[Snort-sigs] Classification.config

frenzy at ...1823...
Fri Aug 29 09:44:16 EDT 2003


It uses the classification.config file in your rules directory.
Basically, it takes each threat type, and matches it up with the
corresponding occurrence in that file. So in the default
classification.config,

    config classification: not-suspicious,Not Suspicious Traffic,3

is the first line, so it would be classification 1.

Take a look in void ParseClassificationConfig(char *args) in signature.c.

Hope this helps.

Randy

http://www.frenzy.org
"Sed Quis Custodiet Ipsos Custodes?" -Juvenal

On Tue, 26 Aug 2003, Williams, Colby E. wrote:

Can someone please explain to me how SNORT determines what rules get
what classification?



Colby
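
An added example (not part of the original messages and not Snort's own code): a small Python parser that numbers classification.config entries in file order, as the reply describes, and resolves a rule's classtype to its number, description and priority. The sample entries beyond the quoted first line, the sample rule, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the first entry is the line quoted in the message; the
# other two are filled in here for illustration.
SAMPLE_CONFIG = """\
# comment and blank lines are skipped

config classification: not-suspicious,Not Suspicious Traffic,3
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: bad-unknown,Potentially Bad Traffic,2
"""
# Constructed rule; the sid is a placeholder value.
SAMPLE_RULE = ('alert tcp any any -> any 80 '
               '(msg:"constructed example"; classtype:bad-unknown; sid:1000001;)')

ENTRY_RE = re.compile(r"^config\s+classification\s*:\s*(.+)$")
CLASSTYPE_RE = re.compile(r"\bclasstype\s*:\s*([^;]+);")


def parse_classifications(text):
    """Map short name -> (id, description, priority), where id is the 1-based
    position of the entry among the classification lines (file order)."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not line or line.startswith("#") or not match:
            continue  # blank, comment, or some other directive
        fields = [f.strip() for f in match.group(1).split(",")]
        if len(fields) != 3 or not fields[2].isdigit():
            raise ValueError(f"line {lineno}: want name,description,priority")
        name, description, priority = fields
        if name in table:  # this example's choice: refuse ambiguous numbering
            raise ValueError(f"line {lineno}: duplicate classification {name!r}")
        table[name] = (len(table) + 1, description, int(priority))
    return table


def classify_rule(rule, table):
    """Return (id, description, priority) for the rule's classtype, or None
    when the rule carries no classtype option."""
    match = CLASSTYPE_RE.search(rule)
    if match is None:
        return None
    name = match.group(1).strip()
    if name not in table:
        raise KeyError(f"classtype {name!r} is not defined in the config")
    return table[name]
```
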




