Snort mailing list archives
Re: [Emerging-Sigs] [Snort-sigs] New Classification System Proposal
From: Darren Spruell <phatbuckett () gmail com>
Date: Thu, 23 Dec 2010 16:05:56 -0700
+1 I like the additional granularity this will provide although at the expense of some complexity in rule creation and handling (thinking SIEMs, etc.). Nice bipartisan move with the various representative communities too, well done! (Maybe US Congress could ... never mind).

DS

On Thu, Dec 23, 2010 at 2:02 PM, Matthew Jonkman <jonkman () emergingthreatspro com> wrote:
Reminder (sorry to spam)

Go here to see the list, and leave comments, or discuss here on the list.

http://blog.emergingthreatspro.com/2010/12/new-classification-system-proposal.html

Matt

On Dec 23, 2010, at 3:51 PM, Matthew Jonkman wrote:

Certainly glad to hear that Joel! I think it'll be a good thing for us all to have similar classifications.

I'd like to encourage everyone that's interested to put in your suggestions for additions and changes now. How about we call a January 12 2011 end date for suggestions? That gets us through the holidays and a week or more of everyone back to work before we end it. (plus I'm in no hurry to start reclassifying 14,000 signatures... :) )

Matt

On Dec 23, 2010, at 2:25 PM, Joel Esler wrote:

All,

(Apologize in advance for cross-posting)

Have some news to share from our side. After discussion internally, we (Sourcefire) also like this format and are going to update the official shipping snort.conf and the VRT rule sets to it as well. We are creating a bug internally to do this, as we speak.

Just a couple items however:

1. We've already started writing the new classification.conf file (with new priorities and descriptions). If you have started on this, we'll be glad to use it, but we'll keep writing until we are told differently.
2. We don't use "_", so we'll translate those over to "-".
3. We also don't use uppercase in the keywords, so we'll translate those to lower case. For example: Exploit-SQL_Injection will become exploit-sql-injection

I don't have a particular version of when we'll move over to the new format, but I'll be sure and keep the community updated as we move along this course on the blog (http://blog.snort.org) and the VRT blog (http://vrt-sourcefire.blogspot.com).

Please feel free to email me with any questions!

Thanks!

Joel Esler
Manager, OpenSource Community

On Dec 15, 2010, at 2:42 PM, Matthew Jonkman wrote:

Alienvault and Emerging Threats Pro have some very good news to share.
Alienvault has been for some time working on and using a much more granular and expressive classification system for Snort and Suricata alerts. Emerging Threats and Emerging Threats Pro intend to adopt this classification system as an option for users, and we want to get your input.

There are about 240 categories now, and we want to get everything added or changed that might be necessary while we're adopting the system. The proposed classification system is available here as well as being at the end of this message:

http://www.emergingthreats.net/new_classifications_v1.txt

We welcome your comment on what to add or change in this classification system. The goal is to make correlation and analysis systems able to make better decisions based on classifications, and potentially even allow blocking decisions to be made by classtype. The current classifications in use are vague and haven't been updated for some time, and many systems are making decisions based on them without much distinction between categories. So we'd like to make that better. Alienvault has done a lot of work in this area already and they'd like to push that out to the community.

We'd like to take a week or two to let everyone look these over and comment, and then we'll get a version agreed upon and begin using that. For Emerging Threats and Emerging Threats Pro users it'll take us some time to reclassify the rules, but we'll get it done. We will publish two versions of the ruleset, one with the old classifications, and one with the new. The old classifications will be included in the new classifications file so we don't have any issues with backward compatible rules.

We welcome other comments and concerns, but we're very excited about what Alienvault is donating to the community, and we're eager to implement!

Please feel free to comment on the blog (http://blog/emergingthreatspro.com) or here.
Exploit-Shellcode
Exploit-SQL_Injection
Exploit-Browser
Exploit-ActiveX
Exploit-Command_Execution
Exploit-Cross_Site_Scripting
Exploit-FTP
Exploit-File_Inclusion
Exploit-Windows
Exploit-Directory_Traversal
Exploit-Attack_Response
Exploit-Denial_Of_Service
Exploit-PDF
Exploit-Buffer_Overflow
Exploit-Spoofing
Exploit-Format_String
Exploit-Misc
Exploit-DNS
Exploit-Mail
Exploit-Samba
Exploit-Linux
Authentication-Bruteforce
Authentication-Bypass
Authentication-Login
Authentication-Failed
Authentication-Cleartext
Authentication-Logout
Authentication-Disclosure
Authentication-Default_Credentials
Access-Web_Application_Access
Access-File_Access
Access-Misc
Malware-Spyware
Malware-Adware
Malware-Fake_Antivirus
Malware-KeyLogger
Malware-Trojan
Malware-Virus
Malware-Worm
Malware-Generic
Malware-Backdoor
Policy-Porn
Policy-P2P
Policy-Instant_Messaging_Chat
Policy-Anonymity
Policy-Games
Policy-Other
Denial_Of_Service-Web_Application
Denial_Of_Service-Application
Denial_Of_Service-Flood
Denial_Of_Service-DDoS
Suspicious-Blacklist_Address
Suspicious-Web_Attack_or_Scan
Suspicious-Bad_Traffic
Suspicious-Network_Activity
Suspicious-Scada_Activity
Suspicious-DNS_Activity
Suspicious-SSH_Activity
Suspicious-NFS_Activity
Suspicious-Database_Activity
Suspicious-Netbios_Activity
Suspicious-RPC_Activity
Suspicious-Mail_Activity
Network-TFTP_Activity
Network-FTP_Activity
Network-SNMP_Activity
Network-SMTP_Activity
Network-Telnet_Activity
Recon-Misc
Recon-Scanner
Info-Misc
Network-NTP_Activity
Network-SIP_Activity
Network-DHCP_Activity
Access-Firewall_Permit
Access-Firewall_Deny
Access-ACL_Permit
Access-ACL_Deny
Authentication-Policy_Added
Authentication-Policy_Changed
Authentication-Policy_Deleted
Authentication-FTP_Login_Succeeded
Authentication-FTP_Login_Failed
Authentication-Password_Change_Failed
Authentication-Password_Change_Succeeded
Authentication-User_Created
Authentication-User_Deleted
Authentication-User_Changed
Authentication-Admin_Access
Authentication-Group_Added
Authentication-Group_Deleted
Authentication-Group_Changed
Authentication-Auth_Required
Authentication-Account_Lockout
Authentication-Account_Unlocked
Malware-Virus_Detected
Antivirus-Virus_Detected
Antivirus-Virus_Quarantine
Antivirus-Virus_Quarantine_Failed
System-Configuration_Error
Antivirus-Definitions_Updated
Antivirus-Definitions_Updated_Failed
Antivirus-Unknown_Event
Antivirus-Started
Antivirus-Disabled
Antivirus-Scan_Started
Antivirus-Scan_Finished
Antivirus-Error
Application-Web_Opened
Application-Web_Closed
Application-Web_Reset
Application-Web_Terminated
Application-Web_Denied
Application-Web_Redirected
Application-Web_Proxy
Application-Web_Error
Application-Web_Misc
Application-Web_Not_Found
Access-Traffic_Inbound
Access-Traffic_Outbound
Access-Firewall_Misc_Event
Suspicious-Network_Anomaly
Suspicious-DNS_Protocol_Anomaly
Suspicious-SSH_Protocol_Anomaly
Suspicious-Telnet_Protocol_Anomaly
Suspicious-HTTP_Protocol_Anomaly
Suspicious-Mail_Protocol_Anomaly
Suspicious-FTP_Protocol_Anomaly
Suspicious-Threshold_Exceeded
Denial_Of_Service-Other
Access-File_Blocked
Access-Tunnel_Connection
Access-Tunnel_Closed
System-Warning
System-Emergency
System-Critical
System-Error
System-Notification
System-Information
System-Debug
System-Alert
Access-Connection_Opened
Access-Connection_Closed
Access-Timeout
System-Service_Started
System-Service_Stopped
System-Process_Started
System-Process_Stopped
Application-Spam_Detected
Application-Mail_Dropped
System-Restart
System-Started
System-Stopped
System-Locked
System-Unlocked
Network-IKE_Activity
Network-H.323_Activity
Network-PPP_Activity
Network-OCSP_Activity
Network-L2TP_Activity
Network-RIP_Activity
Network-PPTP_Activity
Network-SSL_Activity
Network-IGMP_Activity
Network-IPSEC_Activity
Network-PKI_Activity
Voip-Call_Started
Voip-Call_Ended
Voip-Misc
Network-BOOTP_Activity
Alert-IDS_Alert
Alert-IPS_Alert
Alert-HostIDS_Alert
Application-Mail_Sent
Application-Mail_Server_Misc
Application-Mail_Received
Availability-State_Up
Availability-State_Down
Availability-State_Critical
Availability-State_Warning
Availability-State_Unknown
Availability-State_Unreachable
Application-VPN_Opened
Application-VPN_Closed
Application-VPN_Denied
Application-VPN_Misc
System-Configuration_Changed
Network-Misc
Policy-Phishing
Wireless-New_Network
Wireless-Client_Associated
Wireless-Flood
Wireless-Disassociation
Wireless-Deauthentication
Wireless-Anomaly
Wireless-Spoofing
Wireless-Scanner_Detected
Wireless-Misc
Wireless-Probe
Inventory-Service_Detected
Inventory-Service_Change
Inventory-Service_Misc
Inventory-Operating_System_Detected
Inventory-Operating_System_Change
Inventory-Operating_System_Misc
Inventory-Mac_Detected
Inventory-Mac_Change
Inventory-Mac_Misc
Policy-Check_Failed
Policy-Check_Passed
Network-High_Load
Authentication-Error
Application-Web_Modified
Authentication-Misc
Application-DHCP_Release
Application-DHCP_Misc
Application-DHCP_Request
Application-DHCP_Lease
Application-DHCP_Pool_Exhausted
Application-DHCP_Error
System-Software_Installed
Honeypot-Connection_Opened
Honeypot-Attack_Detected
Honeypot-Connection_Closed
Honeypot-Misc
Application-DNS_Succesful_Zone_Tranfer
Application-DNS_Zone_Transfer_Failed
Application-DNS_Misc
Application-FTP_Command_Executed
Application-FTP_Error
Application-FTP_Connection_Opened
Application-FTP_Connection_Closed
Application-FTP_Misc
Database-Login
Database-Login_Failed
Database-Query
Database-Logout
Database-Stop
Database-Start
Database-Error
Database-Misc

----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro
http://www.emergingthreatspro.com
The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
--
Darren Spruell
phatbuckett () gmail com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
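As an added example (not code from the thread, from Sourcefire or from Emerging Threats), here is how Joel's two translations and Matt's backward-compatibility promise could be applied mechanically: proposed names are lowercased with "_" turned into "-", merged with a few entries from Snort's stock classification.conf, checked for collisions, and local rules are checked for classtypes the resulting file does not define. The per-family priorities, the description format and the sample rules are this example's own assumptions.

```python
"""Added example: translate proposed classtype names into Sourcefire's convention."""
import re

# Assumption: the proposal publishes no priorities, so this example assigns
# them per family (Snort priorities run from 1 = highest to 4 = lowest).
FAMILY_PRIORITY = {"exploit": 1, "malware": 1, "suspicious": 2,
                   "authentication": 2, "policy": 3, "network": 3, "info": 4}

# Entries from Snort's stock classification.conf, kept so rules that still
# carry the old classtypes keep loading (the backward compatibility Matt mentions).
LEGACY = [("trojan-activity", "A Network Trojan was detected", 1),
          ("web-application-attack", "Web Application Attack", 1),
          ("misc-activity", "Misc activity", 3)]

CLASSTYPE_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*$")  # no uppercase, no '_' left over

def normalize(name):
    """Joel's two translations: '_' becomes '-' and keywords are lowercased."""
    return name.lower().replace("_", "-")

def describe(name):
    """Readable description derived from the proposed Family-Detail name."""
    family, _, detail = name.partition("-")
    return f"{family} {detail.replace('_', ' ')}"

def build_classification_conf(proposed, legacy=LEGACY):
    """Return 'config classification:' lines; raise on duplicate classtypes."""
    entries = {short: (desc, prio) for short, desc, prio in legacy}
    for name in proposed:
        short = normalize(name)
        if not CLASSTYPE_RE.match(short):
            raise ValueError(f"unusable classtype after translation: {short!r}")
        if short in entries:
            raise ValueError(f"{name!r} collides with existing classtype {short!r}")
        family = short.split("-", 1)[0]
        entries[short] = (describe(name), FAMILY_PRIORITY.get(family, 3))
    return [f"config classification: {s},{d},{p}" for s, (d, p) in entries.items()]

def undefined_classtypes(rules, conf_lines):
    """Classtypes referenced by rules that conf_lines do not define."""
    defined = {l.split(": ", 1)[1].split(",", 1)[0] for l in conf_lines}
    used = re.findall(r"classtype:\s*([^;\s]+)\s*;", "\n".join(rules))
    return sorted(set(used) - defined)

# Constructed sample input: four names from the proposal and two local rules.
PROPOSED = ["Exploit-SQL_Injection", "Malware-Fake_Antivirus",
            "Suspicious-Web_Attack_or_Scan", "Policy-P2P"]
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"constructed"; classtype:exploit-sql-injection; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"constructed"; classtype:attempted-user; sid:1000002; rev:1;)',
]
```

Running `build_classification_conf(PROPOSED)` yields the merged file, and `undefined_classtypes(SAMPLE_RULES, conf)` reports `attempted-user` because the second constructed rule references a stock classtype that this example's file does not carry.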