RE: Changing a Classification

["Graham, Robert" <rgraham () mem-ins com>]

Kenneth,

I using Demarc instead of ACID.  I went ahead and recreated the kickass-porn
classification with the same ID as before and then renamed it to just Porn
using sql.  This seemed to do the trick.

Thanks for your help

-----Original Message-----
From: Kenneth G. Arnold [mailto:bkarnold () cbu edu]
Sent: Friday, January 24, 2003 9:47 AM
To: Graham, Robert
Subject: Re: [Snort-users] Changing a Classification


I presume that you are referring to the actual snort alerts file?  If so I
can't help you.  If you are referring to the output of ACID then you need
to know that the classifications are stored in the database for each
signature and I don't think they change once you change the classification
in the snort rules.  You can change them with sql however.
Ken

On Thu, 23 Jan 2003, Graham, Robert wrote:

> I created a new classification to replace "kickass-porn" with a
> classification of just "Porn".  I gave it a description and priority and
> changed the classtype to Porn in the signatures and restarted snort.  The
> result of this caused some signatures to classify it as "Porn" and some to
> classify it as "kick-Ass Porn".  I double checked the classtype and they
are
> all set to "Porn".  I then deleted the "kickass-Porn" classification,
> restarted snort, and now it reports some of the porn alerts as
> classification "-" and others as "Porn".  What I'm I doing wrong?
>
> Snort Version: 1.8.6 (Build 105)
> OS: Redhat 7.2
> Demarc Interface