[Snort-devel] [Emerging-Sigs] New Proposed Classification.config file setup

Nigel Houghton nhoughton at ...402...
Tue Mar 22 10:51:12 EDT 2011


On Tue, 22 Mar 2011 07:08:43 -0700 (PDT), onelson wrote:
> Sorry I'm coming to this thread a bit late. I'm going to have to take 
> a minute to pick through all that's been posted here, but I just 
> wanted to say that in the short
> time I've been working with snort, the thing that's struck me as a 
> pain are the events with sigs that aren't classified at all. Maybe 
> this is not the role of the engine itself, 
> but I'd almost like to see snort refuse to load rules that match sigs 
> that are missing a class.
> 
> I love the idea of using tags (many to many) rather than a straight 
> sig class (one to many), but in the case of illustrating 
> protocols/services in play for 
> the sig I'd say the data is already there. It should be up to the log 
> viewer or analyst to query for ports, etc.
> 
> Also, integers ftw! I'd love it if the ids for these new class/tag 
> records could be defined up front, but I guess that's one of those 
> things.
> 
> Regards,
> Owen Nelson

Which rules without classtype are you referring to? I don't see any 
rules (regular, shared object and preprocessor) without a classtype at 
all.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
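A loader-side check of the kind Owen asks for, as an added example that is not part of this thread and not Snort's own code: it reads `config classification:` entries in the format classification.config uses and flags rules whose `classtype` option is missing or undefined. The sample config and rules below are constructed for the example.

```python
import re

# Constructed sample classification.config (same line format Snort uses:
# "config classification: shortname,description,priority").
CLASSIFICATION_CONFIG = """\
# comment line
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: trojan-activity,A Network Trojan was detected,1
config classification: misc-activity,Misc activity,3
"""

# Constructed sample rules: the second rule has no classtype and the third
# references a classtype that the config above does not define.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force"; flow:to_server; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"IRC join"; flow:to_server; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"odd DNS"; classtype:dns-weirdness; sid:1000003; rev:1;)
# alert tcp any any -> any any (msg:"commented out"; sid:1000004; rev:1;)
"""

CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]*),(\d+)\s*$")
OPT_RE = re.compile(r"\b(sid|classtype)\s*:\s*([^;]+);")


def parse_classifications(text):
    """Map classtype shortname -> (description, priority)."""
    classes = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            classes[m.group(1).strip()] = (m.group(2).strip(), int(m.group(3)))
    return classes


def check_rules(rules, classes):
    """Return (sid, problem) for every rule with a missing or unknown classtype."""
    findings = []
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and commented-out rules
        opts = {k: v.strip() for k, v in OPT_RE.findall(line)}
        sid = opts.get("sid", "?")
        ctype = opts.get("classtype")
        if ctype is None:
            findings.append((sid, "missing classtype"))
        elif ctype not in classes:
            findings.append((sid, f"unknown classtype {ctype!r}"))
    return findings
```

Run `check_rules(RULES, parse_classifications(CLASSIFICATION_CONFIG))` to get the list of offending sids; a loader that wanted to refuse such rules would simply abort when the list is non-empty.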