[Snort-devel] classification changes
cmg at ...81...
Wed May 23 12:24:26 EDT 2001
Brian Caswell <bmc at ...227...> writes:
> > I don't think url-access/exploit are any different than attempted-user
> > in the large scheme of things.
> Actually, I do. One is an exploit. One is just a probe. I'm much
> more concerned if someone does /scripts/../../../winnt/cmd.exe than if
> they do /cgi-bin/phf
Thats what I was trying to say. Didn't say it clearly enough
> > service-probe for like a bind.version
> > attempted-admin for an root exploit
> > attempted-user for an exploit that will give you nobody privledges
phf would be a service-probe, cmd would be an attempted-user
I was arguing that url-attempt / url-exploit are the same as a
service-probe and an attempted-user-exploit
> > host-mapping == os identification? That sounds like a specific
> > information
> host-mapping would contain NMAP probes, and things host -> many hosts
> targetting a single port. Actually, I will be releasing HOMER soon,
> an alert correlation engine that we at MITRE have developed. (See the
> SANS paper on Intrusion Detection & Data Mining) This classification
> is used by those things.
Ah, I would have called host-mapping "network-mapping".
Chris Green <cmg at ...81...>
"Yeah, but you're taking the universe out of context."
More information about the Snort-devel