[Snort-sigs] [Emerging-Sigs] Classifications and Tags

Joel Esler jesler at ...435...
Wed Mar 23 21:19:08 EDT 2011


Oop, meant to add snort-sigs to this.  But yes, like we have stated previously via the blog, we are willing to make the modifications to the classifications with minor modifications.

J

On Mar 23, 2011, at 8:00 PM, Joel Esler wrote:

> We are willing to incorporate these classifications into the VRT ruleset with minor modifications. 
> 
> --
> Sent from my iPhone
> Forgive my misspellings and briefness
> 
> On Mar 23, 2011, at 12:15 PM, Matthew Jonkman <jonkman at ...3525...> wrote:
> 
>> So we've had discussions about the new classification scheme proposed and donated by Alienvault, that's been well received I think and we've added a few new categories to it. The most current version with a few things added is here:
>> 
>> http://www.emergingthreats.net/new_classifications_v2.txt
>> 
>> The subsequent discussion about using tags in the metadata: directive is also an excellent idea. The fact that rules could then belong to more than one tag/category is a spectacular end result. To implement that though it'll require all of the end products to adapt. So that'll take some time. I think we should go down that road, but in the interim we should most definitely still use the new classifications.
>> 
>> We'll implement these in the ET Open and Pro rulesets for Snort rules and Suricata rules within the next two months, but will still publish the rulesets with the old classifications as well. This will make things a bit more complex, as you'll have to choose the ruleset that works for you, but this way we don't have to end-of-life anything that's out there and has the existing classifications hard-coded, nor do we force any SIEM installations to freak out if they're not updated. They can continue to use the old classifications. 
>> 
>> If that works for everyone we'll go forward that way. Please keep suggesting new categories for the system, but I'm sure we'll have them added as we implement as well. 
>> 
>> Matt
>> 
>> ----------------------------------------------------
>> Matthew Jonkman
>> Emergingthreats.net
>> Emerging Threats Pro
>> Open Information Security Foundation (OISF)
>> Phone 765-807-8630 x110
>> Fax 312-264-0205
>> http://www.emergingthreatspro.com
>> http://www.openinfosecfoundation.org
>> ----------------------------------------------------
>> 
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>> 
>> 
>> 
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at ...3335...
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> 
>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!

--
Joel Esler
http://blog.snort.org | http://vrt-blog.snort.org | http://blog.clamav.net
Twitter: http://twitter.com/snort
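Matt's point above, that a rule carries exactly one classtype today but could belong to several categories once tags live in the metadata: directive, as an added example (not code from Emerging Threats, the VRT or this list): a small Python indexer over constructed rules. The `tag` metadata key and the tag names are assumptions, since the thread fixes neither a key name nor a vocabulary.

```python
import re
from collections import defaultdict

# Constructed sample rules, not ET or VRT rules. The "tag" metadata key and the
# tag names are assumptions: the thread proposes tags in metadata but fixes neither.
SAMPLE_RULES = """
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE Trojan checkin"; flow:established,to_server; content:"/checkin"; http_uri; classtype:trojan-activity; metadata:tag malware, tag cnc, tag http; sid:9000001; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"EXAMPLE lookup of known bad domain"; content:"|03|bad|07|example|03|com|00|"; classtype:bad-unknown; metadata:tag dns, tag malware; sid:9000002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB probe"; classtype:attempted-recon; sid:9000003; rev:1;)
"""
RULE_RE = re.compile(r"^\s*(alert|drop|log|pass)\s+[^(]*\((?P<opts>.*)\)\s*$")

def parse_options(opts):
    # Split the option block on ';' outside double quotes into (key, value) pairs;
    # valueless options such as http_uri get an empty value.
    pairs, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            key, _, val = "".join(buf).strip().partition(":")
            if key:
                pairs.append((key, val.strip()))
            buf = []
        else:
            buf.append(ch)
    return pairs

def parse_rule(line):
    # One classtype per rule (Snort's classification), any number of metadata tags.
    m = RULE_RE.match(line)
    if not m:
        return None
    pairs = parse_options(m.group("opts"))
    sid = int(next(v for k, v in pairs if k == "sid"))
    classtype = next((v for k, v in pairs if k == "classtype"), None)
    tags = {item.strip().partition(" ")[2].strip() for k, v in pairs if k == "metadata"
            for item in v.split(",") if item.strip().startswith("tag ")}
    return {"sid": sid, "classtype": classtype, "tags": tags}

def index_rules(text):
    # Index sids by classtype and by tag; a sid may appear under several tags.
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    by_classtype, by_tag = defaultdict(set), defaultdict(set)
    for r in rules:
        if r["classtype"]:
            by_classtype[r["classtype"]].add(r["sid"])
        for tag in r["tags"]:
            by_tag[tag].add(r["sid"])
    return rules, dict(by_classtype), dict(by_tag)
```

A SIEM or console that keys on classtype sees each sid under one category, while the tag index lets the same sid (9000001 here) surface under malware, cnc and http at once.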
