Snort mailing list archives

Re: [Emerging-Sigs] New Proposed Classification.config file setup


From: Nigel Houghton <nhoughton () sourcefire com>
Date: Tue, 22 Mar 2011 10:51:12 -0400

On Tue, 22 Mar 2011 07:08:43 -0700 (PDT), onelson wrote:
Sorry I'm coming to this thread a bit late. I'm going to have to take
a minute to pick through all that's been posted here, but I just
wanted to say that in the short time I've been working with snort,
the thing that's struck me as a pain is the events with sigs that
aren't classified at all. Maybe this is not the role of the engine
itself, but I'd almost like to see snort refuse to load rules that
match sigs that are missing a class.

I love the idea of using tags (many to many) rather than a straight
sig class (one to many), but in the case of illustrating
protocols/services in play for the sig I'd say the data is already
there. It should be up to the log viewer or analyst to query for
ports, etc.

Also, integers ftw! I'd love it if the ids for these new class/tag 
records could be defined up front, but I guess that's one of those 
things.

Regards,
Owen Nelson

Which rules without classtype are you referring to? I don't see any 
rules (regular, shared object and preprocessor) without a classtype at 
all.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
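As an added example (not code from the thread or from the Snort project), the kind of pre-load check Owen describes: parse classification.config, then flag any rule whose classtype is missing or not registered there. The config lines and rules below are constructed samples, and the option parsing is a deliberately minimal approximation of Snort's rule parser.

```python
import re

# Constructed sample of classification.config entries.
# Real format: config classification: name,description,priority
CLASSIFICATION_CONFIG = """\
config classification: trojan-activity,A Network Trojan was detected,1
config classification: web-application-attack,Web Application Attack,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: misc-activity,Misc activity,3
"""

# Constructed sample rules: one valid, one with no classtype, one whose
# classtype is not defined in classification.config.
RULES = """\
alert tcp any any -> any 80 (msg:"TEST web attack"; content:"/etc/passwd"; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp any any -> any 21 (msg:"TEST no classtype"; content:"USER anonymous"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"TEST unknown classtype"; content:"|01 00|"; classtype:not-in-config; sid:1000003; rev:1;)
# comment lines and blank lines are skipped
"""

CLASS_RE = re.compile(r"^config classification:\s*([^,]+),([^,]*),(\d+)\s*$")
# Only the two options we need; a colon must follow the keyword so the
# words inside msg:"..." strings are not picked up.
OPT_RE = re.compile(r"\b(sid|classtype)\s*:\s*([^;]+);")


def load_classifications(text):
    """Return {classtype_name: priority} parsed from classification.config text."""
    classes = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line.strip())
        if m:
            classes[m.group(1).strip()] = int(m.group(3))
    return classes


def audit_rules(rule_text, classes):
    """Return [(sid, problem)] for rules with a missing or unregistered classtype."""
    problems = []
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "(" not in line:
            continue
        opts = dict(OPT_RE.findall(line[line.index("(") + 1:]))
        sid = opts.get("sid", "?").strip()
        ct = opts.get("classtype")
        if ct is None:
            problems.append((sid, "missing classtype"))
        elif ct.strip() not in classes:
            problems.append((sid, f"unknown classtype {ct.strip()!r}"))
    return problems
```

Run against a real ruleset directory, a non-empty result is the list of sids to fix before the rules are loaded.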

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
