[Snort-sigs] [Emerging-Sigs] New Classification System Proposal
jesler at ...435...
Thu Dec 23 14:25:47 EST 2010
(Apologies in advance for cross-posting)
Have some news to share from our side.
After discussion internally, we (Sourcefire) also like this format and are going to update the official shipping snort.conf and the VRT rule sets to it as well. We are creating a bug internally to do this, as we speak.
Just a couple items however:
1. We've already started writing the new classification.conf file (with new priorities and descriptions). If you have started on this, we'll be glad to use it, but we'll keep writing until we are told differently.
2. We don't use "_", so we'll translate those over to "-".
3. We also don't use uppercase in the keywords, so we'll translate those to lower case.
For example: Exploit-SQL_Injection will become exploit-sql-injection
I don't have a particular version of when we'll move over to the new format, but I'll be sure and keep the community updated as we move along this course on the blog (http://blog.snort.org) and the VRT blog (http://vrt-sourcefire.blogspot.com).
Please feel free to email me with any questions! Thanks!
Manager, OpenSource Community
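As an added example (not code from Sourcefire, Emerging Threats or Alienvault), a small Python helper that applies the translation described above to classification.conf entries and to the classtype option of rules, and flags proposed names that would collide once underscores and case are folded. The `config classification: name,description,priority` line format is Snort's standard one; the sample entries and the rule are constructed.

```python
import re

# Constructed sample in the proposed ET/Alienvault naming style (not the real file);
# the second entry is deliberately a duplicate that differs only in case.
PROPOSED_CONF = """\
config classification: Exploit-SQL_Injection,SQL injection exploit attempt,1
config classification: Exploit-Sql-Injection,Duplicate differing only in case,2
config classification: Policy-P2P,Peer-to-peer policy violation,3
"""

# Constructed rule, not from any shipped ruleset.
SAMPLE_RULE = ('alert tcp any any -> any 80 (msg:"constructed example"; '
               'classtype:Exploit-SQL_Injection; sid:9000001; rev:1;)')

CONF_RE = re.compile(r"^config classification:\s*([^,]+),([^,]*),(\d+)\s*$")

def normalize(name):
    """Sourcefire convention: no underscores, no uppercase."""
    return name.strip().replace("_", "-").lower()

def parse_conf(text):
    """Return [(shortname, description, priority)] for well-formed lines."""
    entries = []
    for line in text.splitlines():
        m = CONF_RE.match(line.strip())
        if m:
            entries.append((m.group(1).strip(), m.group(2).strip(), int(m.group(3))))
    return entries

def translate_conf(text):
    """Rewrite entries to normalized names. Names that collide after normalization
    would silently merge two classtypes, so they are reported and the later one dropped."""
    seen, collisions, out = {}, [], []
    for name, desc, prio in parse_conf(text):
        new = normalize(name)
        if new in seen:
            collisions.append((seen[new], name, new))
            continue
        seen[new] = name
        out.append(f"config classification: {new},{desc},{prio}")
    return out, collisions

def rewrite_classtype(rule):
    """Normalize the classtype option of one rule to match the rewritten conf."""
    return re.sub(r"classtype:\s*([^;]+);",
                  lambda m: f"classtype:{normalize(m.group(1))};", rule)
```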
On Dec 15, 2010, at 2:42 PM, Matthew Jonkman wrote:
> Alienvault and Emerging Threats Pro have some very good news to share. Alienvault has been for some time working on and using a much more granular and expressive classification system for Snort and Suricata alerts. Emerging Threats and Emerging Threats Pro intend to adopt this classification system as an option for users, and we want to get your input. There are about 240 categories now, and we want to get everything added or changed that might be necessary while we're adopting the system.
> The proposed classification system is available here as well as being at the end of this message:
> We welcome your comment on what to add or change in this classification system. The goal is to make correlation and analysis systems able to make better decisions based on classifications, and potentially even allow blocking decisions to be made by classtype. The current classifications in use are vague and haven't been updated for some time, and many systems are making decisions based on them without much distinction between categories. So we'd like to make that better.
> Alienvault has done a lot of work in this area already and they'd like to push that out to the community. We'd like to take a week or two to let everyone look these over and comment, and then we'll get a version agreed upon and begin using that.
> For Emerging Threats and Emerging Threats Pro users it'll take us some time to reclassify the rules, but we'll get it done. We will publish two versions of the ruleset, one with the old classifications, and one with the new. The old classifications will be included in the new classifications file so we don't have any issues with backward-compatible rules.
> We welcome other comments and concerns, but we're very excited about what Alienvault is donating to the community, and we're eager to implement!
> Please feel free to comment on the blog (http://blog/emergingthreatspro.com) or here.
> Matthew Jonkman
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630
> Fax 312-264-0205
> PGP: http://www.jonkmans.com/mattjonkman.asc
> Emerging-sigs mailing list
> Emerging-sigs at ...3335...