[Snort-users] classification.config disagrees with manual?

Crow, Owen Owen_Crow at ...2639...
Mon Nov 19 09:15:10 EST 2001

The manual entry for Classtype (2.3.28) shows the default priorities for
different classifications.  The priority is a higher number for more
important classes.  For example a "Successful Administrator Privilege Gain"
has priority 11 while "Not Suspicious Traffic" has a priority of 0.

This seems to disagree with the classification.config found in
snortrules.tar.gz which only has priorities ranging from 1 to 4 where 1 is
the highest priority.  For example, "Successful Administrator Privilege
Gain" is 1 and "A TCP connection was detected" is 4.

Am I missing something in the docs to explain this?  I'm running 1.8.2 but
with the latest rules snapshot and the docs off the web.

I plan to eliminate all but the most important rules using a script to
comment out the ones with the wrong priority or class.  If there's a better
way, please let me know.  Monitoring WAN links is pretty noisy with all the
rules on...

Owen Crow
Systems Programmer (Unix)
BMC Software, Inc.
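
One way to do the filtering described in the message above, as an added example that is not part of the original post or of Snort itself. It assumes one rule per line, the `shortname,description,priority` layout of classification.config (1 = highest), and that an explicit `priority:` option in a rule overrides its classtype default; the function names and all sample data are constructed for illustration.

```python
import re

# Constructed sample data in the classification.config layout:
#   config classification: shortname,description,priority   (1 = highest)
SAMPLE_CLASSIFICATION = """\
config classification: successful-admin,Successful Administrator Privilege Gain,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: tcp-connection,A TCP connection was detected,4
"""
# Constructed rules (sids and messages are placeholders, not from snortrules.tar.gz).
SAMPLE_RULES = """\
alert tcp any any -> any 23 (msg:"sample admin"; classtype:successful-admin; sid:1000001;)
alert tcp any any -> any 80 (msg:"sample recon"; classtype:attempted-recon; sid:1000002;)
alert tcp any any -> any any (msg:"sample conn"; classtype:tcp-connection; sid:1000003;)
alert tcp any any -> any 25 (msg:"sample override"; classtype:tcp-connection; priority:1; sid:1000004;)
alert tcp any any -> any 21 (msg:"sample unclassified"; sid:1000005;)
# alert tcp any any -> any 22 (msg:"already off"; classtype:successful-admin; sid:1000006;)
"""

CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),[^,]*,\s*(\d+)\s*$")
CLASSTYPE_RE = re.compile(r"(?<![\w-])classtype\s*:\s*([\w-]+)\s*;")
PRIORITY_RE = re.compile(r"(?<![\w-])priority\s*:\s*(\d+)\s*;")

def load_priorities(config_text):
    """Map classification shortname -> numeric priority."""
    return {m.group(1).strip(): int(m.group(2))
            for m in map(CLASS_RE.match, config_text.splitlines()) if m}

def rule_priority(rule, priorities):
    """An explicit priority: option wins; otherwise use the classtype default."""
    explicit = PRIORITY_RE.search(rule)
    if explicit:
        return int(explicit.group(1))
    ctype = CLASSTYPE_RE.search(rule)
    return priorities.get(ctype.group(1)) if ctype else None

def filter_rules(rules_text, priorities, keep_max=1, keep_unknown=False):
    """Comment out active rules whose priority number is above keep_max."""
    out, disabled = [], 0
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            out.append(line)  # blank lines and already-disabled rules pass through
            continue
        prio = rule_priority(line, priorities)
        keep = keep_unknown if prio is None else prio <= keep_max
        out.append(line if keep else "# " + line)
        disabled += 0 if keep else 1
    return "\n".join(out) + "\n", disabled
```

Rules with no classtype and no explicit priority are commented out unless `keep_unknown=True` is passed, so review what that setting disables before deploying the filtered file.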
