Snort mailing list archives
Re: snort classification Question
From: mohamad hosein jafari <smhjafari68 () gmail com>
Date: Sun, 26 Aug 2012 10:49:46 +0430
thanks for your help Mike & Waldo and I have another question about classification : on snort site on search of this site ( http://www.snort.org/search ) we can search alerts that are in one classify that we search I did search on all snort classify But I did not find any result WHY? inappropriate-content successful-dos successful-recon-largescale icmp-event not-suspicious thanks On Sun, Aug 26, 2012 at 9:01 AM, waldo kitty <wkitty42 () windstream net>wrote:
On 8/25/2012 17:01, Mike Hale wrote:I'm sure those categories were created because, at the time of creating, they were the best method of classifying alerts on a macro level. It's up to you, the rule author, to find one that best suits your rule.one must also understand that these were created "on the fly" in the past and only recently have they been expanded BUT they still use a level 1, 2 or 3 rating where level 1 is the worst and level 3 is the least... in the past, there was also a level zero which was, AFAICR, what the built-in processors emitted... i know that this is one of the reasons why i undertook to rewrite the Guardian Active Response mod that many have used in conjunction with snort so as to have an automated response system that reacted to snort's alerts... i'll let the rest of the message alone for now... i don't know that i have anything really to add to it... the main thing is that one must learn what the *rules* are triggering on and one */must/* tune their snort installation to their network and its activities... a perfect example is protecting a network of users where there is no servers in place at all... generally speaking, and looking at it from many folks' POV, you would not run server rules in that case... but if you are like myself, you would because you would want to catch any unknown servers emitting traffic... there are two sides to the coin and many in the security industry only look at that traffic which affects their known services... so they don't catch the incessant attempts to connect to port 3306 (as an example) when there is no port 3306 available on their networks... but my thinking is that anyone trying to connect to port 3306 is exhibiting nefarious and unwanted activity... if they lead off with attempts to connect to port 3306, what other ports are they going to be probing/attacking? why not catch them testing your home doorknob to see if it is unlocked and block them there before they get a chance to probe some other port and find it open to their attacks?? ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: snort classification Question, (continued)
- Re: snort classification Question Joel Esler (Aug 22)
- Re: snort classification Question mohamad hosein jafari (Aug 22)
- Re: snort classification Question waldo kitty (Aug 23)
- Re: snort classification Question mohamad hosein jafari (Aug 24)
- Re: snort classification Question Jeremy Hoel (Aug 24)
- Re: snort classification Question Mike Hale (Aug 24)
- Re: snort classification Question mohamad hosein jafari (Aug 24)
- Re: snort classification Question waldo kitty (Aug 25)
- Re: snort classification Question Mike Hale (Aug 25)
- Re: snort classification Question waldo kitty (Aug 25)
- Re: snort classification Question mohamad hosein jafari (Aug 25)
- Re: snort classification Question beenph (Aug 21)
- Re: snort classification Question mohamad hosein jafari (Aug 21)