Snort mailing list archives

Re: [Emerging-Sigs] New Proposed Classification.config file setup


From: Frank Knobbe <frank () knobbe us>
Date: Mon, 27 Dec 2010 14:30:00 -0600

On Thu, 2010-12-23 at 17:27 -0500, Joel Esler wrote:
> As mentioned earlier, here's the proposed Classification.config file
> setup posted and available for download here:
>
> http://blog.snort.org/2010/12/new-proposed-classificationconfig-file.html
>
> Please take a look, leave comments preferably on the blog, but also
> here would be fine.


I think that's way overkill. If you attempt to include all protocols
into a classification system, you'll create more complexity and
potential confusion, making the system less useful. For starters, where
is exploit-pop3? (add your favorite protocol that's not on the list).

Class and subclass concept is fine. We've been using such a
classification in our system for a while. However, breaking it out by type
and protocol does not appear to make much sense, at least to me.

I believe a simpler system that doesn't mushroom by the power of 2 would
be more effective and easier to use.

Regards,
Frank


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel