Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: snort classification Question

From: Mike Hale <eyeronic.design () gmail com>
Date: Tue, 21 Aug 2012 21:25:55 -0700
"but it had overlap and I think that was not complete"
That's okay.  This is how you learn.  :)

Find a specific rule that you have a question about.  I'm sorry to say
that I don't have the requisite skill to explain them to you, but if
you have a specific part of the rule (or a specific attribute) that
you have a question on, I think you'll get a good response.

Joel is an amazing resource to the Snort community, but his time is
limited, which is why you need to get the specifcs.

On Tue, Aug 21, 2012 at 9:19 PM, mohamad hosein jafari
<smhjafari68 () gmail com> wrote:

thanks

But I read and did the work that you said and at last I found the links like
these links :
http://www.aldeid.com/wiki/Snort-alerts
http://www.genome.ist.i.kyoto-u.ac.jp/snsn/130/54/21/dest130.54.21.199-all.html
http://www.snort.org/search/results?limit=25&page=1&q=TCP

And Also first I want to write some rules and classify alerts . but it had
overlap and I think that was not complete
So I read snort rules to know why snort team create these classtype . That
was reson that I want to know snort classtype . also alert's name and
explanation is not enough for my request . so I need more explain for each
classtype that is in this link :
http://manual.snort.org/node31.html#SECTION00444000000000000000

Thanks

On Tue, Aug 21, 2012 at 9:08 PM, Mike Hale <eyeronic.design () gmail com>
wrote:


Mohamad,

You're asking a really broad question.  The rule alert is fairly self
explanatory.

A better way to obtain your answer is to do the following:

- Read the documentation governing Snort rules
- Understand the documentation governing Snort rules
- Write some rules yourself and understand what they do
- Look at the rules you have questions about and, using your newfound
knowledge, understand what they do.

If you still don't understand what specific rules do, then feel free
to post a question; you'll likely get an answer.


On Tue, Aug 21, 2012 at 8:52 PM, mohamad hosein jafari
<smhjafari68 () gmail com> wrote:

thanks

So does'nt you have more information than explanation of alerts ?
Or do rule writers write more explanation than alert Msg explanation in
any
reference?




On Tue, Aug 21, 2012 at 7:59 PM, waldo kitty <wkitty42 () windstream net>
wrote:


On 8/21/2012 21:47, Joel Esler wrote:

I'm not going to do that. You need to read the manual for how the
rules
work and
then you need to read the references found in the rules themselves.
We're not
going to explain 22,000+ rules. :)

Thanks, but you need to read some documentation.


the key factor is that there is no reference other than the one conf
file...
other than that, any rule writer is free to use any classification the
desire
for their rule... there are times that the MSG of a rule gives more
information
than the classification... especially considering that there are only
really 3
classification numericals used...



--
Joel Esler
Sent from my iPad

On Aug 21, 2012, at 9:01 PM, mohamad hosein jafari
<smhjafari68 () gmail com
<mailto:smhjafari68 () gmail com>> wrote:


Yes . But
I want reference for my need. Because I think that is too much .
Thanks

On Aug 22, 2012 2:54 AM, "Joel Esler" <jesler () sourcefire com
<mailto:jesler () sourcefire com>> wrote:

    So, to be clear, you want me to explain all the rules to you?


    On Aug 21, 2012, at 3:16 PM, mohamad hosein jafari
<smhjafari68 () gmail com
    <mailto:smhjafari68 () gmail com>> wrote:



        You'd have to look in the rules themselves for what rules
use
this
        classification. For instance, non-standard-protocol,
actually
only
        has one rule that uses it.

        The classifications are assigned by the VRT member who
writes
the
        rule, and then when it's published it's reviewed to see if
that makes
        sense.

    yes I want the things that you said . But where can I find
this?
In other
    words where rule writers put their classification's explain on?
    Also I want some explain about ALL snort alerts consist : Type
,
    mechanism , effect And its resource .

    I have these two question . And I want reference for these. Can
you help me?

    Thanks







------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond.
Discussions
will include endpoint security, mobile security and the latest in
malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!





------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond.
Discussions
will include endpoint security, mobile security and the latest in
malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort
news!





------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond.
Discussions
will include endpoint security, mobile security and the latest in
malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort
news!




--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0







-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: