Snort mailing list archives
Re: [Emerging-Sigs] [Snort-devel] New Proposed Classification.config file setup
From: Martin Holste <mcholste () gmail com>
Date: Mon, 27 Dec 2010 10:41:03 -0600
On Mon, Dec 27, 2010 at 9:48 AM, Martin Roesch <roesch () sourcefire com> wrote:
Yeah, I guess I didn't say it but I was recommending new keywords so that we wouldn't break backwards compatibility. I do favor mapping of assigned enumeration values to strings though, I don't just want random metadata because that can lead to a Tower of Babel situation where people start baking up nonstandard things that break external event processors.
Yes, as a logging/SIEM guy (I'm active on the Syslog-NG list as well), I am very much in favor of using integers wherever possible. There's certainly no reason long-term not to implement a sid-msg.map-like lookup for tag intval-to-string. That, of course, also mandates some standardization for the tags being used, which obviously a good thing.
Doing the metadata tag thing is fine in the near term as a "let's do something now" solution for people who need it sooner rather than later but I don't think adding new keywords should be all that tough in this particular case. Does info in the metadata fields even make it into unified 2 output? I'm not in a place where I can look it up at the moment and I don't remember... Marty
I'm really pushing for tagging because there will be such an immediate benefit to getting something simple going. Being able to just reliably grep something like "zeus" and "check-in" from the alerts will make such an impact for communicating to NOC staff which events are important enough to alert the SIRT in the middle of the night. I value my sleep, gentlemen! The tag values won't need to be included in unified2 output in the same way that sig names are not included. It's up to the app to do the lookup to resolve ints to strings. ------------------------------------------------------------------------------ Learn how Oracle Real Application Clusters (RAC) One Node allows customers to consolidate database storage, standardize their database environment, and, should the need arise, upgrade to a full multi-node Oracle RAC database without downtime or disruption http://p.sf.net/sfu/oracle-sfdevnl _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- New Proposed Classification.config file setup Joel Esler (Dec 23)
- Re: New Proposed Classification.config file setup Martin Roesch (Dec 23)
- Re: New Proposed Classification.config file setup Joshua.Kinard (Dec 23)
- Re: New Proposed Classification.config file setup Joel Esler (Dec 23)
- Re: [Emerging-Sigs] New Proposed Classification.config file setup Martin Holste (Dec 26)
- Re: [Emerging-Sigs] New Proposed Classification.config file setup Martin Roesch (Dec 27)
- Re: [Emerging-Sigs] [Snort-devel] New Proposed Classification.config file setup Martin Holste (Dec 27)
- Re: [Emerging-Sigs] New Proposed Classification.config file setup Joshua.Kinard (Dec 27)
- Re: [Emerging-Sigs] New Proposed Classification.config file setup Martin Holste (Dec 28)
- Re: [Emerging-Sigs] New Proposed Classification.config file setup Gregory W. MacPherson (Dec 28)
- Re: New Proposed Classification.config file setup Joshua.Kinard (Dec 23)
- Re: New Proposed Classification.config file setup Martin Roesch (Dec 23)
- <Possible follow-ups>
- Re: New Proposed Classification.config file setup Crusty Saint (Dec 28)