Re: [Emerging-Sigs] New Classification System Finalization

[waldo kitty <wkitty42 () windstream net>]

On 1/31/2011 14:28, Matthew Jonkman wrote:
> As you may recall, Alienvault (http://www.alienvault.com), the home of OSSIM, has very generously offered to the 
> snort and suricata communities the classification system they've developed to better categorize and react to IDS 
> events. We're excited about this, especially in suricata, and we have already begun the changes required to allow us 
> at Emerging Threats Pro and Emerging Threats Open to distribute the rulesets in both forms.
>
> We had called an end to comments by Jan 12, but discussion has continued mostly privately. A few points to iron out 
> yet:
>
> 1. Sourcefire has proposed to change all underscores to dashes.
> I feel the underscores are an important differentiator. But older snort's may not handle that well. Suricata will 
> handle them fine. But having differing systems is going to be a challenge of course.

count this as one voice for keeping the underscores... they are an important 
part of things... especially when they are used to split a main "category" from 
a "sub-category" (ie: thistrash, thistrash_group1, thistrash_group1-range3, 
thistrash_group2, thistrash_group2-range1)

> 2. Sourcefire also proposes to lower-case everything.
> Shouldn't be a big deal if no one objects.

at this time, i don't see a problem with lowcase on everything... heck, i type 
in lowcase almost all the time... caps are for Emphasis when Necessary! :P

> 3. We also need to assign priorities to the events. Sourcefire in the link below has proposed how they might look. We 
> need feedback there.
> Perhaps we put up a simple web app to let folks go through and prioritize and we can take the average over a few 
> weeks of input?

sounds good to me... unfortunately, i'm still in the position of working out how 
tags can be used in the app(s) i develop... currently, if they do not appear in 
the snort alert file, they are as alien as... well... aliens :P

------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users