Snort mailing list archives

Re: classification changes


From: Max Vision <vision () whitehats com>
Date: Wed, 23 May 2001 08:01:17 -0700

At 02:11 AM 5/23/2001 -0400, Brian Caswell wrote:
> We are going to change the classification for the Snort.org ruleset.
> Sorry IDWG guys, your classifications.  The IDWG classifications are
> just not viable.  I tried.  It's really bad.
> Attached is the classification.config that will be included with snort
> 1.8.1 (Well, included into CVS as soon as I can clean up the rules)
> If you have wishes/requests for default classifications, let me know
> ASAP.  I will start changing rules within the next 2 days.
I wrote some info about this before but had email problems and it seems to be gone (and not sent). Basically we came up with a good classification system last week that has so far been a good fit for all of the intrusion events. You can see this implemented at http://whitehats.com/ids/vision18.conf.gz

You can see an overview of how this breaks down at:
http://whitehats.com/cgi/arachNIDS/BrowseTree?field=classtype&order=COUNT

The system we came up with is the following 20 classifications:
 not suspicious  (policy foo)
 suspicious (miscellaneous such as source routing ip opts)
 info / attempt,success,failed (information gathering)
 relay / attempt,success,failed (relay vuln like socks, spam, etc)
 data / attempt,success,failed (data integrity, such as snmp write)
 system / attempt,success,failed (system integrity, such as shell access)
 client / attempt,success,failed (client software attacks)
 data-or-info-attempt
 system-or-info-attempt
 relay-or-info-attempt

This allowed us to classify each known intrusion event. It was a struggle with the IDWG system. The last three categories were required since we have a lot of events where we can't see clearly which class the event is in. For example, a signature to catch just "phf" in uricontent data would catch either an information gathering probe (is phf there?) or a system integrity attempt (let's push this linefeed through and run some commands). So it would be inappropriate to pick one or the other unless there were several very specific variations of the signature to catch each case. I can list some examples of why these classifications were chosen if anyone needs the info.

Max
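
Added example (not from the post, the whitehats vision18.conf, or the Snort.org ruleset): how the 20-class scheme above maps onto Snort's classification.config syntax, and how the "or" classes are meant to be used in a rule. The short names for the attempt/success/failed variants (info-attempt, system-success, etc.), the descriptions and the priority values are assumptions; the rules assume $EXTERNAL_NET and $HTTP_SERVERS are defined in snort.conf, and the sid numbers are local placeholders.

```snort
# classification.config fragment for the 20 classes described above.
# Syntax: config classification: <shortname>,<description>,<priority>
# Priority values are an assumption (1 = most severe).
config classification: not-suspicious,Not Suspicious Traffic (policy),4
config classification: suspicious,Suspicious Traffic (misc. e.g. source routing),3
config classification: info-attempt,Information Gathering Attempt,3
config classification: info-success,Information Gathering Succeeded,2
config classification: info-failed,Information Gathering Failed,3
config classification: relay-attempt,Relay Abuse Attempt (socks, spam relay),2
config classification: relay-success,Relay Abuse Succeeded,1
config classification: relay-failed,Relay Abuse Failed,3
config classification: data-attempt,Data Integrity Attack Attempt (e.g. snmp write),2
config classification: data-success,Data Integrity Compromise,1
config classification: data-failed,Data Integrity Attack Failed,3
config classification: system-attempt,System Integrity Attack Attempt (e.g. shell),2
config classification: system-success,System Compromise,1
config classification: system-failed,System Integrity Attack Failed,3
config classification: client-attempt,Client Software Attack Attempt,2
config classification: client-success,Client Software Compromise,1
config classification: client-failed,Client Software Attack Failed,3
config classification: data-or-info-attempt,Data Integrity or Information Gathering Attempt,2
config classification: system-or-info-attempt,System Integrity or Information Gathering Attempt,2
config classification: relay-or-info-attempt,Relay Abuse or Information Gathering Attempt,2

# The phf case from the post. A bare "/phf" hit cannot tell a probe from an
# exploit attempt, so it gets the combined class rather than a guess.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI phf access"; flags:A+; uricontent:"/phf"; nocase; classtype:system-or-info-attempt; sid:1000001; rev:1;)

# A more specific variation: the same URI plus an encoded linefeed in the
# request (the classic phf command-injection shape) is a system attempt.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI phf command injection attempt"; flags:A+; uricontent:"/phf"; nocase; content:"%0a"; classtype:system-attempt; sid:1000002; rev:1;)
```

Both rules would fire on a real phf exploit request; the point of the split is that the first rule's alert is honestly labelled as ambiguous, and only the rule that actually checks for the linefeed claims the system-attempt class.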


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
