[Snort-devel] Re: [Snort-users] classification changes

Max Vision vision at ...195...
Wed May 23 11:01:17 EDT 2001


At 02:11 AM 5/23/2001 -0400, Brian Caswell wrote:
>We are going to change the classification for the Snort.org ruleset.
>Sorry IDWG guys, your classifications.  The IDWG classifications are
>just not viable.  I tried.  It's really bad.
>Attached is the classification.config that will be included with snort
>1.8.1 (Well, included into CVS as soon as I can clean up the rules)
>If you have wishes/requests for default classifications, let me know
>ASAP.  I will start changing rules within the next 2 days.

I wrote some info about this before but had email problems and it seems to 
be gone (and not sent).  Basically we came up with a good classification 
system last week that has so far been a good fit for all of the intrusion 
events.  You can see this implemented at 
http://whitehats.com/ids/vision18.conf.gz

You can see an overview of how this breaks down at:
http://whitehats.com/cgi/arachNIDS/BrowseTree?field=classtype&order=COUNT

The system we came up with is the following 20 classifications:
  not suspicious  (policy foo)
  suspicious (miscellaneous such as source routing ip opts)
  info / attempt,success,failed (information gathering)
  relay / attempt,success,failed (relay vuln like socks, spam, etc)
  data / attempt,success,failed (data integrity, such as snmp write)
  system / attempt,success,failed (system integrity, such as shell access)
  client / attempt,success,failed (client software attacks)
  data-or-info-attempt
  system-or-info-attempt
  relay-or-info-attempt

This allowed us to classify each known intrusion event. It was a struggle 
with the IDWG system.  The last three categories were required since we 
have a lot of events where we can't see clearly which class the event is 
in.  For example, a signature to catch just "phf" in uricontent data would 
catch either an information gathering probe (is phf there?) or a system 
integrity attempt (let's push this linefeed through and run some 
commands).  So it would be inappropriate to pick one or the other unless 
there were several very specific variations of the signature to case each 
case.  I can list some examples of why these classifications were chosen if 
anyone needs the info.

Max
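As an added illustration of the scheme above (not code from the thread, whitehats.com or the Snort project), the following Python expands the five qualified classes, the two plain ones and the three "X-or-info-attempt" classes into the full set of 20 classtype names and checks a handful of constructed rules against it. The hyphenated naming (e.g. `system-or-info-attempt`, `not-suspicious`) and the sample rules are assumptions for the example.

```python
from __future__ import annotations
import re

# Classes that carry an outcome qualifier, as listed in the message.
QUALIFIED = {
    "info": "information gathering",
    "relay": "relay vulnerability (socks, spam, ...)",
    "data": "data integrity (e.g. SNMP write)",
    "system": "system integrity (e.g. shell access)",
    "client": "client software attack",
}
OUTCOMES = ("attempt", "success", "failed")
# Classes with no outcome qualifier.
UNQUALIFIED = ("not-suspicious", "suspicious")
# Classes for signatures that cannot tell a probe from a compromise attempt (the phf case).
AMBIGUOUS = ("data-or-info-attempt", "system-or-info-attempt", "relay-or-info-attempt")


def classtypes() -> set[str]:
    """Expand the scheme into the complete set of classtype names (5*3 + 2 + 3 = 20)."""
    qualified = {f"{base}-{out}" for base in QUALIFIED for out in OUTCOMES}
    return qualified | set(UNQUALIFIED) | set(AMBIGUOUS)


# Matches the classtype option inside a Snort rule body; name chars assumed [A-Za-z0-9_-].
CLASSTYPE_RE = re.compile(r"classtype\s*:\s*([A-Za-z0-9_-]+)\s*;")


def rule_classtype(rule: str) -> str | None:
    """Return the rule's classtype, or None when the option is missing."""
    m = CLASSTYPE_RE.search(rule)
    return m.group(1) if m else None


def check_rules(rules: list[str]) -> list[tuple[int, str | None]]:
    """Return (rule number, classtype) for rules whose classtype is absent or not in the scheme."""
    valid = classtypes()
    return [(n, ct) for n, r in enumerate(rules, 1) if (ct := rule_classtype(r)) not in valid]


# Constructed sample rules: two conform, one uses a legacy name, one has no classtype at all.
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"WEB-CGI phf access"; uricontent:"/phf"; classtype:system-or-info-attempt; sid:1000001; rev:1;)',
    'alert udp any any -> any 161 (msg:"SNMP set request"; content:"|A3|"; classtype:data-attempt; sid:1000002; rev:1;)',
    'alert ip any any -> any any (msg:"IP loose source route"; ipopts:lsrr; classtype:idwg-recon; sid:1000003; rev:1;)',
    'alert tcp any any -> any 1080 (msg:"SOCKS relay probe"; flags:S; sid:1000004; rev:1;)',
]

if __name__ == "__main__":
    for n, ct in check_rules(SAMPLE_RULES):
        print(f"rule {n}: classtype {ct!r} is not one of the {len(classtypes())} scheme classes")
```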