[Snort-users] Re: [Snort-devel] classification changes
cmg at ...671...
Wed May 23 09:16:17 EDT 2001
[ is there anyone on devel that isn't on users? ]
Brian Caswell <bmc at ...312...> writes:
> We are going to change the classification for the Snort.org ruleset.
> Sorry IDWG guys, your classifications. The IDWG classifications are
> just not viable. I tried. Its really bad.
Yes for right now, a good bit of the priorities aren't worth watching.
This is partially due to weird classicfactions like "bad-unknown" and
partially tdue to snort not having a to easily differentiate between
an attempted- and a successful-
To do this, nearly a whole set of rules that operate only on stuff
once tagged seems to be to separate the CMD.EXE 200's from the CMD.EXE
404s or whatever.
> Attached is the classification.config that will be included with snort
> 1.8.1 (Well, included into CVS as soon as I can clean up the rules)
> If you have wishes/requests for default classifications, let me know
> ASAP. I will start changing rules within the next 2 days.
Atleast keep the same order that was already defined where larger
numerical magnitude means higher priority.
I don't think url-access/exploit are any different than attempted-user
in the large scheme of things.
service-probe for like a bind.version
attempted-admin for an root exploit
attempted-user for an exploit that will give you nobody privledges
host-mapping == os identification? That sounds like a specific
> Brian Caswell
> The MITRE Corporation
> config classification: information,Informational Alert,4
> config classification: policy-violation,Policy Violation,3
> config classification: port-access,Port Scan,3
> config classification: information-leak,Information Leak,3
> config classification: misc-suspicious,Suspicious Traffic,2
> config classification: port-scan,Port Scan,2
> config classification: host-mapping,Host Mapping,2
> config classification: attack-responce,Responce from an Attack,2
> config classification: attempted-url-access,Attempted URL Access,2
> config classification: attempted-url-exploit,Attempted URL Exploit,1
> config classification: attempted-admin, Attempted User Privilage Gain,1
> config classification: attempted-user, Attempted Administrative Privilage Gain,1
Chris Green <cmg at ...671...>
A good pun is its own reword.
More information about the Snort-users