[Snort-devel] Re: [Snort-users] classification changes
vision at ...195...
Wed May 23 11:01:17 EDT 2001
At 02:11 AM 5/23/2001 -0400, Brian Caswell wrote:
>We are going to change the classification for the Snort.org ruleset.
>Sorry IDWG guys, your classifications. The IDWG classifications are
>just not viable. I tried. It's really bad.
>Attached is the classification.config that will be included with snort
>1.8.1 (Well, included into CVS as soon as I can clean up the rules)
>If you have wishes/requests for default classifications, let me know
>ASAP. I will start changing rules within the next 2 days.
I wrote some info about this before but had email problems and it seems to
be gone (and not sent). Basically we came up with a good classification
system last week that has so far been a good fit for all of the intrusion
events. You can see this implemented at
You can see an overview of how this breaks down at:
The system we came up with is the following 20 classifications:
not suspicious (policy foo)
suspicious (miscellaneous such as source routing ip opts)
info / attempt,success,failed (information gathering)
relay / attempt,success,failed (relay vuln like socks, spam, etc)
data / attempt,success,failed (data integrity, such as snmp write)
system / attempt,success,failed (system integrity, such as shell access)
client / attempt,success,failed (client software attacks)
This allowed us to classify each known intrusion event. It was a struggle
with the IDWG system. The last three categories were required since we
have a lot of events where we can't see clearly which class the event is
in. For example, a signature to catch just "phf" in uricontent data would
catch either an information gathering probe (is phf there?) or a system
integrity attempt (let's push this linefeed through and run some
commands). So it would be inappropriate to pick one or the other unless
there were several very specific variations of the signature to catch each
case. I can list some examples of why these classifications were chosen if
anyone needs the info.
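The following is an added example, not code from the post or from the Snort project. It expands the 20-class scheme above into entries in Snort's classification.config format (the real line syntax is `config classification: <shortname>,<description>,<priority>`), parses such a file back, and then checks a few constructed sample rules the way Snort does at load time: every `classtype:` a rule names must exist. The short names, descriptions and the priority assigned to each class, and the sample rules, are this example's own assumptions.

```python
"""Encode the post's 20 classifications as classification.config entries,
parse them back, and validate the classtype: keywords used by rules.

Example code added here, not from the post or the Snort project. The
"config classification:" line syntax is Snort's; the class names,
descriptions, priorities and sample rules below are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Two base classes that carry no attempt/success/failed axis (assumed names).
FLAT_CLASSES = [
    ("not-suspicious", "Not Suspicious Traffic (policy)", 3),
    ("suspicious", "Suspicious Traffic such as source-routed IP options", 3),
]
# Six classes that expand into attempt/success/failed variants (assumed names).
AXIS_CLASSES = [
    ("info", "Information Gathering"),
    ("relay", "Relay Abuse such as open SOCKS or SMTP relay"),
    ("data", "Data Integrity such as an SNMP write"),
    ("system", "System Integrity such as shell access"),
    ("client", "Client Software Attack"),
]
# Priority assumption: a confirmed success outranks an attempt, which
# outranks a failed attempt (Snort priorities: 1 is the most severe).
OUTCOME_PRIORITY = {"success": 1, "attempt": 2, "failed": 3}

# Snort's classification.config line: config classification: name,desc,prio
CLASS_RE = re.compile(r"^config\s+classification:\s*([^,]+),([^,]+),(\d+)\s*$")
CLASSTYPE_RE = re.compile(r"classtype:\s*([A-Za-z0-9_-]+)\s*;")
SID_RE = re.compile(r"sid:\s*(\d+)\s*;")


@dataclass(frozen=True)
class Classification:
    name: str
    description: str
    priority: int


def generate_config() -> List[str]:
    """Produce the 2 + 5*3 = 17 axis-expanded entries plus... see note below."""
    lines = [f"config classification: {n},{d},{p}" for n, d, p in FLAT_CLASSES]
    for name, desc in AXIS_CLASSES:
        for outcome, prio in OUTCOME_PRIORITY.items():
            lines.append(
                f"config classification: {name}-{outcome},{desc} ({outcome}),{prio}"
            )
    return lines


def parse_config(text: str) -> Dict[str, Classification]:
    """Parse classification.config text; reject malformed or duplicate entries."""
    classes: Dict[str, Classification] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment in Snort configs
        if not line:
            continue
        m = CLASS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a classification entry: {raw!r}")
        name = m.group(1).strip()
        if name in classes:
            raise ValueError(f"line {lineno}: duplicate classtype {name!r}")
        classes[name] = Classification(name, m.group(2).strip(), int(m.group(3)))
    return classes


def rule_priorities(rules_text: str, classes: Dict[str, Classification]
                    ) -> List[Tuple[str, str, Optional[int]]]:
    """For each rule return (sid, classtype, priority); priority is None when
    the rule names a classtype the config does not define, which Snort
    would refuse to load."""
    out = []
    for raw in rules_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        sid = SID_RE.search(raw)
        ctype = CLASSTYPE_RE.search(raw)
        if not sid or not ctype:
            continue
        cls = classes.get(ctype.group(1))
        out.append((sid.group(1), ctype.group(1), cls.priority if cls else None))
    return out


# Constructed sample rules: the third one still uses an old IDWG-style
# classtype that the new scheme does not define.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"WEB-CGI phf access"; uricontent:"/phf"; classtype:info-attempt; sid:1000001; rev:1;)
alert udp any any -> any 161 (msg:"SNMP set request"; classtype:data-attempt; sid:1000002; rev:1;)
alert tcp any any -> any 25 (msg:"SMTP relay probe"; classtype:attempted-recon; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    cfg = parse_config("\n".join(generate_config()))
    print(f"{len(cfg)} classifications defined")
    for sid, ctype, prio in rule_priorities(SAMPLE_RULES, cfg):
        print(sid, ctype, "priority", prio if prio is not None else "UNDEFINED classtype")
```

The scheme listed in the post has 2 flat classes plus 6 axis classes (info, relay, data, system, client each times attempt/success/failed), which is what `generate_config` emits; the phf rule in the sample is classified as `info-attempt` only because a rule author had to pick one side of the ambiguity the post describes.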