance for cross-posting)
> > > Have some news to share from our side.
> > >
> > > After discussion internally, we (Sourcefire) also like this format and are going to update the official shipping 
> > > snort.conf and the VRT rule sets to it as well.  We are creating a bug internally to do this, as we speak.
> > >
> > > Just a couple items however:
> > > 1.  We've already started writing the new classification.conf file (with new priorities and descriptions).  If you 
> > > have started on this, we'll be glad to use it, but we'll keep writing until we are told differently.
> > > 2.  We don't use "_", so we'll translate those over to "-".
> > > 3.  We also don't use uppercase in the keywords, so we'll translate those to lower case.
> > >
> > > For example: Exploit-SQL_Injection will become exploit-sql-injection
> > >
> > > I don't have a particular version of when we'll move over to the new format, but I'll be sure and keep the 
> > > community updated as we move along this course on the blog (http://blog.snort.org) and the VRT blog 
> > > (http://vrt-sourcefire.blogspot.com).
> > >
> > > Please feel free to email me with any questions!  Thanks!
> > >
> > > Joel Esler
> > > Manager, OpenSource Community
> > >
> > > On Dec 15, 2010, at 2:42 PM, Matthew Jonkman wrote:
> > >
> > > > Alienvault and Emerging Threats Pro have some very good news to share. Alienvault has been for some time working 
> > > > on and using a much more granular and expressive classification system for Snort and Suricata alerts. Emerging 
> > > > Threats and Emerging Threats Pro intend to adopt this classification system as an option for users, and we want to 
> > > > get your input. There are about 240 categories now, and we want to get everything added or changed that might be 
> > > > necessary while we're adopting the system.
> > > >
> > > > The proposed classification system is available here as well as being at the end of this message:
> > > >
> > > > http://www.emergingthreats.net/new_classifications_v1.txt
> > > >
> > > > We welcome your comment on what to add or change in this classification system. The goal is to make correlation 
> > > > and analysis systems able to make better decisions based on classifications, and potentially even allow blocking 
> > > > decisions to be made by classtype. The current classifications in use are vague and haven't been updated for some 
> > > > time, and many systems are making decisions based on them without much distinction between categories. So we'd 
> > > > like to make that better.
> > > >
> > > > Alienvault has done a lot of work in this area already and they'd like to push that out to the community. We'd 
> > > > like to take a week or two to let everyone look these over and comment, and then we'll get a version agreed upon 
> > > > and begin using that.
> > > >
> > > > For Emerging Threats and Emerging Threats Pro users it'll take us some time to reclassify the rules, but we'll get 
> > > > it done. We will publish two versions of the ruleset, one with the old classifications, and one with the new. The 
> > > > old classifications will be included in the new classifications file so we don't have any issues with backward 
> > > > compatible rules.
> > > >
> > > > We welcome other comments and concerns, but we're very excited about what Alienvault is donating to the community, 
> > > > and we're eager to implement!
> > > >
> > > > Please feel free to comment on the blog (http://blog/emergingthreatspro.com) or here.
> > > >
> > > >
> > > > Exploit-Shellcode
> > > > Exploit-SQL_Injection
> > > > Exploit-Browser
> > > > Exploit-ActiveX
> > > > Exploit-Command_Execution
> > > > Exploit-Cross_Site_Scripting
> > > > Exploit-FTP
> > > > Exploit-File_Inclusion
> > > > Exploit-Windows
> > > > Exploit-Directory_Traversal
> > > > Exploit-Attack_Response
> > > > Exploit-Denial_Of_Service
> > > > Exploit-PDF
> > > > Exploit-Buffer_Overflow
> > > > Exploit-Spoofing
> > > > Exploit-Format_String
> > > > Exploit-Misc
> > > > Exploit-DNS
> > > > Exploit-Mail
> > > > Exploit-Samba
> > > > Exploit-Linux
> > > > Authentication-Bruteforce
> > > > Authentication-Bypass
> > > > Authentication-Login
> > > > Authentication-Failed
> > > > Authentication-Cleartext
> > > > Authentication-Logout
