[Snort-users] Re: [Snort-devel] classification changes

Chris Green cmg at ...671...
Wed May 23 12:24:26 EDT 2001

Brian Caswell <bmc at ...312...> writes:
> > I don't think url-access/exploit are any different than attempted-user
> > in the large scheme of things.
> Actually, I do.  One is an exploit.  One is just a probe.  I'm much
> more concerned if someone does /scripts/../../../winnt/cmd.exe than if
> they do /cgi-bin/phf

That's what I was trying to say. Didn't say it clearly enough.

> > service-probe for like a bind.version
> > attempted-admin for a root exploit
> > 
> > attempted-user for an exploit that will give you nobody privileges

phf would be a service-probe, cmd would be an attempted-user

I was arguing that url-attempt / url-exploit are the same as a
service-probe and an attempted-user-exploit

> > host-mapping == os identification? That sounds like a specific
> > information
> host-mapping would contain NMAP probes, and things host -> many hosts
> targeting a single port.  Actually, I will be releasing HOMER soon,
> an alert correlation engine that we at MITRE have developed.  (See the
> SANS paper on Intrusion Detection & Data Mining)  This classification
> is used by those things.  

Ah, I would have called host-mapping "network-mapping".

Chris Green <cmg at ...671...>
"Yeah, but you're taking the universe out of context."
