[Snort-sigs] [Emerging-Sigs] New Classification System Proposal

Darren Spruell phatbuckett at ...2420...
Thu Dec 23 18:05:56 EST 2010


+1

I like the additional granularity this will provide although at the
expense of some complexity in rule creation and handling (thinking
SIEMs, etc.).

Nice bipartisan move with the various representative communities too,
well done! (Maybe US Congress could ... never mind).

DS

On Thu, Dec 23, 2010 at 2:02 PM, Matthew Jonkman
<jonkman at ...3525...> wrote:
> Reminder (sorry to spam)
>
> Go here to see the list, and leave comments, or discuss here on the list.
> http://blog.emergingthreatspro.com/2010/12/new-classification-system-proposal.html
>
> Matt
>
>
> On Dec 23, 2010, at 3:51 PM, Matthew Jonkman wrote:
>
>> Certainly glad to hear that Joel! I think it'll be a good thing for us all to have similar classifications.
>>
>> I'd like to encourage everyone that's interested to put in your suggestions for additions and changes now.
>>
>> How about we call a January 12 2011 end date for suggestions? That gets us through the holidays and a week or more of everyone back to work before we end it.
>>
>> (plus I'm in no hurry to start reclassifying 14,000 signatures... :) )
>>
>> Matt
>>
>> On Dec 23, 2010, at 2:25 PM, Joel Esler wrote:
>>
>>> All,
>>>
>>> (Apologize in advance for cross-posting)
>>> Have some news to share from our side.
>>>
>>> After discussion internally, we (Sourcefire) also like this format and are going to update the official shipping snort.conf and the VRT rule sets to it as well.  We are creating a bug internally to do this, as we speak.
>>>
>>> Just a couple items however:
>>> 1.  We've already started writing the new classification.conf file (with new priorities and descriptions).  If you have started on this, we'll be glad to use it, but we'll keep writing until we are told differently.
>>> 2.  We don't use "_", so we'll translate those over to "-".
>>> 3.  We also don't use uppercase in the keywords, so we'll translate those to lower case.
>>>
>>> For example: Exploit-SQL_Injection will become exploit-sql-injection
>>>
>>> I don't have a particular version of when we'll move over to the new format, but I'll be sure and keep the community updated as we move along this course on the blog (http://blog.snort.org) and the VRT blog (http://vrt-sourcefire.blogspot.com).
>>>
>>> Please feel free to email me with any questions!  Thanks!
>>>
>>> Joel Esler
>>> Manager, OpenSource Community
>>>
>>> On Dec 15, 2010, at 2:42 PM, Matthew Jonkman wrote:
>>>
>>>> Alienvault and Emerging Threats Pro have some very good news to share. Alienvault has been for some time working on and using a much more granular and expressive classification system for Snort and Suricata alerts. Emerging Threats and Emerging Threats Pro intend to adopt this classification system as an option for users, and we want to get your input. There are about 240 categories now, and we want to get everything added or changed that might be necessary while we're adopting the system.
>>>>
>>>> The proposed classification system is available here as well as being at the end of this message:
>>>>
>>>> http://www.emergingthreats.net/new_classifications_v1.txt
>>>>
>>>> We welcome your comment on what to add or change in this classification system. The goal is to make correlation and analysis systems able to make better decisions based on classifications, and potentially even allow blocking decisions to be made by classtype. The current classifications in use are vague and haven't been updated for some time, and many systems are making decisions based on them without much distinction between categories. So we'd like to make that better.
>>>>
>>>> Alienvault has done a lot of work in this area already and they'd like to push that out to the community. We'd like to take a week or two to let everyone look these over and comment, and then we'll get a version agreed upon and begin using that.
>>>>
>>>> For Emerging Threats and Emerging Threats Pro users it'll take us some time to reclassify the rules, but we'll get it done. We will publish two versions of the ruleset, one with the old classifications, and one with the new. The old classifications will be included in the new classifications file so we don't have any issues with backward compatible rules.
>>>>
>>>> We welcome other comments and concerns, but we're very excited about what Alienvault is donating to the community, and we're eager to implement!
>>>>
>>>> Please feel free to comment on the blog (http://blog/emergingthreatspro.com) or here.
>>>>
>>>>
>>>> Exploit-Shellcode
>>>> Exploit-SQL_Injection
>>>> Exploit-Browser
>>>> Exploit-ActiveX
>>>> Exploit-Command_Execution
>>>> Exploit-Cross_Site_Scripting
>>>> Exploit-FTP
>>>> Exploit-File_Inclusion
>>>> Exploit-Windows
>>>> Exploit-Directory_Traversal
>>>> Exploit-Attack_Response
>>>> Exploit-Denial_Of_Service
>>>> Exploit-PDF
>>>> Exploit-Buffer_Overflow
>>>> Exploit-Spoofing
>>>> Exploit-Format_String
>>>> Exploit-Misc
>>>> Exploit-DNS
>>>> Exploit-Mail
>>>> Exploit-Samba
>>>> Exploit-Linux
>>>> Authentication-Bruteforce
>>>> Authentication-Bypass
>>>> Authentication-Login
>>>> Authentication-Failed
>>>> Authentication-Cleartext
>>>> Authentication-Logout
>>>> Authentication-Disclosure
>>>> Authentication-Default_Credentials
>>>> Access-Web_Application_Access
>>>> Access-File_Access
>>>> Access-Misc
>>>> Malware-Spyware
>>>> Malware-Adware
>>>> Malware-Fake_Antivirus
>>>> Malware-KeyLogger
>>>> Malware-Trojan
>>>> Malware-Virus
>>>> Malware-Worm
>>>> Malware-Generic
>>>> Malware-Backdoor
>>>> Policy-Porn
>>>> Policy-P2P
>>>> Policy-Instant_Messaging_Chat
>>>> Policy-Anonymity
>>>> Policy-Games
>>>> Policy-Other
>>>> Denial_Of_Service-Web_Application
>>>> Denial_Of_Service-Application
>>>> Denial_Of_Service-Flood
>>>> Denial_Of_Service-DDoS
>>>> Suspicious-Blacklist_Address
>>>> Suspicious-Web_Attack_or_Scan
>>>> Suspicious-Bad_Traffic
>>>> Suspicious-Network_Activity
>>>> Suspicious-Scada_Activity
>>>> Suspicious-DNS_Activity
>>>> Suspicious-SSH_Activity
>>>> Suspicious-NFS_Activity
>>>> Suspicious-Database_Activity
>>>> Suspicious-Netbios_Activity
>>>> Suspicious-RPC_Activity
>>>> Suspicious-Mail_Activity
>>>> Network-TFTP_Activity
>>>> Network-FTP_Activity
>>>> Network-SNMP_Activity
>>>> Network-SMTP_Activity
>>>> Network-Telnet_Activity
>>>> Recon-Misc
>>>> Recon-Scanner
>>>> Info-Misc
>>>> Network-NTP_Activity
>>>> Network-SIP_Activity
>>>> Network-DHCP_Activity
>>>> Access-Firewall_Permit
>>>> Access-Firewall_Deny
>>>> Access-ACL_Permit
>>>> Access-ACL_Deny
>>>> Authentication-Policy_Added
>>>> Authentication-Policy_Changed
>>>> Authentication-Policy_Deleted
>>>> Authentication-FTP_Login_Succeeded
>>>> Authentication-FTP_Login_Failed
>>>> Authentication-Password_Change_Failed
>>>> Authentication-Password_Change_Succeeded
>>>> Authentication-User_Created
>>>> Authentication-User_Deleted
>>>> Authentication-User_Changed
>>>> Authentication-Admin_Access
>>>> Authentication-Group_Added
>>>> Authentication-Group_Deleted
>>>> Authentication-Group_Changed
>>>> Authentication-Auth_Required
>>>> Authentication-Account_Lockout
>>>> Authentication-Account_Unlocked
>>>> Malware-Virus_Detected
>>>> Antivirus-Virus_Detected
>>>> Antivirus-Virus_Quarantine
>>>> Antivirus-Virus_Quarantine_Failed
>>>> System-Configuration_Error
>>>> Antivirus-Definitions_Updated
>>>> Antivirus-Definitions_Updated_Failed
>>>> Antivirus-Unknown_Event
>>>> Antivirus-Started
>>>> Antivirus-Disabled
>>>> Antivirus-Scan_Started
>>>> Antivirus-Scan_Finished
>>>> Antivirus-Error
>>>> Application-Web_Opened
>>>> Application-Web_Closed
>>>> Application-Web_Reset
>>>> Application-Web_Terminated
>>>> Application-Web_Denied
>>>> Application-Web_Redirected
>>>> Application-Web_Proxy
>>>> Application-Web_Error
>>>> Application-Web_Misc
>>>> Application-Web_Not_Found
>>>> Access-Traffic_Inbound
>>>> Access-Traffic_Outbound
>>>> Access-Firewall_Misc_Event
>>>> Suspicious-Network_Anomaly
>>>> Suspicious-DNS_Protocol_Anomaly
>>>> Suspicious-SSH_Protocol_Anomaly
>>>> Suspicious-Telnet_Protocol_Anomaly
>>>> Suspicious-HTTP_Protocol_Anomaly
>>>> Suspicious-Mail_Protocol_Anomaly
>>>> Suspicious-FTP_Protocol_Anomaly
>>>> Suspicious-Threshold_Exceeded
>>>> Denial_Of_Service-Other
>>>> Access-File_Blocked
>>>> Access-Tunnel_Connection
>>>> Access-Tunnel_Closed
>>>> System-Warning
>>>> System-Emergency
>>>> System-Critical
>>>> System-Error
>>>> System-Notification
>>>> System-Information
>>>> System-Debug
>>>> System-Alert
>>>> Access-Connection_Opened
>>>> Access-Connection_Closed
>>>> Access-Timeout
>>>> System-Service_Started
>>>> System-Service_Stopped
>>>> System-Process_Started
>>>> System-Process_Stopped
>>>> Application-Spam_Detected
>>>> Application-Mail_Dropped
>>>> System-Restart
>>>> System-Started
>>>> System-Stopped
>>>> System-Locked
>>>> System-Unlocked
>>>> Network-IKE_Activity
>>>> Network-H.323_Activity
>>>> Network-PPP_Activity
>>>> Network-OCSP_Activity
>>>> Network-L2TP_Activity
>>>> Network-RIP_Activity
>>>> Network-PPTP_Activity
>>>> Network-SSL_Activity
>>>> Network-IGMP_Activity
>>>> Network-IPSEC_Activity
>>>> Network-PKI_Activity
>>>> Voip-Call_Started
>>>> Voip-Call_Ended
>>>> Voip-Misc
>>>> Network-BOOTP_Activity
>>>> Alert-IDS_Alert
>>>> Alert-IPS_Alert
>>>> Alert-HostIDS_Alert
>>>> Application-Mail_Sent
>>>> Application-Mail_Server_Misc
>>>> Application-Mail_Received
>>>> Availability-State_Up
>>>> Availability-State_Down
>>>> Availability-State_Critical
>>>> Availability-State_Warning
>>>> Availability-State_Unknown
>>>> Availability-State_Unreachable
>>>> Application-VPN_Opened
>>>> Application-VPN_Closed
>>>> Application-VPN_Denied
>>>> Application-VPN_Misc
>>>> System-Configuration_Changed
>>>> Network-Misc
>>>> Policy-Phishing
>>>> Wireless-New_Network
>>>> Wireless-Client_Associated
>>>> Wireless-Flood
>>>> Wireless-Disassociation
>>>> Wireless-Deauthentication
>>>> Wireless-Anomaly
>>>> Wireless-Spoofing
>>>> Wireless-Scanner_Detected
>>>> Wireless-Misc
>>>> Wireless-Probe
>>>> Inventory-Service_Detected
>>>> Inventory-Service_Change
>>>> Inventory-Service_Misc
>>>> Inventory-Operating_System_Detected
>>>> Inventory-Operating_System_Change
>>>> Inventory-Operating_System_Misc
>>>> Inventory-Mac_Detected
>>>> Inventory-Mac_Change
>>>> Inventory-Mac_Misc
>>>> Policy-Check_Failed
>>>> Policy-Check_Passed
>>>> Network-High_Load
>>>> Authentication-Error
>>>> Application-Web_Modified
>>>> Authentication-Misc
>>>> Application-DHCP_Release
>>>> Application-DHCP_Misc
>>>> Application-DHCP_Request
>>>> Application-DHCP_Lease
>>>> Application-DHCP_Pool_Exhausted
>>>> Application-DHCP_Error
>>>> System-Software_Installed
>>>> Honeypot-Connection_Opened
>>>> Honeypot-Attack_Detected
>>>> Honeypot-Connection_Closed
>>>> Honeypot-Misc
>>>> Application-DNS_Succesful_Zone_Tranfer
>>>> Application-DNS_Zone_Transfer_Failed
>>>> Application-DNS_Misc
>>>> Application-FTP_Command_Executed
>>>> Application-FTP_Error
>>>> Application-FTP_Connection_Opened
>>>> Application-FTP_Connection_Closed
>>>> Application-FTP_Misc
>>>> Database-Login
>>>> Database-Login_Failed
>>>> Database-Query
>>>> Database-Logout
>>>> Database-Stop
>>>> Database-Start
>>>> Database-Error
>>>> Database-Misc
>>>>
>>>>
>>>> ----------------------------------------------------
>>>> Matthew Jonkman
>>>> Emergingthreats.net
>>>> Emerging Threats Pro
>>>> Open Information Security Foundation (OISF)
>>>> Phone 765-807-8630
>>>> Fax 312-264-0205
>>>> http://www.emergingthreatspro.com
>>>> http://www.openinfosecfoundation.org
>>>> ----------------------------------------------------
>>>>
>>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at ...3335...
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>
>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>>>
>>
>>
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>



-- 
Darren Spruell
phatbuckett at ...2420...
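The thread leaves two concrete mechanics implicit: Joel's normalisation of the proposed names (underscores become hyphens, everything lowercase, so Exploit-SQL_Injection becomes exploit-sql-injection) and the fact that each name must end up as a `config classification:` entry in classification.conf. The script below is an added example, not code from the thread, Sourcefire, Emerging Threats or Alienvault. It applies the two normalisation rules to a small constructed subset of the proposed list, checks that the result is a well-formed classtype, refuses names that collide after normalisation (the rules are lossy, so two distinct proposed names can merge), and emits the config lines. The per-family priorities, the description wording and the single legacy entry kept for backward compatibility are assumptions made for the example; the thread says the real priorities and descriptions are still being written.

```python
"""Added example: turn the proposed classtype names into Snort classification.conf
entries using the two Sourcefire normalisation rules from the thread
(underscores -> hyphens, uppercase -> lowercase)."""
import re

# Constructed sample: a handful of names copied from the proposed list.
PROPOSED = [
    "Exploit-Shellcode",
    "Exploit-SQL_Injection",
    "Authentication-Default_Credentials",
    "Suspicious-Web_Attack_or_Scan",
    "Network-H.323_Activity",
    "Malware-Trojan",
]

# ASSUMPTION: the thread says priorities are still being written, so these
# per-family values are placeholders, not the proposal's real priorities.
ASSUMED_PRIORITY = {"exploit": 1, "malware": 1, "authentication": 2, "suspicious": 2}
DEFAULT_PRIORITY = 3

# ASSUMPTION: one pre-existing classtype kept verbatim so that rules written
# against the old names still resolve (the thread promises the old names stay).
LEGACY_ENTRIES = [("trojan-activity", "A Network Trojan was detected", 1)]

CLASSTYPE_RE = re.compile(r"[a-z0-9.-]+")


def normalize(name):
    """Sourcefire rules: lowercase everything, replace '_' with '-'."""
    return name.lower().replace("_", "-")


def is_valid_classtype(name):
    """classification.conf entries are comma-separated, so a name must carry
    no whitespace or commas; uppercase and underscores are rejected too."""
    return CLASSTYPE_RE.fullmatch(name) is not None


def describe(classtype):
    """Derive a short human-readable description from the normalised name
    (assumed wording; the real descriptions are not in the thread)."""
    family, _, detail = classtype.partition("-")
    return f"{family.capitalize()}: {detail.replace('-', ' ')}"


def to_classification_conf(names, legacy=LEGACY_ENTRIES):
    """Return the 'config classification:' lines for the given names.

    Raises ValueError if a normalised name is malformed or collides with
    another normalised name or a legacy entry."""
    entries = list(legacy)
    seen = {name for name, _, _ in legacy}
    for raw in names:
        ct = normalize(raw)
        if not is_valid_classtype(ct):
            raise ValueError(f"malformed classtype {raw!r} -> {ct!r}")
        if ct in seen:
            raise ValueError(f"{raw!r} collides with an existing classtype {ct!r}")
        seen.add(ct)
        family = ct.split("-", 1)[0]
        entries.append((ct, describe(ct), ASSUMED_PRIORITY.get(family, DEFAULT_PRIORITY)))
    return [f"config classification: {ct},{desc},{prio}" for ct, desc, prio in entries]


if __name__ == "__main__":
    print("\n".join(to_classification_conf(PROPOSED)))
```

The collision check is the part worth keeping when doing this for all 240 names: Snort resolves a rule's classtype by exact string match against classification.conf, so a silent merge of two proposed categories would misfile every rule in one of them, and a SIEM keyed on the classtype would never notice.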



