[Snort-users] Re: [Snort-devel] classification changes

Mike Johnson mike at ...874...
Wed May 23 10:54:24 EDT 2001

Chris Green [cmg at ...671...] wrote:
> Brian Caswell <bmc at ...312...> writes:
> > We are going to change the classification for the Snort.org ruleset. 
> > Sorry IDWG guys, your classifications.  The IDWG classifications are
> > just not viable.  I tried.  Its really bad.  
> Yes for right now, a good bit of the priorities aren't worth watching.
> This is partially due to weird classicfactions like "bad-unknown" and
> partially tdue to snort not having a to easily differentiate between
> an attempted- and a successful-

I'm actually quite happy with the current priorities.  I simply
filter out the first three (not-suspicious, unknown, bad-unknown).
I like that they're there, though, in case I want to have a
better view of my network. 

In the end, I'll cope.  I always knew using code from CVS was
subject to change.
> To do this, nearly a whole set of rules that operate only on stuff
> once tagged seems to be to separate the CMD.EXE 200's from the CMD.EXE
> 404s or whatever.

There's already some rules that have successful- tags.  I think
I only noticed one or two that weren't DDoS related (like zombie to
handler comminucations), though.  But separating the CMD.EXE's like
you mention could bequite useful.

> Atleast keep the same order that was already defined where larger
> numerical magnitude means higher priority.

Consider this a 'me too' vote.  Both methods have their disadvantages
when it comes to adding new priorities (you can't insert a new
rule with a discrete (no other rules with this priority) priority of 2  
into either without renumbering most all of them.  But I'm quite used
to a higher number meaning a higher priority.
> I don't think url-access/exploit are any different than attempted-user
> in the large scheme of things.

Agreed.  Exploiting a cgi grants user access at best, or on IIS
boxes it grants admin.
> service-probe for like a bind.version

Currently attempted-recon.  At the very least, I like the 
service-probe name better as it's a bit more descriptive as to
what's going on.  But what about probes for listening trojans
and looking for zombies?

> attempted-admin for an root exploit

> attempted-user for an exploit that will give you nobody privledges

Or whatever user your daemon runs as.
If at first you don't succeed, destroy all evidence that you tried -- unknown

More information about the Snort-users mailing list