Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: snort classification Question

From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 22 Aug 2012 07:01:32 -0600
Mohamad,

I think in this case, you are the person who can help yourself :)  This is the link that discusses class types found in 
snort:

http://manual.snort.org/node31.html#SECTION00446000000000000000

That being shown, some class types are a bit subjective.  Let's take "policy-violation" as an example.  Let's say I see 
an alert for hotmail access:


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Message Access"; flow: 
to_server,established; content:"hotmail.msn.com"; http_header; content:"/cgi-bin/getmsg?msg=MSG"; http_uri; 
reference:url,doc.emergingthreats.net/2000036; classtype:policy-violation; sid:2000036; rev:13;)


Now….does my organization have a policy against using hotmail?  If so, then this is a valid alert, and I need to go 
talk to someone.  If not, then this isn't relevant, and I should disable this rule.

At my work I use sguil and I've lumped a lot of these class types into a single category, "non=malicious".  Read the 
link above, play around, and look at the actual packet content of the alert to see how it fits into a class-type.  Hope 
that helps.

James



On Aug 22, 2012, at 2:23 AM, mohamad hosein jafari <smhjafari68 () gmail com> wrote:


who can help me in my needs?

On Tue, Aug 21, 2012 at 9:32 PM, mohamad hosein jafari <smhjafari68 () gmail com> wrote:
I need more information about these classtypes :
"""
tcp-connection
unknown
protocol-command-decode
icmp-event
web-application-activity
non-standard-protocol
policy-violation
"""
I need your help in these classtypes and I have more information about and some alert that was in these categories
 
Thanks


 



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: