[Snort-users] classification.config disagrees with manual?
Owen_Crow at ...2639...
Mon Nov 19 09:15:10 EST 2001
The manual entry for Classtype (2.3.28) shows the default priorities for
different classifications. The priority is a higher number for more
important classes. For example, a "Successful Administrator Privilege Gain"
has priority 11 while "Not Suspicious Traffic" has a priority of 0.

This seems to disagree with the classification.config found in
snortrules.tar.gz which only has priorities ranging from 1 to 4 where 1 is
the highest priority. For example, "Successful Administrator Privilege
Gain" is 1 and "A TCP connection was detected" is 4.

Am I missing something in the docs to explain this? I'm running 1.8.2 but
with the latest rules snapshot and the docs off the web

I plan to eliminate all but the most important rules using a script to
comment out the ones with the wrong priority or class. If there's a better
way, please let me know. Monitoring WAN links is pretty noisy with all the
Systems Programmer (Unix)
BMC Software, Inc.
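
The filtering script the post describes could look like the following; this is an added example, not part of the original message and not Snort project code. It assumes the classification.config convention from the post (1 is the highest priority), one rule per line, and a rule-level `priority:` option overriding the classtype default; the function names and all sample lines are constructed for illustration.

```python
import re

# Constructed samples (not from the post). Assumed classification.config
# line format: config classification: shortname,description,priority
SAMPLE_CLASSIFICATION = """\
config classification: successful-admin,Successful Administrator Privilege Gain,1
config classification: tcp-connection,A TCP connection was detected,4
"""
SAMPLE_RULES = """\
alert tcp any any -> any 23 (msg:"constructed A"; classtype:successful-admin; sid:1000001;)
alert tcp any any -> any 80 (msg:"constructed B"; classtype:tcp-connection; sid:1000002;)
alert tcp any any -> any 21 (msg:"constructed C"; classtype:tcp-connection; priority:1; sid:1000003;)
# alert tcp any any -> any 25 (msg:"constructed D"; classtype:successful-admin; sid:1000004;)
alert icmp any any -> any any (msg:"constructed E"; sid:1000005;)
"""

CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),[^,]*,\s*(\d+)\s*$")
# Anchor on the preceding ';' or '(' so text inside msg:"..." is less likely to match.
CLASSTYPE_RE = re.compile(r"[;(]\s*classtype\s*:\s*([^;]+);")
PRIORITY_RE = re.compile(r"[;(]\s*priority\s*:\s*(\d+)\s*;")

def load_priorities(config_text):
    """Map classtype short name -> default priority (1 = most important)."""
    priorities = {}
    for line in config_text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            priorities[m.group(1).strip()] = int(m.group(2))
    return priorities

def filter_rules(rules_text, priorities, keep_max=1):
    """Comment out active rules whose effective priority number exceeds keep_max."""
    out = []
    for line in rules_text.splitlines():
        stripped = line.strip()
        prio = None
        if stripped and not stripped.startswith("#"):
            override = PRIORITY_RE.search(stripped)
            ctype = CLASSTYPE_RE.search(stripped)
            if override:                      # a rule-level priority wins
                prio = int(override.group(1))
            elif ctype:
                prio = priorities.get(ctype.group(1).strip())
        # Rules with no resolvable priority stay enabled: disabling them
        # silently would remove detections nobody reviewed.
        disable = prio is not None and prio > keep_max
        out.append("# " + line if disable else line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(filter_rules(SAMPLE_RULES, load_priorities(SAMPLE_CLASSIFICATION)), end="")
```

Raising `keep_max` to 2 or 3 widens what stays enabled; rules that were already commented out are passed through unchanged.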