[Snort-sigs] [Snort-users] [Emerging-Sigs] New Classification System Proposal

Paul Halliday paul.halliday at ...2420...
Thu Dec 23 16:15:18 EST 2010


On Thu, Dec 23, 2010 at 3:25 PM, Joel Esler <jesler at ...435...> wrote:
> All,
>
> (Apologize in advance for cross-posting)
> Have some news to share from our side.
>
> After discussion internally, we (Sourcefire) also like this format and are going to update the official shipping snort.conf and the VRT rule sets to it as well.  We are creating a bug internally to do this, as we speak.
>
> Just a couple items however:
> 1.  We've already started writing the new classification.conf file (with new priorities and descriptions).  If you have started on this, we'll be glad to use it, but we'll keep writing until we are told differently.
> 2.  We don't use "_", so we'll translate those over to "-".
> 3.  We also don't use uppercase in the keywords, so we'll translate those to lower case.
>
> For example: Exploit-SQL_Injection will become exploit-sql-injection
>

So the same, but different :)

I think that all lowercase makes sense. I also think that an
underscore makes sense. Without it, more logic will be required when
trying to group.
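
The grouping concern in the reply above, as an added example that is not part of the original message or of any Sourcefire/VRT code. It assumes "-" separates the category from the sub-type and "_" joins words within one level; every class name other than Exploit-SQL_Injection is constructed for illustration, and the lines follow the usual classification.conf layout (short name, description, priority).

```python
from collections import defaultdict

# Constructed classification.conf lines in the proposal's style. Only
# Exploit-SQL_Injection appears in the thread; the rest are hypothetical.
SAMPLE_CONF = """\
config classification: Exploit-SQL_Injection,SQL injection attempt,1
config classification: Exploit-Buffer_Overflow,Buffer overflow attempt,1
config classification: Policy_Violation-Chat,Chat client in use,3
config classification: Policy_Violation-P2P,Peer-to-peer client in use,3
"""

def parse_shortnames(conf):
    """Return the short name from each 'config classification:' line."""
    names = []
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("config classification:"):
            names.append(line.split(":", 1)[1].split(",")[0].strip())
    return names

def normalize(name):
    """The translation from the quoted message: '_' to '-', lower case."""
    return name.replace("_", "-").lower()

def group_by_first_token(names):
    """Group on the text before the first '-'."""
    groups = defaultdict(list)
    for n in names:
        groups[n.split("-", 1)[0]].append(n)
    return dict(groups)

def group_by_known_category(names, categories):
    """The extra logic: match the longest known category prefix."""
    groups = defaultdict(list)
    for n in names:
        hits = [c for c in categories if n == c or n.startswith(c + "-")]
        groups[max(hits, key=len) if hits else "unknown"].append(n)
    return dict(groups)

if __name__ == "__main__":
    original = parse_shortnames(SAMPLE_CONF)
    flat = [normalize(n) for n in original]
    print(group_by_first_token(original))   # split on '-' is unambiguous
    print(group_by_first_token(flat))       # multi-word category is truncated
    print(group_by_known_category(flat, ["exploit", "policy-violation"]))
```

With the underscore kept, one split recovers the category; once everything is a hyphen, the grouping code has to carry a list of known categories.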



