New Classification System Finalization

[Matthew Jonkman <jonkman () emergingthreatspro com>]

As you may recall, Alienvault (http://www.alienvault.com), the home of OSSIM, has very generously offered to the snort 
and suricata communities the classification system they've developed to better categorize and react to IDS events. 
We're excited about this, especially in suricata, and we have already begun the changes required to allow us at 
Emerging Threats Pro and Emerging Threats Open to distribute the rulesets in both forms. 

We had called an end to comments by Jan 12, but discussion has continued mostly privately. A few points to iron out yet:

1. Sourcefire has proposed to change all underscores to dashes. 
I feel the underscores are an important differentiator. But older snort's may not handle that well. Suricata will 
handle them fine. But having differing systems is going to be a challenge of course. 

2. Sourcefire also proposes to lower-case everything.
Shouldn't be a big deal if no one objects.

3. We also need to assign priorities to the events. Sourcefire in the link below has proposed how they might look. We 
need feedback there. 
Perhaps we put up a simple web app to let folks go through and prioritize and we can take the average over a few weeks 
of input?

-----------

Initial posts are here:
http://blog.emergingthreatspro.com/2010/12/new-classification-system-proposal.html

and here:
http://blog.snort.org/2011/01/classification-comments.html

The actual system is here as proposed by Alienvault:

http://www.emergingthreats.net/new_classifications_v1.txt

And a version proposed by Sourcefire. 
http://www.snort.org/assets/157/classifications.txt

-----------

I propose these steps as a way forward:

1. Lets get more feedback on the lists (the snort lists, the oisf lists, and the emerging lists).

2. We have an OISF brainstorming session at RSA in a week and a half 
(http://www.openinfosecfoundation.org/index.php/component/content/article/34-general-content/109-the-next-oisf-brainstorming-meeting)
This is on the agenda there, lets get some more discussion and we will summarize this on the lists

Lets call the End of February the final date, adopt an official classification.conf and move forward!

Matt



----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users