Snort mailing list archives
Re: classification.config regression?
From: Joel Esler <jesler () sourcefire com>
Date: Sat, 25 May 2013 20:14:34 -0400
I'll look into this. Thanks.

Sent from my iPad

On May 24, 2013, at 7:20 PM, Gregory S Thomas <greg.thomas () pnnl gov> wrote:
The classification.config file in the snort source tarball changed in 2.9.4.5 (and 2.9.4.6 has the same one as 2.9.4.5). Most of the changes are simply in capitalization, but it also removes 3 classifications that were introduced in 2.9.1 (file-format, malware-cnc, and client-side-exploit):

shell> diff snort-2.9.4.1/etc/classification.config snort-2.9.4.5/etc/classification.config 47,54c47,54 < config classification: shellcode-detect,Executable code was detected,1 < config classification: string-detect,A suspicious string was detected,3 < config classification: suspicious-filename-detect,A suspicious filename was detected,2 < config classification: suspicious-login,An attempted login using a suspicious username was detected,2 < config classification: system-call-detect,A system call was detected,2 < config classification: tcp-connection,A TCP connection was detected,4 < config classification: trojan-activity,A Network Trojan was detected, 1 < config classification: unusual-client-port-connection,A client was using an unusual port,2 ---config classification: shellcode-detect,Executable Code was Detected,1 config classification: string-detect,A Suspicious String was Detected,3 config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2 config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2 config classification: system-call-detect,A System Call was Detected,2 config classification: tcp-connection,A TCP Connection was Detected,4 config classification: trojan-activity,A Network Trojan was Detected, 1 config classification: unusual-client-port-connection,A Client was Using an Unusual Port,257c57 < config classification: non-standard-protocol,Detection of a non-standard protocol or event,2 ---config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,259c59 < config classification: web-application-activity,access to a potentially vulnerable web application,2 ---config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,266,70c66,67 < config classification: default-login-attempt,Attempt to login by a default username and password,2 < config classification: sdf,Senstive Data,2 < config classification: file-format,Known malicious file or file based exploit,1 < config classification: malware-cnc,Known malware command and control traffic,1 < config classification: client-side-exploit,Known client side exploit attempt,1 ---config classification: default-login-attempt,Attempt to Login By a Default Username and Password,2 config classification: sdf,Sensitive Data was Transmitted Across the Network,2

This latest classification.config causes snort to exit during startup when it encounters a (custom) rule that uses one of the now-missing classifications. Will you restore the previous classification.config (from 2.9.4.1) in the next release, or are we supposed to modify our rules?

Thanks,
Greg Thomas
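Review bot: the trojan-activity entry in the 47,54c47,54 hunk keeps the stray space before its priority (`A Network Trojan was Detected, 1`) while every other entry in the hunk is written without one; since the line is already being rewritten for capitalization, normalize it to `config classification: trojan-activity,A Network Trojan was Detected,1` so that anything splitting strictly on commas sees the same field layout for every entry.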
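Review bot: the 66,70c66,67 hunk drops the file-format, malware-cnc and client-side-exploit classifications with no replacement entry or deprecation note, so any deployed rule whose classtype: option names one of them no longer loads (the message after the diff reports that snort exits at startup on such a rule). Either keep the three `config classification:` lines in the shipped file, or state the removal and the intended replacement classtype in the release notes so rule maintainers can re-classify before upgrading; the sdf description fix in the same hunk is fine on its own but should not be bundled with a silent removal.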
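A pre-upgrade check for the failure mode described in the thread, written as an added example (not code from the Snort project or from anyone in the thread): it parses the `config classification:` lines of a classification.config, extracts the `classtype:` option from each active rule, and lists rules whose classtype the config no longer defines, which is exactly what would make snort exit at startup. The config and rules embedded below are constructed samples; the config is shaped like the 2.9.4.5 file quoted above, with the three removed entries absent.

```python
import re

# "config classification: name,description,priority" (a stray space before the priority is tolerated).
CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]*),\s*(\d+)\s*$")
CLASSTYPE_RE = re.compile(r"\bclasstype\s*:\s*([A-Za-z0-9_-]+)\s*;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def parse_classifications(text):
    """Return {name: (description, priority)} from classification.config text."""
    classes = {}
    for raw in text.splitlines():
        m = CLASS_RE.match(raw.split("#", 1)[0])  # drop trailing comments
        if m:
            name, desc, prio = m.groups()
            classes[name.strip()] = (desc.strip(), int(prio))
    return classes

def find_undefined_classtypes(rules_text, classes):
    """Return [(sid, classtype)] for active rules whose classtype is not defined.
    Assumes one rule per line (backslash-continued rules are not joined)."""
    missing = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out rule: snort ignores it, so do we
        ct = CLASSTYPE_RE.search(line)
        if ct and ct.group(1) not in classes:
            sid = SID_RE.search(line)
            missing.append((int(sid.group(1)) if sid else None, ct.group(1)))
    return missing

# Constructed sample config: file-format, malware-cnc and client-side-exploit are absent, as in 2.9.4.5.
SAMPLE_CONFIG = """\
# comment
config classification: trojan-activity,A Network Trojan was Detected, 1
config classification: sdf,Sensitive Data was Transmitted Across the Network,2
"""

# Constructed local rules (sids >= 1000000); the commented-out rule must not be flagged.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE cnc beacon"; content:"beacon"; classtype:malware-cnc; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"SAMPLE irc bot"; content:"NICK "; classtype:trojan-activity; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"disabled"; classtype:file-format; sid:1000009; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE bad pdf"; content:"%PDF"; classtype:file-format; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    for sid, ct in find_undefined_classtypes(SAMPLE_RULES, parse_classifications(SAMPLE_CONFIG)):
        print(f"sid {sid}: classtype '{ct}' is not defined in classification.config")
```

Run it against the real etc/classification.config of the release you are about to install and your local rule files; an empty result means the upgrade will not trip this startup failure.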