> > > > Authentication-Disclosure
> > > > Authentication-Default_Credentials
> > > > Access-Web_Application_Access
> > > > Access-File_Access
> > > > Access-Misc
> > > > Malware-Spyware
> > > > Malware-Adware
> > > > Malware-Fake_Antivirus
> > > > Malware-KeyLogger
> > > > Malware-Trojan
> > > > Malware-Virus
> > > > Malware-Worm
> > > > Malware-Generic
> > > > Malware-Backdoor
> > > > Policy-Porn
> > > > Policy-P2P
> > > > Policy-Instant_Messaging_Chat
> > > > Policy-Anonymity
> > > > Policy-Games
> > > > Policy-Other
> > > > Denial_Of_Service-Web_Application
> > > > Denial_Of_Service-Application
> > > > Denial_Of_Service-Flood
> > > > Denial_Of_Service-DDoS
> > > > Suspicious-Blacklist_Address
> > > > Suspicious-Web_Attack_or_Scan
> > > > Suspicious-Bad_Traffic
> > > > Suspicious-Network_Activity
> > > > Suspicious-Scada_Activity
> > > > Suspicious-DNS_Activity
> > > > Suspicious-SSH_Activity
> > > > Suspicious-NFS_Activity
> > > > Suspicious-Database_Activity
> > > > Suspicious-Netbios_Activity
> > > > Suspicious-RPC_Activity
> > > > Suspicious-Mail_Activity
> > > > Network-TFTP_Activity
> > > > Network-FTP_Activity
> > > > Network-SNMP_Activity
> > > > Network-SMTP_Activity
> > > > Network-Telnet_Activity
> > > > Recon-Misc
> > > > Recon-Scanner
> > > > Info-Misc
> > > > Network-NTP_Activity
> > > > Network-SIP_Activity
> > > > Network-DHCP_Activity
> > > > Access-Firewall_Permit
> > > > Access-Firewall_Deny
> > > > Access-ACL_Permit
> > > > Access-ACL_Deny
> > > > Authentication-Policy_Added
> > > > Authentication-Policy_Changed
> > > > Authentication-Policy_Deleted
> > > > Authentication-FTP_Login_Succeeded
> > > > Authentication-FTP_Login_Failed
> > > > Authentication-Password_Change_Failed
> > > > Authentication-Password_Change_Succeeded
> > > > Authentication-User_Created
> > > > Authentication-User_Deleted
> > > > Authentication-User_Changed
> > > > Authentication-Admin_Access
> > > > Authentication-Group_Added
> > > > Authentication-Group_Deleted
> > > > Authentication-Group_Changed
> > > > Authentication-Auth_Required
> > > > Authentication-Account_Lockout
> > > > Authentication-Account_Unlocked
> > > > Malware-Virus_Detected
> > > > Antivirus-Virus_Detected
> > > > Antivirus-Virus_Quarantine
> > > > Antivirus-Virus_Quarantine_Failed
> > > > System-Configuration_Error
> > > > Antivirus-Definitions_Updated
> > > > Antivirus-Definitions_Updated_Failed
> > > > Antivirus-Unknown_Event
> > > > Antivirus-Started
> > > > Antivirus-Disabled
> > > > Antivirus-Scan_Started
> > > > Antivirus-Scan_Finished
> > > > Antivirus-Error
> > > > Application-Web_Opened
> > > > Application-Web_Closed
> > > > Application-Web_Reset
> > > > Application-Web_Terminated
> > > > Application-Web_Denied
> > > > Application-Web_Redirected
> > > > Application-Web_Proxy
> > > > Application-Web_Error
> > > > Application-Web_Misc
> > > > Application-Web_Not_Found
> > > > Access-Traffic_Inbound
> > > > Access-Traffic_Outbound
> > > > Access-Firewall_Misc_Event
> > > > Suspicious-Network_Anomaly
> > > > Suspicious-DNS_Protocol_Anomaly
> > > > Suspicious-SSH_Protocol_Anomaly
> > > > Suspicious-Telnet_Protocol_Anomaly
> > > > Suspicious-HTTP_Protocol_Anomaly
> > > > Suspicious-Mail_Protocol_Anomaly
> > > > Suspicious-FTP_Protocol_Anomaly
> > > > Suspicious-Threshold_Exceeded
> > > > Denial_Of_Service-Other
> > > > Access-File_Blocked
> > > > Access-Tunnel_Connection
> > > > Access-Tunnel_Closed
> > > > System-Warning
> > > > System-Emergency
> > > > System-Critical
> > > > System-Error
> > > > System-Notification
> > > > System-Information
> > > > System-Debug
> > > > System-Alert
> > > > Access-Connection_Opened
> > > > Access-Connection_Closed
> > > > Access-Timeout
> > > > System-Service_Started
> > > > System-Service_Stopped
> > > > System-Process_Started
> > > > System-Process_Stopped
> > > > Application-Spam_Detected
> > > > Application-Mail_Dropped
> > > > System-Restart
> > > > System-Started
> > > > System-Stopped
> > > > System-Locked
> > > > System-Unlocked
> > > > Network-IKE_Activity
> > > > Network-H.323_Activity
> > > > Network-PPP_Activity
> > > > Network-OCSP_Activity
> > > > Network-L2TP_Activity
> > > > Network-RIP_Activity
> > > > Network-PPTP_Activity
> > > > Network-SSL_Activity
> > > > Network-IGMP_Activity
