[Snort-sigs] [Emerging-Sigs] New Proposed Classification.config file setup
frank at ...1978...
Mon Dec 27 15:30:00 EST 2010
On Thu, 2010-12-23 at 17:27 -0500, Joel Esler wrote:
> As mentioned earlier, here's the proposed Classification.config file
> setup posted and available for download here:
> Please take a look, leave comments preferably on the blog, but also
> here would be fine.
I think that's way overkill. If you attempt to include all protocols
into a classification system, you'll create more complexity and
potential confusion, making the system less useful. For starters, where
is exploit-pop3? (add your favorite protocol that's not on the list).
The class and subclass concept is fine. We've been using such a
classification in our system for a while. However, breaking it out by type
and protocol does not appear to make much sense, at least to me.
I believe a simpler system that doesn't mushroom by the power of 2 would
be more effective and easier to use.