[Snort-sigs] [Snort-devel] [Emerging-Sigs] New Proposed Classification.config file setup
onelson at ...2420...
Tue Mar 22 10:08:43 EDT 2011
Sorry I'm coming to this thread a bit late. I'm going to have to take a
minute to pick through all that's been posted here, but I just wanted to say
that in the short
time I've been working with snort, the thing that's struck me as a pain are
the events with sigs that aren't classified at all. Maybe this is not the
role of the engine itself,
but I'd almost like to see snort refuse to load rules that match sigs that
are missing a class.
I love the idea of using tags (many to many) rather than a straight sig
class (one to many), but in the case of illustrating protocols/services in
the sig I'd say the data is already there. It should be up to the log viewer
or analyst to query for ports, etc.
Also, integers ftw! I'd love it if the ids for these new class/tag records
could be defined up front, but I guess that's one of those things.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs