[Snort-devel] classification changes

Chris Green cmg at ...81...
Wed May 23 09:16:17 EDT 2001


[ is there anyone on devel that isn't on users? ]

Brian Caswell <bmc at ...227...> writes:

> We are going to change the classification for the Snort.org ruleset. 
> Sorry IDWG guys, your classifications.  The IDWG classifications are
> just not viable.  I tried.  Its really bad.  

Yes, for right now a good bit of the priorities aren't worth watching.
This is partially due to weird classifications like "bad-unknown" and
partially due to snort not having a way to easily differentiate between
an attempted- and a successful-

To do this, nearly a whole set of rules that operate only on stuff
once tagged seems to be to separate the CMD.EXE 200's from the CMD.EXE
404s or whatever.

> Attached is the classification.config that will be included with snort
> 1.8.1 (Well, included into CVS as soon as I can clean up the rules)
> 
> If you have wishes/requests for default classifications, let me know
> ASAP.  I will start changing rules within the next 2 days.
>

At least keep the same order that was already defined, where larger
numerical magnitude means higher priority.

I don't think url-access/exploit are any different than attempted-user
in the large scheme of things.

service-probe for like a bind.version
attempted-admin for a root exploit

attempted-user for an exploit that will give you nobody privileges

host-mapping == os identification? That sounds like a specific
information


> -- 
> Brian Caswell
> The MITRE Corporation
> 
> config classification: information,Informational Alert,4
> config classification: policy-violation,Policy Violation,3
> config classification: port-access,Port Scan,3
> config classification: information-leak,Information Leak,3
> config classification: misc-suspicious,Suspicious Traffic,2
> config classification: port-scan,Port Scan,2
> config classification: host-mapping,Host Mapping,2
> config classification: attack-responce,Responce from an Attack,2
> config classification: attempted-url-access,Attempted URL Access,2
> config classification: attempted-url-exploit,Attempted URL Exploit,1
> config classification: attempted-admin, Attempted User Privilage Gain,1
> config classification: attempted-user, Attempted Administrative Privilage Gain,1

-- 
Chris Green <cmg at ...81...>
A good pun is its own reword.
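
Added example, not part of this thread or of Snort's own code: a small parser for the `config classification:` lines Brian attached above, with a lint pass that flags the things this thread is arguing about (shared descriptions, out-of-range priorities, and the priority order), plus a resolver that shows how a rule's `classtype:` keyword maps to a priority through that file (an explicit `priority:` option on the rule wins; what Snort does when a rule has neither is not modelled here and is returned as None). The config text is copied verbatim from the quoted message, spelling included; everything else is constructed for the example.

```python
import re
from collections import Counter

# Constructed sample: the classification.config lines quoted in the message
# above, pasted as posted (including the spelling and the stray space).
CLASSIFICATION_CONFIG = """\
config classification: information,Informational Alert,4
config classification: policy-violation,Policy Violation,3
config classification: port-access,Port Scan,3
config classification: information-leak,Information Leak,3
config classification: misc-suspicious,Suspicious Traffic,2
config classification: port-scan,Port Scan,2
config classification: host-mapping,Host Mapping,2
config classification: attack-responce,Responce from an Attack,2
config classification: attempted-url-access,Attempted URL Access,2
config classification: attempted-url-exploit,Attempted URL Exploit,1
config classification: attempted-admin, Attempted User Privilage Gain,1
config classification: attempted-user, Attempted Administrative Privilage Gain,1
"""

# name,description,priority; whitespace around the commas is tolerated.
CLASS_LINE = re.compile(
    r'^\s*config\s+classification:\s*([^,]+?)\s*,\s*(.+?)\s*,\s*(\d+)\s*$')


def parse_classification_config(text):
    """Return {classtype: (description, priority)} in file order.

    Blank lines and '#' comments are skipped; anything else that does not
    match the three-field form, or a classtype defined twice, is an error.
    """
    classes = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = CLASS_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a classification line: {line!r}")
        name, desc, prio = m.group(1), m.group(2), int(m.group(3))
        if name in classes:
            raise ValueError(f"line {lineno}: classtype {name!r} defined twice")
        classes[name] = (desc, prio)
    return classes


def lint(classes):
    """Return warnings a maintainer would want before shipping the file."""
    warnings = []
    counts = Counter(desc for desc, _ in classes.values())
    for desc, n in counts.items():
        if n > 1:
            names = [k for k, (d, _) in classes.items() if d == desc]
            warnings.append(f"description {desc!r} shared by {names}")
    for name, (_, prio) in classes.items():
        if prio < 1:  # assumption for this example: priorities start at 1
            warnings.append(f"{name}: priority {prio} is below 1")
    return warnings


def by_priority(classes):
    """Classtypes ordered most severe first (priority 1 sorts first)."""
    return [name for name, (_, prio) in
            sorted(classes.items(), key=lambda kv: kv[1][1])]


RULE_CLASSTYPE = re.compile(r'classtype\s*:\s*([^;]+?)\s*;')
RULE_PRIORITY = re.compile(r'priority\s*:\s*(\d+)\s*;')


def rule_priority(rule, classes):
    """Effective priority of one rule: an explicit priority: option wins,
    otherwise the classtype's priority from the config, otherwise None."""
    m = RULE_PRIORITY.search(rule)
    if m:
        return int(m.group(1))
    m = RULE_CLASSTYPE.search(rule)
    if m:
        name = m.group(1)
        if name not in classes:
            raise KeyError(f"unknown classtype {name!r}")
        return classes[name][1]
    return None


if __name__ == "__main__":
    classes = parse_classification_config(CLASSIFICATION_CONFIG)
    for w in lint(classes):
        print("warning:", w)
    print("most severe first:", by_priority(classes))
    rule = 'alert tcp any any -> any 80 (msg:"demo"; classtype:attempted-admin;)'
    print("rule priority:", rule_priority(rule, classes))
```

Run as-is it reports that "Port Scan" is shared by two classtypes (port-access at 3 and port-scan at 2), which is exactly the kind of inconsistency that makes the priorities "not worth watching"; the swapped admin/user descriptions in the last two lines are not something a generic lint can see, so they stay a human review item.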
