[Snort-sigs] [Emerging-Sigs] New Proposed Classification.config file setup

Frank Knobbe frank at ...1978...
Mon Dec 27 15:30:00 EST 2010

On Thu, 2010-12-23 at 17:27 -0500, Joel Esler wrote:
> As mentioned earlier, here's the proposed Classification.config file
> setup posted and available for download here:
> http://blog.snort.org/2010/12/new-proposed-classificationconfig-file.html
> Please take a look, leave comments preferably on the blog, but also
> here would be fine.  

I think that's way overkill. If you attempt to include all protocols
into a classification system, you'll create more complexity and
potential confusion, making the system less useful. For starters, where
is exploit-pop3? (add your favorite protocol that's not on the list).

Class and subclass concept is fine. We've been using such a
classification in our system for a while. However, breaking it out by type
and protocol does not appear to make much sense, at least to me.

I believe a simpler system that doesn't mushroom by the power of 2 would
be more effective and easier to use.

