Snort mailing list archives
Re: Snort Rules Issues
From: "Simon Wesseldine" <simon.wesseldine () idappcom com>
Date: Wed, 24 Sep 2014 09:51:14 +0100
Hi Felix,

You should have the following line, in step 6 of your snort.conf file:

include classification.config

There should be a line in your classification.config file that looks like this:

config classification: web-application-attack,Web Application Attack,1

You may have an outdated classification.config file that does not include all the new classifications.

# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable Code was Detected,1
config classification: string-detect,A Suspicious String was Detected,3
config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2
config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2
config classification: system-call-detect,A System Call was Detected,2
config classification: tcp-connection,A TCP Connection was Detected,4
config classification: trojan-activity,A Network Trojan was Detected, 1
config classification: unusual-client-port-connection,A Client was Using an Unusual Port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: inappropriate-content,Inappropriate Content was Detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to Login By a Default Username and Password,2
config classification: sdf,Sensitive Data was Transmitted Across the Network,2
config classification: file-format,Known malicious file or file based exploit,1
config classification: malware-cnc,Known malware command and control traffic,1
config classification: client-side-exploit,Known client side exploit attempt,1

I hope that helps.

Best regards,
Simon.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
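The mismatch Simon describes (a rule's classtype that has no matching "config classification:" line) is easy to catch before Snort refuses the ruleset. The following script is an added example, not code from the mail or from the Snort project: it parses the classification.config line format quoted above (name,description,priority), extracts the classtype from each rule, and lists any rule whose classtype is undefined. The classification entries and the rules (including their sids) are constructed sample data for this example, not real Snort signatures; the function names are the example's own.

```python
import re

# Constructed sample classification.config contents for this example.
# Deliberately missing "malware-cnc" and "sdf" so the check has something to report.
CLASSIFICATION_CONFIG = """\
# blank lines and comment lines are ignored, as Snort does
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: web-application-attack,Web Application Attack,1
config classification: trojan-activity,A Network Trojan was Detected, 1
config classification: misc-activity,Misc activity,3
"""

# Constructed sample rules; the sids are placeholders chosen for this example.
RULES = """\
# a commented-out rule is skipped, just as Snort skips it
# alert tcp any any -> any any (msg:"EXAMPLE disabled"; classtype:policy-violation; sid:1000000; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web attack"; content:"/etc/passwd"; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE c2 beacon"; content:"beacon"; classtype:malware-cnc; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"EXAMPLE ping"; classtype:misc-activity; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE card number"; classtype:sdf; sid:1000004; rev:1;)
"""

# "config classification: <name>,<description>,<priority>"; tolerant of stray
# whitespace such as the ", 1" in the trojan-activity line.
CLASS_LINE = re.compile(
    r"^\s*config\s+classification:\s*([^,]+?)\s*,\s*(.*?)\s*,\s*(\d+)\s*$"
)
CLASSTYPE_IN_RULE = re.compile(r"\bclasstype:\s*([A-Za-z0-9_-]+)\s*;")
SID_IN_RULE = re.compile(r"\bsid:\s*(\d+)\s*;")
RULE_ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")


def parse_classifications(text):
    """Return {classtype: (description, priority)} from classification.config text."""
    classes = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = CLASS_LINE.match(line)
        if m:
            classes[m.group(1)] = (m.group(2), int(m.group(3)))
    return classes


def find_undefined_classtypes(rules_text, classes):
    """Return [(sid, classtype), ...] for active rules whose classtype is not defined."""
    missing = []
    for line in rules_text.splitlines():
        stripped = line.strip()
        # skip blanks, comments and anything that is not a rule header
        if not stripped.startswith(RULE_ACTIONS):
            continue
        ct = CLASSTYPE_IN_RULE.search(stripped)
        if ct is None:
            continue  # rule without classtype; Snort falls back to default priority
        if ct.group(1) not in classes:
            sid = SID_IN_RULE.search(stripped)
            missing.append((sid.group(1) if sid else None, ct.group(1)))
    return missing


if __name__ == "__main__":
    defined = parse_classifications(CLASSIFICATION_CONFIG)
    for sid, classtype in find_undefined_classtypes(RULES, defined):
        print(f"sid {sid}: classtype '{classtype}' is not in classification.config")
```

Run against real files by reading classification.config and each rules file referenced from snort.conf into the two functions; every reported classtype needs a "config classification:" line added (or the file refreshed from the current ruleset) before the rules will load.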
Current thread:
- Snort Rules Issues Tarzan538 NONO (Sep 23)
- Re: Snort Rules Issues waldo kitty (Sep 23)
- <Possible follow-ups>
- Re: Snort Rules Issues Simon Wesseldine (Sep 24)
- Re: Snort Rules Issues Simon Wesseldine (Sep 25)