Re: [Snort-devel] classification changes

[Chris Green <cmg () uab edu>]

Brian Caswell <bmc () mitre org> writes:
> > I don't think url-access/exploit are any different than attempted-user
> > in the large scheme of things.
>
> Actually, I do.  One is an exploit.  One is just a probe.  I'm much
> more concerned if someone does /scripts/../../../winnt/cmd.exe than if
> they do /cgi-bin/phf

Thats what I was trying to say. Didn't say it clearly enough

> > service-probe for like a bind.version
> > attempted-admin for an root exploit
> >
> > attempted-user for an exploit that will give you nobody privledges

phf would be a service-probe, cmd would be an attempted-user

I was arguing that url-attempt / url-exploit are the same as a
service-probe and an attempted-user-exploit


> > host-mapping == os identification? That sounds like a specific
> > information
>
> host-mapping would contain NMAP probes, and things host -> many hosts
> targetting a single port.  Actually, I will be releasing HOMER soon,
> an alert correlation engine that we at MITRE have developed.  (See the
> SANS paper on Intrusion Detection & Data Mining)  This classification
> is used by those things.  

Ah, I would have called host-mapping "network-mapping".

-- 
Chris Green <cmg () uab edu>
"Yeah, but you're taking the universe out of context."

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users