[Snort-devel] classification changes

Brian Caswell bmc at ...227...
Wed May 23 09:53:31 EDT 2001


Chris Green wrote:
> [ is there anyone on devel that isn't on users? ]

no idea.  Since this affects both developers AND users, I e-mailed
both.

> > Attached is the classification.config that will be included with snort
> > 1.8.1 (Well, included into CVS as soon as I can clean up the rules)
> >
> > If you have wishes/requests for default classifications, let me know
> > ASAP.  I will start changing rules within the next 2 days.
> >
> 
> At least keep the same order that was already defined where larger
> numerical magnitude means higher priority.

That's a simple change in your classification.config

Since many NIDS shops use RealSecure and snort, I've elected to make
the default priorities follow sort of the same scheme.  (With a bit
more brain cells to classifying rules, that's for sure)

If there is a generalized consent that we want priorities done in low
to high instead of high to low, then I'll change it.  NOTE:  That
means if you want it, you MUST speak up.

> I don't think url-access/exploit are any different than attempted-user
> in the large scheme of things.

Actually, I do.  One is an exploit.  One is just a probe.  I'm much
more concerned if someone does /scripts/../../../winnt/cmd.exe than if
they do /cgi-bin/phf

> service-probe for like a bind.version
> attempted-admin for a root exploit
> 
> attempted-user for an exploit that will give you nobody privileges
> 
> host-mapping == os identification? That sounds like a specific
> information

host-mapping would contain NMAP probes, and things host -> many hosts
targeting a single port.  Actually, I will be releasing HOMER soon,
an alert correlation engine that we at MITRE have developed.  (See the
SANS paper on Intrusion Detection & Data Mining)  This classification
is used by those things.  

-- 
Brian Caswell
The MITRE Corporation
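To show what the "simple change" to the priority direction looks like in practice, here is an added example (not from the thread or the Snort project) that parses classification.config entries and reverses their numeric order. It assumes Snort's `config classification: shortname,description,priority` line format and uses constructed sample priorities, not the values shipped with 1.8.1.

```python
import re

# Assumed classification.config line format (not shown in the thread):
#   config classification: shortname,short description,priority
CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]+),(\d+)\s*$")

# Constructed sample in the RealSecure-like scheme described above,
# where 1 is the most urgent. Priorities are illustrative only.
SAMPLE_CONFIG = """\
# constructed sample, not the real classification.config
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: exploit,Exploit,2
config classification: service-probe,Service Probe,3
config classification: host-mapping,Host Mapping,3
"""


def parse_classifications(text):
    """Return {shortname: (description, priority)}; reject malformed or duplicate entries."""
    result = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CLASS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a classification entry: {line!r}")
        name, desc, prio = m.group(1).strip(), m.group(2).strip(), int(m.group(3))
        if name in result:
            raise ValueError(f"line {lineno}: duplicate classtype {name}")
        result[name] = (desc, prio)
    return result


def invert_priorities(classes):
    """Flip the numeric direction so that the largest number is the most urgent.

    Mapping p -> lo + hi - p reverses the relative order exactly and keeps
    the original numeric range, so every classtype keeps a distinct rank.
    """
    prios = [p for _, p in classes.values()]
    lo, hi = min(prios), max(prios)
    return {n: (d, lo + hi - p) for n, (d, p) in classes.items()}


def render(classes):
    """Emit config lines, most urgent (highest number) first."""
    ordered = sorted(classes.items(), key=lambda kv: (-kv[1][1], kv[0]))
    return "\n".join(f"config classification: {n},{d},{p}" for n, (d, p) in ordered)
```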
