[Snort-users] Re: [Snort-devel] classification changes
mike at ...874...
Wed May 23 10:54:24 EDT 2001
Chris Green [cmg at ...671...] wrote:
> Brian Caswell <bmc at ...312...> writes:
> > We are going to change the classification for the Snort.org ruleset.
> > Sorry IDWG guys, your classifications. The IDWG classifications are
> > just not viable. I tried. Its really bad.
> Yes for right now, a good bit of the priorities aren't worth watching.
> This is partially due to weird classicfactions like "bad-unknown" and
> partially tdue to snort not having a to easily differentiate between
> an attempted- and a successful-
I'm actually quite happy with the current priorities. I simply
filter out the first three (not-suspicious, unknown, bad-unknown).
I like that they're there, though, in case I want to have a
better view of my network.
In the end, I'll cope. I always knew using code from CVS was
subject to change.
> To do this, nearly a whole set of rules that operate only on stuff
> once tagged seems to be to separate the CMD.EXE 200's from the CMD.EXE
> 404s or whatever.
There's already some rules that have successful- tags. I think
I only noticed one or two that weren't DDoS related (like zombie to
handler comminucations), though. But separating the CMD.EXE's like
you mention could bequite useful.
> Atleast keep the same order that was already defined where larger
> numerical magnitude means higher priority.
Consider this a 'me too' vote. Both methods have their disadvantages
when it comes to adding new priorities (you can't insert a new
rule with a discrete (no other rules with this priority) priority of 2
into either without renumbering most all of them. But I'm quite used
to a higher number meaning a higher priority.
> I don't think url-access/exploit are any different than attempted-user
> in the large scheme of things.
Agreed. Exploiting a cgi grants user access at best, or on IIS
boxes it grants admin.
> service-probe for like a bind.version
Currently attempted-recon. At the very least, I like the
service-probe name better as it's a bit more descriptive as to
what's going on. But what about probes for listening trojans
and looking for zombies?
> attempted-admin for an root exploit
> attempted-user for an exploit that will give you nobody privledges
Or whatever user your daemon runs as.
If at first you don't succeed, destroy all evidence that you tried -- unknown
More information about the Snort-users