Snort mailing list archives

Re: ..:: Unclassified rules ::..


From: "Alfonso Alejandro Reyes Jimenez" <aareyes () scitum com mx>
Date: Thu, 24 Mar 2011 18:04:36 -0600

Hi Joel, yeap I'm using barnyard2.

Regards.

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Thursday, March 24, 2011 05:13 p.m.
To: Alfonso Alejandro Reyes Jimenez
CC: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] ..:: Unclassified rules ::..

How are you getting events into the database?    Are you using barnyard?

Joel

On Mar 24, 2011, at 5:54 PM, Alfonso Alejandro Reyes Jimenez wrote:

Hi everyone.

I have a question about the rules; this question may be stupid, but I
couldn't find any information on the web.

My Snort works perfectly, no issues at all.

We are creating customized rules for our servers for example:

alert tcp any any -> $Mail 25 (content: "|76 72 66 79|"; msg: "Comando SMTP ilegal, posible reconocimiento"; sid:1999993; classtype:attempted-recon;)

The rule works fine and BASE shows the correct signature ID; the only
issue is that the rule appears as unclassified in the GUI. We have tried
adding the classtype to the signature with no luck.

How can we classify those rules?

Thanks in advance for your help.

Regards. 

--
Joel Esler
http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net

Twitter: http://twitter.com/snort

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
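Added example, not part of this thread: when an event that carries a classtype still shows up as unclassified in BASE, one thing worth verifying is that every classtype name used in the rule files is actually defined in the classification.config that barnyard2 loads (the `config classification:` lines), since a name that cannot be looked up there has nothing to map to. The script below is a hypothetical checker written for this purpose; it parses rule options and the classification file and reports rules whose classtype is missing or undefined. The rule text and the classification excerpt are constructed sample data, using the rule from the question plus two deliberately defective rules.

```python
import re

# Constructed sample rule file: the rule from the thread, one with a typo in its
# classtype (underscore instead of hyphen), and one with no classtype at all.
RULES_TEXT = """\
alert tcp any any -> $Mail 25 (content: "|76 72 66 79|"; msg: "Comando SMTP ilegal, posible reconocimiento"; sid:1999993; classtype:attempted-recon;)
alert tcp any any -> $Mail 25 (content: "EXPN"; msg: "SMTP EXPN"; sid:1999994; classtype:attempted_recon;)
alert tcp any any -> $Mail 25 (content: "HELP"; msg: "SMTP HELP"; sid:1999995;)
"""

# Constructed excerpt in the format of Snort's classification.config:
# config classification: short-name,description,priority
CLASSIFICATION_TEXT = """\
# short name,short description,priority
config classification: attempted-recon,Attempted Information Leak,2
config classification: misc-activity,Misc activity,3
"""

CLASS_RE = re.compile(r'^\s*config\s+classification:\s*([^,]+),([^,]*),(\d+)\s*$')
# Extract only the options we need; values are either quoted strings or bare tokens.
OPT_RE = re.compile(r'\b(sid|classtype|msg)\s*:\s*("[^"]*"|[^;]+);')


def parse_classifications(text):
    """Map classtype short name -> (description, priority)."""
    classes = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            classes[m.group(1).strip()] = (m.group(2).strip(), int(m.group(3)))
    return classes


def parse_rules(text):
    """Return a list of dicts holding the sid, msg and classtype of each rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '(' not in line:
            continue
        # The option body is everything between the outermost parentheses.
        body = line[line.index('(') + 1:line.rfind(')')]
        opts = {}
        for m in OPT_RE.finditer(body):
            val = m.group(2).strip()
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1]
            opts[m.group(1)] = val
        rules.append(opts)
    return rules


def check_rules(rules_text, classification_text):
    """Return (sid, classtype, reason) for every rule that cannot be classified."""
    classes = parse_classifications(classification_text)
    problems = []
    for r in parse_rules(rules_text):
        sid = r.get('sid', '?')
        ct = r.get('classtype')
        if ct is None:
            problems.append((sid, None, 'no classtype option'))
        elif ct not in classes:
            problems.append((sid, ct, 'classtype not defined in classification.config'))
    return problems


if __name__ == "__main__":
    for sid, ct, reason in check_rules(RULES_TEXT, CLASSIFICATION_TEXT):
        print(f"sid {sid}: classtype={ct!r}: {reason}")
```

On real files, read the rule directory and the classification.config path from the barnyard2 configuration and pass their contents in place of the constructed strings; a rule with a classtype the config does not define will be listed, while sid 1999993 above passes because `attempted-recon` is present.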