Snort mailing list archives

Re: classification.config regression?


From: Joel Esler <jesler () sourcefire com>
Date: Sat, 25 May 2013 20:14:34 -0400

I'll look into this.  Thanks. 

Sent from my iPad

On May 24, 2013, at 7:20 PM, Gregory S Thomas <greg.thomas () pnnl gov> wrote:

The classification.config file in the snort source tarball changed in 2.9.4.5 (and 2.9.4.6 has the same one as 
2.9.4.5).  Most of the changes are simply in capitalization, but it also removes 3 classifications that were 
introduced in 2.9.1 (file-format, malware-cnc, and client-side-exploit):

shell> diff snort-2.9.4.1/etc/classification.config snort-2.9.4.5/etc/classification.config
47,54c47,54
< config classification: shellcode-detect,Executable code was detected,1
< config classification: string-detect,A suspicious string was detected,3
< config classification: suspicious-filename-detect,A suspicious filename was detected,2
< config classification: suspicious-login,An attempted login using a suspicious username was detected,2
< config classification: system-call-detect,A system call was detected,2
< config classification: tcp-connection,A TCP connection was detected,4
< config classification: trojan-activity,A Network Trojan was detected, 1
< config classification: unusual-client-port-connection,A client was using an unusual port,2
---
config classification: shellcode-detect,Executable Code was Detected,1
config classification: string-detect,A Suspicious String was Detected,3
config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2
config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2
config classification: system-call-detect,A System Call was Detected,2
config classification: tcp-connection,A TCP Connection was Detected,4
config classification: trojan-activity,A Network Trojan was Detected, 1
config classification: unusual-client-port-connection,A Client was Using an Unusual Port,2
57c57
< config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
---
config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,2
59c59
< config classification: web-application-activity,access to a potentially vulnerable web application,2
---
config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,2
66,70c66,67
< config classification: default-login-attempt,Attempt to login by a default username and password,2
< config classification: sdf,Senstive Data,2
< config classification: file-format,Known malicious file or file based exploit,1
< config classification: malware-cnc,Known malware command and control traffic,1
< config classification: client-side-exploit,Known client side exploit attempt,1
---
config classification: default-login-attempt,Attempt to Login By a Default Username and Password,2
config classification: sdf,Sensitive Data was Transmitted Across the Network,2
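Review bot: the hunk at 66,70c66,67 does not just reword descriptions like the earlier hunks; it drops the file-format, malware-cnc and client-side-exploit classification names from the shipped file, so any rule whose classtype references one of them no longer loads against the new classification.config. If the removal is intended it should be called out in the release notes as a breaking change for custom rules; otherwise the three lines should be kept alongside the corrected sdf line (which also fixes the "Senstive" typo).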

This latest classification.config causes snort to exit during startup when it encounters a (custom) rule that uses 
one of the now-missing classifications.  Will you restore the previous classification.config (from 2.9.4.1) in the 
next release, or are we supposed to modify our rules?

Thanks,

Greg Thomas
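A pre-upgrade check a rule maintainer could run to catch this class of problem before Snort refuses to start, added here as an example (it is not code from the thread or from the Snort project): it parses the `config classification:` lines of a classification.config in the format shown above and reports every active rule whose `classtype:` names a classification the file does not define. The config excerpt and the rules embedded below are constructed samples; `classtype` and `sid` are the standard Snort rule options. Pass two paths on the command line to run it against real files instead.

```python
import sys
from typing import Dict, List, Set, Tuple

# Constructed excerpt in the format of classification.config (not a full file
# from any Snort release). Note the space before the priority on the trojan line,
# which the shipped file also has.
SAMPLE_CLASSIFICATION_CONFIG = """\
# lines starting with '#' and blank lines are ignored
config classification: trojan-activity,A Network Trojan was Detected, 1
config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,2
config classification: sdf,Sensitive Data was Transmitted Across the Network,2
"""

# Constructed sample rules. Two reference classifications missing from the sample config,
# one is commented out (and must be ignored), one has no classtype at all.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"sample cnc beacon"; classtype:malware-cnc; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"sample web probe"; classtype:web-application-activity; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"disabled rule"; classtype:file-format; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"sample exploit"; classtype: client-side-exploit ; sid:1000004; rev:1;)
alert tcp any any -> any any (msg:"no classtype"; sid:1000005; rev:1;)
"""

PREFIX = "config classification:"


def parse_classifications(text: str) -> Dict[str, int]:
    """Return {classification name: priority} for every 'config classification:' line.

    The line layout is name,description,priority; the description is split off with
    rsplit so a stray space before the priority (as on the trojan-activity line) is fine.
    """
    known: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not line.startswith(PREFIX):
            continue
        body = line[len(PREFIX):].strip()
        try:
            name_desc, prio = body.rsplit(",", 1)
            name, _desc = name_desc.split(",", 1)
            known[name.strip()] = int(prio)
        except ValueError:
            # malformed line: leave it to Snort's own parser to complain about
            continue
    return known


def rule_option(rule: str, key: str) -> str:
    """Return the value of 'key:value;' inside a rule body, or '' if absent."""
    start = rule.find(key + ":")
    if start < 0:
        return ""
    end = rule.find(";", start)
    if end < 0:
        return ""
    return rule[start + len(key) + 1:end].strip()


def find_unknown_classtypes(rules: str, known: Set[str]) -> List[Tuple[str, str]]:
    """Return (sid, classtype) for each active rule whose classtype is not defined."""
    problems: List[Tuple[str, str]] = []
    for raw in rules.splitlines():
        rule = raw.strip()
        if not rule or rule.startswith("#"):
            continue
        classtype = rule_option(rule, "classtype")
        if classtype and classtype not in known:
            problems.append((rule_option(rule, "sid") or "?", classtype))
    return problems


def main(argv: List[str]) -> int:
    if len(argv) == 3:
        with open(argv[1]) as f:
            config_text = f.read()
        with open(argv[2]) as f:
            rules_text = f.read()
    else:
        config_text, rules_text = SAMPLE_CLASSIFICATION_CONFIG, SAMPLE_RULES
    known = parse_classifications(config_text)
    problems = find_unknown_classtypes(rules_text, set(known))
    for sid, classtype in problems:
        print(f"sid {sid}: classtype '{classtype}' is not defined in classification.config")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the constructed samples it reports sid 1000001 (malware-cnc) and sid 1000004 (client-side-exploit); the commented-out file-format rule is skipped, as Snort would skip it. The exit status makes it usable as a gate in a rule-deployment pipeline.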

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
