[Snort-sigs] [Snort-devel] [Emerging-Sigs] New Proposed Classification.config file setup

onelson onelson at ...2420...
Tue Mar 22 10:08:43 EDT 2011


Sorry I'm coming to this thread a bit late. I'm going to have to take a 
minute to pick through all that's been posted here, but I just wanted to say 
that in the short
time I've been working with snort, the thing that's struck me as a pain are 
the events with sigs that aren't classified at all. Maybe this is not the 
role of the engine itself, 
but I'd almost like to see snort refuse to load rules that match sigs that 
are missing a class.

I love the idea of using tags (many to many) rather than a straight sig 
class (one to many), but in the case of illustrating protocols/services in 
play for 
the sig I'd say the data is already there. It should be up to the log viewer 
or analyst to query for ports, etc.

Also, integers ftw! I'd love it if the ids for these new class/tag records 
could be defined up front, but I guess that's one of those things.

Regards,
Owen Nelson
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20110322/efcb4c15/attachment.html>


More information about the Snort-sigs mailing list