[Snort-devel] Version 1.8.7beta5 (Build 127) classification.config

Phil Wood cpw at ...86...
Tue Jun 25 16:33:02 EDT 2002

Why the patch below makes all the difference in the world, I don't know.
There is something foobah with the parsing of the classification.config.
If the patch is not in place, the mapping doesn't work, and you get

[Classification:  sig] inplace of
[Classification: access to potentially vulnerable web application]

Too freaky for words.  Either there are some non-ascii characters buried
somehwere in the rules or the classifiation.config, or some string lengths
are whaco.  Ruined my day.  See you in Boston?

dif classification.config /tmp/classification.config
--- classification.config       Mon May 27 19:38:25 2002
+++ /tmp/classification.config  Tue Jun 25 23:26:30 2002
@@ -56,7 +56,7 @@
 config classification: denial-of-service,Detection of a Denial of Service Attack,2
 config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
 config classification: protocol-command-decode,Generic Protocol Command Decode,3
-config classification: web-application-activity,access to a potentially vulnerable web application,2
+config classification: webapplication-activity,access to potentially vulnerable web application,2
 config classification: web-application-attack,Web Application Attack,1
 config classification: misc-activity,Misc activity,3
 config classification: misc-attack,Misc Attack,2

More information about the Snort-devel mailing list