[Snort-sigs] [Snort-devel] New Proposed Classification.config file setup
roesch at ...435...
Thu Dec 23 22:54:13 EST 2010
On Thu, Dec 23, 2010 at 5:27 PM, Joel Esler <jesler at ...435...> wrote:
> As mentioned earlier, here's the proposed Classification.config file setup
> posted and available for download here:
> Please take a look, leave comments preferably on the blog, but also here
> would be fine.
It appears that there's two levels of information here, why not have a
class and subclass? For example:
should maybe be
category: exploit; class: shellcode;
category: exploit; class: sql-injection;
category: exploit; class: browser;
Having the different levels of granularity could be useful for things
list real-time response mechanisms that act on just the category or
whatever. Just thinking out loud here.
Furthermore, maybe we should be thinking about really fixing the
classification system with static value assignments for categories and
classes and mappings between values and human readable strings. I
imagine this could make machine processing easier if we had output
options that could generate either (more easily) machine readable or
human readable data. This would also make the runtime loading more
sane, no more classification.config line order-dependent
I mean, if we're going to fix it why not fix it right?
Any log management/SIEM people paying attention on-list? This is a
chance to make your lives easier if you've got any input!
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
More information about the Snort-sigs