[Snort-devel] classification changes
bmc at ...227...
Wed May 23 09:53:31 EDT 2001
Chris Green wrote:
> [ is there anyone on devel that isn't on users? ]
no idea. Since this affects both developers AND users, I e-mailed
> > Attached is the classification.config that will be included with snort
> > 1.8.1 (Well, included into CVS as soon as I can clean up the rules)
> > If you have wishes/requests for default classifications, let me know
> > ASAP. I will start changing rules within the next 2 days.
> At least keep the same order that was already defined where larger
> numerical magnitude means higher priority.
That's a simple change in your classification.config
Since many NIDS shops use RealSecure and snort, I've elected to make
the default priorities follow sort of the same scheme. (With a bit
more brain cells to classifying rules, that's for sure)
If there is a generalized consent that we want priorities done in low
to high instead of high to low, then I'll change it. NOTE: That
means if you want it, you MUST speak up.
> I don't think url-access/exploit are any different than attempted-user
> in the large scheme of things.
Actually, I do. One is an exploit. One is just a probe. I'm much
more concerned if someone does /scripts/../../../winnt/cmd.exe than if
they do /cgi-bin/phf
> service-probe for like a bind.version
> attempted-admin for a root exploit
> attempted-user for an exploit that will give you nobody privileges
> host-mapping == os identification? That sounds like a specific
host-mapping would contain NMAP probes, and things host -> many hosts
targeting a single port. Actually, I will be releasing HOMER soon,
an alert correlation engine that we at MITRE have developed. (See the
SANS paper on Intrusion Detection & Data Mining) This classification
is used by those things.
The MITRE Corporation
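Added example (not part of the original message, and not Snort's own code): a small parser for classification.config entries, which take the form `config classification: shortname,short description,priority`, plus two helpers that rank classtypes under either of the two conventions argued about above (small number = high priority, as proposed for the default, or large number = high priority, as the quoted reply asked to keep) and that flip a file from one convention to the other. The classtype names and priorities in the sample are constructed for this example; they are not the real 1.8.1 defaults. The `rank` and `flip_convention` helpers are hypothetical names, not Snort functionality.

```python
"""Parse Snort classification.config entries and rank them by priority.

Entry syntax (one per line, '#' starts a comment):
    config classification: shortname,short description,priority
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: NOT the real classification.config shipped with Snort.
SAMPLE_CONFIG = """\
# comment lines and blank lines are ignored
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: web-application-attack,Web Application Attack,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: network-scan,Detection of a Network Scan,3
config classification: not-suspicious,Not Suspicious Traffic,3
"""

ENTRY_RE = re.compile(
    r"^\s*config\s+classification:\s*"
    r"(?P<name>[^,]+),(?P<desc>[^,]+),(?P<prio>\d+)\s*$"
)

Classes = Dict[str, Tuple[str, int]]


def parse_classifications(text: str) -> Classes:
    """Return {shortname: (description, priority)} for every valid entry.

    Malformed or duplicate entries raise ValueError so a broken config
    fails loudly instead of silently losing a classtype.
    """
    result: Classes = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = ENTRY_RE.match(stripped)
        if not m:
            raise ValueError(f"line {lineno}: malformed entry: {line!r}")
        name = m.group("name").strip()
        if name in result:
            raise ValueError(f"line {lineno}: duplicate classtype {name!r}")
        result[name] = (m.group("desc").strip(), int(m.group("prio")))
    return result


def rank(classes: Classes, low_number_is_high: bool = True) -> List[str]:
    """Order classtypes from most to least severe (ties broken by name).

    low_number_is_high=True  -> 1 is the most severe (the proposed default)
    low_number_is_high=False -> larger number means higher priority
    """
    sign = 1 if low_number_is_high else -1
    ordered = sorted(classes.items(), key=lambda kv: (sign * kv[1][1], kv[0]))
    return [name for name, _ in ordered]


def flip_convention(classes: Classes) -> Classes:
    """Reverse the numbering while preserving relative severity, e.g. 1..3 -> 3..1."""
    prios = sorted({p for _, p in classes.values()})
    remap = dict(zip(prios, reversed(prios)))
    return {n: (d, remap[p]) for n, (d, p) in classes.items()}


def render(classes: Classes) -> str:
    """Emit entries back in classification.config syntax."""
    lines = [f"config classification: {n},{d},{p}" for n, (d, p) in classes.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cls = parse_classifications(SAMPLE_CONFIG)
    print("most severe first:", rank(cls))
    print(render(flip_convention(cls)), end="")
```

Running the file prints the classtypes most severe first and then the same entries rewritten so that a larger number means higher priority; round-tripping the output through `parse_classifications` gives back the original table.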