Snort mailing list archives
Re: snort classification Question
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 22 Aug 2012 07:01:32 -0600
Mohamad, I think in this case, you are the person who can help yourself :) This is the link that discusses class types found in snort: http://manual.snort.org/node31.html#SECTION00446000000000000000 That being shown, some class types are a bit subjective. Let's take "policy-violation" as an example. Let's say I see an alert for hotmail access: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Message Access"; flow: to_server,established; content:"hotmail.msn.com"; http_header; content:"/cgi-bin/getmsg?msg=MSG"; http_uri; reference:url,doc.emergingthreats.net/2000036; classtype:policy-violation; sid:2000036; rev:13;) Now….does my organization have a policy against using hotmail? If so, then this is a valid alert, and I need to go talk to someone. If not, then this isn't relevant, and I should disable this rule. At my work I use sguil and I've lumped a lot of these class types into a single category, "non=malicious". Read the link above, play around, and look at the actual packet content of the alert to see how it fits into a class-type. Hope that helps. James On Aug 22, 2012, at 2:23 AM, mohamad hosein jafari <smhjafari68 () gmail com> wrote:
who can help me in my needs? On Tue, Aug 21, 2012 at 9:32 PM, mohamad hosein jafari <smhjafari68 () gmail com> wrote: I need more information about these classtypes : """ tcp-connection unknown protocol-command-decode icmp-event web-application-activity non-standard-protocol policy-violation """ I need your help in these classtypes and I have more information about and some alert that was in these categories Thanks
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: snort classification Question, (continued)
- Re: snort classification Question Joel Esler (Aug 21)
- Re: snort classification Question mohamad hosein jafari (Aug 21)
- Re: snort classification Question Joel Esler (Aug 21)
- Re: snort classification Question waldo kitty (Aug 21)
- Re: snort classification Question mohamad hosein jafari (Aug 21)
- Re: snort classification Question Mike Hale (Aug 21)
- Re: snort classification Question mohamad hosein jafari (Aug 21)
- Re: snort classification Question Mike Hale (Aug 21)
- Re: snort classification Question mohamad hosein jafari (Aug 21)
- Re: snort classification Question mohamad hosein jafari (Aug 22)
- Re: snort classification Question James Lay (Aug 22)
- Re: snort classification Question Joel Esler (Aug 22)
- Re: snort classification Question mohamad hosein jafari (Aug 22)
- Re: snort classification Question waldo kitty (Aug 23)
- Re: snort classification Question mohamad hosein jafari (Aug 24)
- Re: snort classification Question Jeremy Hoel (Aug 24)
- Re: snort classification Question Mike Hale (Aug 24)
- Re: snort classification Question mohamad hosein jafari (Aug 24)
- Re: snort classification Question waldo kitty (Aug 25)
- Re: snort classification Question Mike Hale (Aug 25)
- Re: snort classification Question waldo kitty (Aug 25)