[Snort-sigs] ..:: Unclassified rules ::..

Joel Esler jesler at ...435...
Fri Mar 25 17:08:15 EDT 2011


Don't you have to specify to barnyard2 where to find the
classification.config file?

Joel

On Thu, Mar 24, 2011 at 8:04 PM, Alfonso Alejandro Reyes Jimenez <
aareyes at ...3581...> wrote:

> Hi Joel, yep, I’m using barnyard2.
>
>
>
> Regards.
>
>
>
>
>
> *From:* Joel Esler [mailto:jesler at ...435...]
> *Sent:* Thursday, March 24, 2011 05:13 p.m.
> *To:* Alfonso Alejandro Reyes Jimenez
> *CC:* snort-sigs at lists.sourceforge.net
> *Subject:* Re: [Snort-sigs] ..:: Unclassified rules ::..
>
>
>
> How are you getting events into the database?    Are you using barnyard?
>
>
>
> Joel
>
>
>
> On Mar 24, 2011, at 5:54 PM, Alfonso Alejandro Reyes Jimenez wrote:
>
>
>
> Hi everyone.
>
>
>
> I have a question about the rules. This question may be stupid, but I
> couldn’t find any information on the web.
>
>
>
> My Snort works perfectly, no issues at all.
>
>
>
> We are creating customized rules for our servers, for example:
>
>
>
> alert tcp any any -> $Mail 25 (content: "|76 72 66 79|"; msg: "Comando SMTP
> ilegal, posible reconocimiento"; sid:1999993; classtype:attempted-recon;)
>
>
>
> The rule works fine and BASE shows the correct signature ID; the only issue
> is that the rule appears as *unclassified* in the GUI. We have tried adding
> the classtype to the signature with no luck.
>
>
>
> How can we classify those rules?
>
>
>
> Thanks in advance for your help.
>
>
>
> Regards.
>
>
>
>
> --
> Joel Esler
> http://blog.snort.org | http://vrt-blog.snort.org | http://blog.clamav.net
>
> Twitter: http://twitter.com/snort
>
>
>



-- 
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net