> > > > Network-IPSEC_Activity
> > > > Network-PKI_Activity
> > > > Voip-Call_Started
> > > > Voip-Call_Ended
> > > > Voip-Misc
> > > > Network-BOOTP_Activity
> > > > Alert-IDS_Alert
> > > > Alert-IPS_Alert
> > > > Alert-HostIDS_Alert
> > > > Application-Mail_Sent
> > > > Application-Mail_Server_Misc
> > > > Application-Mail_Received
> > > > Availability-State_Up
> > > > Availability-State_Down
> > > > Availability-State_Critical
> > > > Availability-State_Warning
> > > > Availability-State_Unknown
> > > > Availability-State_Unreachable
> > > > Application-VPN_Opened
> > > > Application-VPN_Closed
> > > > Application-VPN_Denied
> > > > Application-VPN_Misc
> > > > System-Configuration_Changed
> > > > Network-Misc
> > > > Policy-Phishing
> > > > Wireless-New_Network
> > > > Wireless-Client_Associated
> > > > Wireless-Flood
> > > > Wireless-Disassociation
> > > > Wireless-Deauthentication
> > > > Wireless-Anomaly
> > > > Wireless-Spoofing
> > > > Wireless-Scanner_Detected
> > > > Wireless-Misc
> > > > Wireless-Probe
> > > > Inventory-Service_Detected
> > > > Inventory-Service_Change
> > > > Inventory-Service_Misc
> > > > Inventory-Operating_System_Detected
> > > > Inventory-Operating_System_Change
> > > > Inventory-Operating_System_Misc
> > > > Inventory-Mac_Detected
> > > > Inventory-Mac_Change
> > > > Inventory-Mac_Misc
> > > > Policy-Check_Failed
> > > > Policy-Check_Passed
> > > > Network-High_Load
> > > > Authentication-Error
> > > > Application-Web_Modified
> > > > Authentication-Misc
> > > > Application-DHCP_Release
> > > > Application-DHCP_Misc
> > > > Application-DHCP_Request
> > > > Application-DHCP_Lease
> > > > Application-DHCP_Pool_Exhausted
> > > > Application-DHCP_Error
> > > > System-Software_Installed
> > > > Honeypot-Connection_Opened
> > > > Honeypot-Attack_Detected
> > > > Honeypot-Connection_Closed
> > > > Honeypot-Misc
> > > > Application-DNS_Succesful_Zone_Tranfer
> > > > Application-DNS_Zone_Transfer_Failed
> > > > Application-DNS_Misc
> > > > Application-FTP_Command_Executed
> > > > Application-FTP_Error
> > > > Application-FTP_Connection_Opened
> > > > Application-FTP_Connection_Closed
> > > > Application-FTP_Misc
> > > > Database-Login
> > > > Database-Login_Failed
> > > > Database-Query
> > > > Database-Logout
> > > > Database-Stop
> > > > Database-Start
> > > > Database-Error
> > > > Database-Misc
> > > >
> > > >
> > > > ----------------------------------------------------
> > > > Matthew Jonkman
> > > > Emergingthreats.net
> > > > Emerging Threats Pro
> > > > Open Information Security Foundation (OISF)
> > > > Phone 765-807-8630
> > > > Fax 312-264-0205
> > > > http://www.emergingthreatspro.com
> > > > http://www.openinfosecfoundation.org
> > > > ----------------------------------------------------
> > > >
> > > > PGP: http://www.jonkmans.com/mattjonkman.asc
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > Emerging-sigs mailing list
> > > > Emerging-sigs () emergingthreats net
> > > > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> > > >
> > > > Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> > > > The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
> >
> >
> > ----------------------------------------------------
> > Matthew Jonkman
> > Emergingthreats.net
> > Emerging Threats Pro
> > Open Information Security Foundation (OISF)
> > Phone 765-807-8630
> > Fax 312-264-0205
> > http://www.emergingthreatspro.com
> > http://www.openinfosecfoundation.org
> > ----------------------------------------------------
> >
> > PGP: http://www.jonkmans.com/mattjonkman.asc
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Learn how Oracle Real Application Clusters (RAC) One Node allows customers
> > to consolidate database storage, standardize their database environment, and,
> > should the need arise, upgrade to a full multi-node Oracle RAC database
> > without downtime or disruption
> > http://p.sf.net/sfu/oracle-sfdevnl
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630
> Fax 312-264-0205
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs () emergingthreats net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!



-- 
Darren Spruell
phatbuckett () gmail com

------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users