Snort mailing list archives

Re: [Emerging-Sigs] New Classification System Proposal


From: Joel Esler <jesler () sourcefire com>
Date: Thu, 23 Dec 2010 17:10:23 -0500

Paul et al., I apologize if it seemed like I was being brief with my response, I wasn't "dictating" how it was going to be.

By using hyphens and lowercase, all output modules from Snort, parsers, and GUIs won't have to change.  If we introduce even one of those, all of the previous will have to recode.

It's a compatibility thing.  I wasn't being snarky or acting like a dictator, I was being brief, on my iPhone, and at the Doctor's office.

Sorry if I offended anyone.

J

On Dec 23, 2010, at 4:15 PM, Paul Halliday wrote:

On Thu, Dec 23, 2010 at 3:25 PM, Joel Esler <jesler () sourcefire com> wrote:
All,

(Apologize in advance for cross-posting)
Have some news to share from our side.

After discussion internally, we (Sourcefire) also like this format and are going to update the official shipping snort.conf and the VRT rule sets to it as well.  We are creating a bug internally to do this, as we speak.

Just a couple items however:
1.  We've already started writing the new classification.conf file (with new priorities and descriptions).  If you have started on this, we'll be glad to use it, but we'll keep writing until we are told differently.
2.  We don't use "_", so we'll translate those over to "-".
3.  We also don't use uppercase in the keywords, so we'll translate those to lower case.

For example: Exploit-SQL_Injection will become exploit-sql-injection


So the same, but different :)

I think that all lowercase makes sense. I also think that an
underscore makes sense. Without it, more logic will be required when
trying to group.


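Added illustration, not part of either message and not Snort or Sourcefire code: the translation from items 2 and 3 applied to a rule's classtype, next to what grouping looks like with and without the underscore. Only `Exploit-SQL_Injection` comes from the thread; `Policy_Violation-P2P`, the group list and the sample rule are constructed for the example.

```python
import re

# Constructed inputs: only "Exploit-SQL_Injection" appears in the thread.
KNOWN_GROUPS = ("exploit", "policy-violation")
SAMPLE_RULE = ('alert tcp any any -> any 80 (msg:"constructed example"; '
               'content:"a_B"; classtype:Exploit-SQL_Injection; sid:1000001; rev:1;)')

CLASSTYPE_RE = re.compile(r"(classtype\s*:\s*)([^;]+?)(\s*;)")


def normalize(name):
    """Items 2 and 3: lower-case the keyword and turn "_" into "-"."""
    return name.strip().lower().replace("_", "-")


def rewrite_rule(rule):
    """Normalize only the classtype option; content and msg stay untouched."""
    return CLASSTYPE_RE.sub(
        lambda m: m.group(1) + normalize(m.group(2)) + m.group(3), rule)


def group_mixed(name):
    """Mixed form: "-" separates group from detail, "_" joins words."""
    group, _, detail = name.partition("-")
    return group.lower(), detail.lower()


def group_naive(name):
    """Hyphen-only form split at the first "-": breaks multi-word groups."""
    group, _, detail = name.partition("-")
    return group, detail


def group_by_prefix(name, groups=KNOWN_GROUPS):
    """Hyphen-only form: match the longest known group prefix instead."""
    for g in sorted(groups, key=len, reverse=True):
        if name == g or name.startswith(g + "-"):
            return g, name[len(g) + 1:]
    return None, name  # unknown group: caller decides what to do


if __name__ == "__main__":
    print(rewrite_rule(SAMPLE_RULE))
    for original in ("Exploit-SQL_Injection", "Policy_Violation-P2P"):
        n = normalize(original)
        print(original, group_mixed(original), group_naive(n), group_by_prefix(n))
```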

