Snort mailing list archives
Re: Difference between rule classification and rule priority?
From: Jeff Murphy <jeff.murphy () gmail com>
Date: Fri, 29 Apr 2011 11:43:20 -0400
+1 to tags. Currently I'm overloading the msg field and using it to tag rules and letting the SIEM figure things out based on that. I'd like to see a 'confidence' score that rule repositories can adjust based on reports of FPs or confirmations. A definition of the score and algorithm should be included as well, of course, to avoid ambiguities between rule repositories.

jeff

On Apr 28, 2011, at 11:30 AM, Martin Holste wrote:
I find both classification and priority to be all but useless in their current forms. Classification is going to get an overhaul shortly, which will definitely improve its usefulness. Priority is so subjective and context-dependent that it is tactically unhelpful. There may be rare cases in which it is a helpful indicator, but I have yet to see one. I have yet to be told why message tags (essentially an array of classifications) have not been implemented, as it would solve many issues and provide much more inherent context for analysts.

In short, I would pay far more attention to the references in the rule than the priority or classification. You need to understand why the rule fired and make your own decision regarding what the consequences are for your org. You will need tools to do that. At a minimum, run daemonlogger to collect network traffic and get netflow from routers for sessions. Alternatively, run sancp to do both. It will be more than worth the initial setup time.

On Thu, Apr 28, 2011 at 9:38 AM, Andy Berryman <aberryman () cymtec com> wrote:

I asked on the google groups with no answer, so I'm asking here. But I thought the two were combined. If the rule classifications are 1-4, with 1 being the highest (omg omg omg) and 4 being the lowest (eh, who cares), but the priority that you can set in the rules can be a priority 10 for instance, what level would that be? Would the higher the "priority" be like the lower the classtype?

Thanks,
Andy

------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network management toolset available today. Delivers lowest initial acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
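The two things discussed in this thread, how an explicit priority keyword interacts with the classtype's default priority (Andy's question) and pulling analyst tags out of an overloaded msg field for a SIEM (Jeff's approach), can be made concrete with a small resolver. The code below is an added example written for this archive page; it is not from the thread's authors and not Snort's own code. It assumes the Snort precedence rule that a `priority:` keyword in a rule overrides the default priority of its `classtype`, and that a lower number is more urgent (1 is highest). The classification.config excerpt, the rules, the `[tag]` convention inside msg, and the sids are all constructed for illustration.

```python
"""Resolve effective Snort alert priority and extract tags from msg (example code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt in the format of Snort's classification.config:
#   config classification: <classtype>,<description>,<default priority>
CLASSIFICATION_CONFIG = """
config classification: trojan-activity,A Network Trojan was detected,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: icmp-event,Generic ICMP event,3
config classification: not-suspicious,Not Suspicious Traffic,3
"""

# Constructed rules (local sid range); the "[tag]" prefixes in msg model the
# tagging-via-msg convention described in the thread, not a Snort feature.
RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[recon][ssh] SSH version probe"; flow:to_server,established; content:"SSH-"; depth:4; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[c2][malware] beacon to known sinkhole"; flow:to_server,established; content:"/gate.php"; http_uri; classtype:trojan-activity; priority:10; sid:1000002; rev:2;)
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; classtype:icmp-event; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"[misc] rule without classtype"; content:"foo"; sid:1000004; rev:1;)
"""

CLASS_RE = re.compile(r'^config classification:\s*([^,]+),([^,]+),(\d+)\s*$')
RULE_RE = re.compile(r'^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


@dataclass
class Rule:
    sid: int
    msg: str
    classtype: Optional[str]
    explicit_priority: Optional[int]
    tags: List[str] = field(default_factory=list)


def parse_classification_config(text: str) -> dict:
    """Return {classtype: (description, default_priority)}."""
    classes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = CLASS_RE.match(line)
        if not m:
            raise ValueError(f"bad classification line: {line!r}")
        name, desc, prio = m.groups()
        classes[name.strip()] = (desc.strip(), int(prio))
    return classes


def split_options(body: str) -> List[str]:
    """Split a rule's option body on ';' that are outside double quotes."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and in_quote and i + 1 < len(body):  # keep escaped chars
            cur.append(body[i:i + 2]); i += 2; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            if ''.join(cur).strip():
                opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    if ''.join(cur).strip():
        opts.append(''.join(cur).strip())
    return opts


def parse_rule(line: str) -> Rule:
    """Extract msg, classtype, priority and sid from one single-line rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    msg, classtype, prio, sid = '', None, None, None
    for opt in split_options(m.group(8)):
        key, _, val = opt.partition(':')
        key, val = key.strip(), val.strip()
        if key == 'msg':
            msg = val.strip('"')
        elif key == 'classtype':
            classtype = val
        elif key == 'priority':
            prio = int(val)
        elif key == 'sid':
            sid = int(val)
    return Rule(sid, msg, classtype, prio, re.findall(r'\[([^\]]+)\]', msg))


def effective_priority(rule: Rule, classes: dict) -> Tuple[Optional[int], str]:
    """priority keyword beats the classtype default; no classtype -> None."""
    if rule.explicit_priority is not None:
        return rule.explicit_priority, 'priority keyword'
    if rule.classtype is not None:
        if rule.classtype not in classes:
            raise ValueError(f"unknown classtype {rule.classtype!r}")
        return classes[rule.classtype][1], f'classtype {rule.classtype} default'
    return None, 'no classtype and no priority'


def triage(rules_text: str = RULES, config_text: str = CLASSIFICATION_CONFIG) -> list:
    """Rules ordered most-urgent first (lowest number), unprioritised ones last."""
    classes = parse_classification_config(config_text)
    rows = []
    for line in rules_text.splitlines():
        if line.strip():
            r = parse_rule(line)
            prio, why = effective_priority(r, classes)
            rows.append({'sid': r.sid, 'priority': prio, 'source': why, 'tags': r.tags})
    return sorted(rows, key=lambda row: (row['priority'] is None, row['priority'] or 0))


if __name__ == '__main__':
    for row in triage():
        print(row)
```

Running it shows the answer to the original question in data: the trojan-activity rule carrying `priority:10` sorts below the generic ICMP event (default 3), because the keyword replaces, rather than adds to, the classtype default, and a larger number means less urgent. The `tags` list is what a SIEM would key on under the msg-overloading scheme; it survives even for the rule that has no classtype at all.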
Current thread:
- Difference between rule classification and rule priority? Andy Berryman (Apr 28)
- Re: Difference between rule classification and rule priority? Martin Holste (Apr 28)
- Re: Difference between rule classification and rule priority? Jeff Murphy (Apr 29)
- Re: Difference between rule classification and rule priority? Martin Holste (Apr 28)