Re: snort classification Question

[mohamad hosein jafari <smhjafari68 () gmail com>]

thanks for your help Mike & Waldo

and I have another question about classification :
on snort site on search of this site ( http://www.snort.org/search ) we can
search alerts that are in one classify that we search
I did search on all snort classify But I did not find any result  WHY?
inappropriate-content
successful-dos
successful-recon-largescale
icmp-event
not-suspicious


thanks

On Sun, Aug 26, 2012 at 9:01 AM, waldo kitty <wkitty42 () windstream net>wrote:

> On 8/25/2012 17:01, Mike Hale wrote:
> > I'm sure those categories were created because, at the time of
> > creating, they were the best method of classifying alerts on a macro
> > level.  It's up to you, the rule author, to find one that best suits
> > your rule.
>
> one must also understand that these were created "on the fly" in the past
> and
> only recently have they been expanded BUT they still use a level 1, 2 or 3
> rating where level 1 is the worst and level 3 is the least... in the past,
> there
> was also a level zero which was, AFAICR, what the built-in processors
> emitted...
> i know that this is one of the reasons why i undertook to rewrite the
> Guardian
> Active Response mod that many have used in conjunction with snort so as to
> have
> an automated response system that reacted to snort's alerts...
>
> i'll let the rest of the message alone for now... i don't know that i have
> anything really to add to it... the main thing is that one must learn what
> the
> *rules* are triggering on and one */must/* tune their snort installation to
> their network and its activities... a perfect example is protecting a
> network of
> users where there is no servers in place at all... generally speaking, and
> looking at it from many folks' POV, you would not run server rules in that
> case...
>
> but if you are like myself, you would because you would want to catch any
> unknown servers emitting traffic... there are two sides to the coin and
> many in
> the security industry only look at that traffic which affects their known
> services... so they don't catch the incessant attempts to connect to port
> 3306
> (as an example) when there is no port 3306 available on their networks...
> but my
> thinking is that anyone trying to connect to port 3306 is exhibiting
> nefarious
> and unwanted activity... if they lead off with attempts to connect to port
> 3306,
> what other ports are they going to be probing/attacking? why not catch them
> testing your home doorknob to see if it is unlocked and block them there
> before
> they get a chance to probe some other port and find it open to their
> attacks??
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!